I upgraded a PIX 515E from 6.3(5) to 7.2(2). Upgrade went fine except my client VPN is not working (was working before the software upgrade). Relevant config:
access-list nonat extended permit ip 10.1.0.0 255.255.248.0 192.168.0.0 255.255.255.0
ip local pool vpnpool 192.168.0.1-192.168.0.11
nat (inside) 0 access-list nonat
group-policy admin internal
group-policy admin attributes
 dns-server value 10.180.1.240
 vpn-idle-timeout 60
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value nonat
 default-domain value mydomain.com
crypto ipsec transform-set vpn esp-aes-256 esp-md5-hmac
crypto dynamic-map clvpn 10 set transform-set vpn
crypto map vpnmap 10 ipsec-isakmp dynamic clvpn
crypto map vpnmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group DefaultRAGroup general-attributes
tunnel-group admin type ipsec-ra
tunnel-group admin general-attributes
 address-pool vpnpool
 default-group-policy admin
tunnel-group admin ipsec-attributes
 pre-shared-key *
When I try to connect with my VPN client (4.6.4), the client stays on "Contacting the security gateway at..."
The only info I am getting from debug (debug crypto ipsec & debug crypto isakmp) is when I cancel the VPN client attempt:
Nov 24 18:37:45 [IKEv1]: Group = admin, IP = xxx.xxx.xxx.xxx, Removing peer from peer table failed, no match!
Nov 24 18:37:45 [IKEv1]: Group = admin, IP = xxx.xxx.xxx.xxx, Error: Unable to remove PeerTblEntry
Any idea why my VPN is not working?
Thanks for any help you can offer.