Pix to Cisco 3000 VPN LAN-to-LAN help needed

chucksel

I am trying to set up a LAN-to-LAN connection between a Cisco 3000 VPN concentrator and a PIX 501 firewall. When looking at the Live Event Log on the 3000 Concentrator I get the message:

43618 09/04/2003 16:15:55.370 SEV=4 BMGT/29 RPT=10
Attempting to specify an Aggregate Group reservation [ 961150977 bps ] on Group [ 67.118.XXX.114 ] Interface [ 2 ] which is outside the range of a minimum of [8000 bps ] to a maximum of [ 100000000 bps ] (note: the true max is dependant up on the interface link rate to which the group is applied).

Doing a Google search on "Attempting to specify an Aggregate Group reservation" I came up with this:

On a VPN 3000 Concentrator running Release 3.6 code, a bandwidth management policy is created and applied to a group reserving some portion of the link bandwidth using an aggregate reservation. If this reservation is then changed, the previous committed bandwidth is not freed up first when calculating whether enough bandwidth is available for use.

So, if 600 kbps is reserved from a link of 1544 kbps to start with, and this is then modified to reserve 1000 kbps, an error is generated and the modification is refused. The error shown is as follows:

83 11/27/2000 16:30:44.620 SEV=4 BMGT/31 RPT=7

Attempting to specify an Aggregate Group reservation [ 1000000 bps ] on Group [ ADC ] Interface [ 1 ] which added to the current reservation of the interface [ 600000 bps ] exceeds the link rate [ 1544000 bps ] to which it is being applied.

No bandwidth is reserved by any other policy.

Workaround:

Remove the aggregate reservation from the group first, and then to apply the new setting.
--------------------------------------
I checked the entire 3000 config and no bandwidth policies are in place.

Any ideas?


Thanks as always,
Chuck
 
If I remember correctly there was a bug filed on Cisco with this issue. If you have a CCO account, I would advise you to use the bug lookup tool and try to find this bug.
 
Found the bugger: CSCdz09899. You will only be able to see it if you have a valid CCO account. Hope this helps!
 
Chucksel

I have inherited a project to connect remote sites to our HQ. We have a Concentrator 3000 at our HQ and will be using PIX-501's on the remote sites to create a lan-to-lan link from HQ.

As you are using the same hardware configuration could you please post a working PIX-501 config so I can see where I am going wrong (obviously change necessary IP addresses)

I would like to keep what little hair I have left on my head but I fear I will be pulling more out before I have this project sorted out.

Many thanks
 
Scrimmy,

I am not a PIX expert but know quite a bit from personal hair loss. E-mail me your contact info including your e-mail address and I will help where and IF I am able due to time constraints and expertise.

Chuck
chucksel@hotmail.com

Thanks as always,
Chuck
 
Chuck,

Many thanks for the offer of help.
I have now been able to connect as required.
I had set the concentrator ipsec lan-to-lan local network ip address to one network (x.x.x.x/24) and the PIX-501 access-list to the x.x.x.x/8 network. Set this the same and all works great.

Again many thanks

Scrimmy
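
The mismatch described in the post above (a /24 local network on the concentrator against a /8 in the PIX-501 access-list) can be caught before the tunnel is brought up by comparing the networks configured on both peers. The Python script below is an added example and not part of the original thread; the addresses, ACL number and function names are constructed for illustration, and it assumes the PIX crypto ACL is written as `access-list <id> permit ip <src> <mask> <dst> <mask>`.

```python
import ipaddress
import re

# Assumed PIX crypto ACL form: access-list <id> permit ip <src> <mask> <dst> <mask>
_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ACL_RE = re.compile(rf"^access-list\s+\S+\s+permit\s+ip\s+{_IP}\s+{_IP}\s+{_IP}\s+{_IP}\s*$")


def parse_pix_acl(line):
    """Return (source_net, destination_net) from one PIX crypto ACL line."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACL line: {line!r}")
    src, smask, dst, dmask = m.groups()
    # strict=False normalises host bits (10.1.1.0 255.0.0.0 -> 10.0.0.0/8)
    return (ipaddress.ip_network(f"{src}/{smask}", strict=False),
            ipaddress.ip_network(f"{dst}/{dmask}", strict=False))


def check_selectors(pix_acl_line, hq_local, hq_remote):
    """Compare the PIX ACL with the concentrator's LAN-to-LAN networks.

    The PIX ACL source must equal the concentrator's remote network and the
    ACL destination must equal its local network. Returns a list of
    mismatch descriptions; an empty list means both sides mirror each other.
    """
    pix_src, pix_dst = parse_pix_acl(pix_acl_line)
    pairs = (
        ("concentrator local vs PIX ACL destination",
         ipaddress.ip_network(hq_local, strict=False), pix_dst),
        ("concentrator remote vs PIX ACL source",
         ipaddress.ip_network(hq_remote, strict=False), pix_src),
    )
    problems = []
    for label, hq_net, pix_net in pairs:
        if hq_net != pix_net:
            kind = "overlap, different mask" if hq_net.overlaps(pix_net) else "disjoint"
            problems.append(f"{label}: {hq_net} != {pix_net} ({kind})")
    return problems


# Constructed sample values (RFC 1918 addresses, not taken from the thread).
PIX_ACL_BAD = "access-list 101 permit ip 192.168.50.0 255.255.255.0 10.0.0.0 255.0.0.0"
PIX_ACL_GOOD = "access-list 101 permit ip 192.168.50.0 255.255.255.0 10.0.0.0 255.255.255.0"

if __name__ == "__main__":
    for acl in (PIX_ACL_BAD, PIX_ACL_GOOD):
        issues = check_selectors(acl, "10.0.0.0/24", "192.168.50.0/24")
        print(acl, "->", "OK" if not issues else "; ".join(issues))
```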
 
Great. Glad to hear it!

Thanks as always,
Chuck
 