
PIX 7.2(2) Remote Access VPN issue

l.tating
Level 1

Hello,

I have been trying to connect a VPN Client for remote access to a PIX515E (using version 7.2(2)). I can get to the user authentication window, but after I enter the username and password, I get the status "Not Connected". I tried to run "debug crypto isakmp" but only the following screen output is appearing:

PIX(config)#

Jun 27 17:00:08 [IKEv1]: Group = testgroup, Username = testuser, IP = 173.5.1.4, Removing peer from peer table failed, no match!

Jun 27 17:00:08 [IKEv1]: Group = testgroup, Username = testuser, IP = 173.5.1.4, Error: Unable to remove PeerTblEntry

Can anybody help me identify the cause of the problem? Your response will be greatly appreciated.

Lorenz

6 Replies

at
Level 1

Hi

I think you should define nonat for the remote access IP subnet.

1. access-list Inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0

2. nat (Inside) 0 access-list Inside_nat0_outbound

Look at http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Hope this helps.

Regards,

alex

acomiskey
Level 10

You also appear to be missing

access-list outside_cryptomap_dyn_10 extended permit ip any 192.168.1.0 255.255.255.0

crypto dynamic-map pixdyna 10 match address outside_cryptomap_dyn_10

Hello,

Thank you guys for the additional input. However, after I applied them, I still cannot get connected. I still keep on getting the same message. Thank you for your further assistance.

Lorenz

Hey l.tating, I had the exact same problem with connecting to a PIX. Under the aaa-server line I didn't have the correct key. So I would recommend that you check the key to verify. You can use this command also - debug crypto isakmp 7

Hello Wizzle,

I am not using aaa for authentication. I'm just using the local database. I still cannot make it work. My debug crypto isakmp 7 has something in it that showed "cannot obtain an IP address for remote peer". Please see debug messages below:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Jun 30 15:46:22 [IKEv1]: Group = testgroup, Username = testuser, IP = 173.5.1.4, Cannot obtain an IP address for remote peer

Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.5.1.4, IKE TM V6 FSM error history (struct &0x27a61b8) , : TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent

Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.5.1.4, IKE AM Responder FSM error history (struct &0x27db608) , : AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA

Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.5.1.4, IKE SA AM:f7413097 terminating: flags 0x0945c001, refcnt 0, tuncnt 0

Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.5.1.4, sending delete/delete with reason message

Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.5.1.4, constructing blank hash payload

Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.5.1.4, constructing IKE delete payload

Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.5.1.4, constructing qm hash payload

Jun 30 15:46:22 [IKEv1]: IP = 173.5.1.4, IKE_DECODE SENDING Message (msgid=8ba4c5b) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

Jun 30 15:46:22 [IKEv1]: Group = testgroup, Username = testuser, IP = 173.5.1.4, Removing peer from peer table failed, no match!

Jun 30 15:46:22 [IKEv1]: Group = testgroup, Username = testuser, IP = 173.5.1.4, Error: Unable to remove PeerTblEntry

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Lorenz
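A triage helper for debug output like the above, added here as an example and not posted by anyone in the thread: it rejoins records split by 80-column console wrapping, then reports the first and last non-debug messages of the session and the first failing event in each FSM error history. The function names are made up for this example, and it assumes the history is a list of "state, event" pairs joined by "-->" with the newest entry first; the sample is an excerpt of the posted output in its wrapped form.

```python
import re

# Excerpt of the debug output from the post, as wrapped at 80 columns on the console.
SAMPLE = """\
Jun 30 15:46:22 [IKEv1]: Group = testgroup, Username = testuser, IP = 173.5.1.4,
Cannot obtain an IP address for remote peer
Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.
5.1.4, IKE TM V6 FSM error history (struct &0x27a61b8) , : TM_DO
NE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY
, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ,
EV_HASH_OK-->TM_WAIT_REQ, NullEvent
Jun 30 15:46:22 [IKEv1]: Group = testgroup, Username = testuser, IP = 173.5.1.4,
Error: Unable to remove PeerTblEntry
"""

REC_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \[IKEv1( DEBUG)?\]: ")

def unwrap(text):
    """Rejoin records that the console split across lines."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if REC_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line  # hard wrap, so join without a separator
    # A wrap that fell on a space leaves "," glued to the next word.
    return [re.sub(r",(?=\S)", ", ", r) for r in records]

def fsm_history(record):
    """Return (fsm_name, [(state, event), ...] oldest first), or None."""
    m = re.search(r"IKE (.+?) FSM error history \(struct \S+\)[ ,:]*(.*)", record)
    if not m:
        return None
    # Assumption: entries are "state, event" pairs joined by "-->", newest first.
    pairs = [tuple(p.strip() for p in s.split(",", 1)) for s in m.group(2).split("-->")]
    return m.group(1), pairs[::-1]

def triage(text):
    """Summarise one session: first/last message and first failing FSM event."""
    records = unwrap(text)
    msgs = [m.group(1) for r in records
            if (m := re.search(r"\[IKEv1\]: .*?IP = [\d.]+, (.*)", r))]
    failures = {}
    for name, pairs in filter(None, map(fsm_history, records)):
        failures[name] = next((p for p in pairs if "FAIL" in p[-1]), None)
    return {"first": msgs[0], "last": msgs[-1], "fsm_failure": failures}

if __name__ == "__main__":
    print(triage(SAMPLE))
```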

Hi,

Please can you send me your current configuration from your PIX?

Regards,

alex
