PIX software 7.2.2.22

Unanswered Question
Jul 24th, 2007

Hi,

We upgraded a pair of 515e's last night from 7.2.2 to 7.2.2.22.

The upgrade was fine, however when we tested both L2L and Client based VPN connections we hit issues and were finally forced to roll back to 7.2.2 due to time constraints.

Our problem with the VPN was first noticed with a L2L tunnel. Trying to ping a device on the LAN from the central site, the PIX logging produced a message that said there was no port map translation group for the returning traffic, i.e. the echo reply. Interestingly, telnet worked from central site to remote, but not ping. We also found that any connectivity created from the remote site had the same issue, likewise for the client-based VPNs. We never changed the configuration of the PIX, and a NAT 0 was set up from high to low. I don't believe there should have been any other features added to the code, just bug fixes.

We did try several other things to try and get it to work, including sysopt permit vpn, reboot, nat 0 on outside interface, etc.

Any ideas?

Thanks.

Gary.

stefan.zarev Tue, 07/24/2007 - 07:11

Hi,

I had exactly the same problem with PIX 7.2.2.22. In my opinion this behaviour is a bug in nat 0. I recommend that you don't use this release.

g-hopkinson Tue, 07/24/2007 - 07:22

These were our thoughts too, however the code has been posted for a long time.

Thanks.

Gary

g-hopkinson Tue, 07/24/2007 - 07:36

Stefan, what interim release are you using?

Thanks.

Gary.

markbialik Tue, 07/24/2007 - 08:29

I tried that release a few weeks ago. It was awful. I have multiple VLANs on multiple interfaces. None of the VLANs could talk with one another. I kept getting the "no port map translation group" error message for all traffic between interfaces. I had to roll back. Everything was good again. I'd love to know why this release is still posted. It could be there is something majorly wrong with my config, but it's worked fine since 7.0.

g-hopkinson Tue, 07/24/2007 - 08:54

I think it's bug CSCsi89890, found in 7.2.2.22, fixed in 7.2.2.23 and 8.0.1.39, neither of which is published.

Gary.

j4m3swatson Fri, 09/21/2007 - 03:02

Gary -

Had a very similar problem myself when upgrading to 7.2.2.22 recently.

Upgrade was on an ASA5510 rather than a PIX.

Problem related to a L-2-L VPN and also RAS VPN sessions terminating on the ASA.

SAs would be established and all looked OK, but no traffic would pass.

The following error showed up in the logs:

Sep 04 2007 17:01:13: %ASA-3-305005: No translation group found for udp src outside:x.x.x.x/1029 dst inside:y.y.y.y/161

(I have blanked out our IPs)


My solution/workaround was to configure policy static NAT for the "inside" networks.

static (inside,outside) x.x.x.x access-list policy

access-list policy permit ip x.x.x.x y.y.y.y


where: x.x.x.x = internal subnet

y.y.y.y = remote subnet/ras vpn address pool


The problem is as if the nat exemption for the VPN tunnels is being ignored. (???weird)


hope that helps,

James


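The following is an added example, not James's or Gary's configuration, showing the two NAT arrangements this thread compares on PIX/ASA 7.2 syntax: the usual nat 0 access-list exemption that the posters say 7.2.2.22 ignores, and the policy static identity NAT that James used as a workaround. Addresses, interface names and ACL names are made up for illustration (inside LAN 10.1.1.0/24, remote LAN or RAS pool 192.168.50.0/24); the verification commands at the end are the ones a practitioner would run to confirm which rule a VPN packet actually hits.

```cisco
! Added example, constructed addressing; not the original posters' config.
! inside LAN = 10.1.1.0/24, remote LAN / RAS VPN pool = 192.168.50.0/24

! --- Arrangement 1: NAT exemption (what the posters had in place) ---
! Traffic matching the ACL is exempted from NAT in both directions, so
! the echo reply from 192.168.50.x back to 10.1.1.x needs no translation.
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
! Everything else from inside is PATed to the outside interface address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! --- Arrangement 2: James's workaround, policy static identity NAT ---
! Same real and mapped network (10.1.1.0), selected only when the
! destination is the VPN network, so it behaves like the exemption above
! but is installed as a static translation rather than a nat 0 match.
access-list policy extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
static (inside,outside) 10.1.1.0 access-list policy

! --- Checks (assumed available on 7.2; packet-tracer appeared in 7.2(1)) ---
! Walk a simulated echo request through the NAT phases and see which
! rule matches; a "no translation group" failure shows up as a NAT drop here.
packet-tracer input inside icmp 10.1.1.10 8 0 192.168.50.10 detailed
! Confirm the identity translation exists once traffic has flowed.
show xlate
! Confirm the tunnel itself is up so the fault is isolated to NAT.
show crypto ipsec sa
```

Two caveats a practitioner would want. First, a static with an access-list takes precedence over dynamic NAT in the normal NAT order, so the policy static needs to match exactly the same source/destination pairs as the exemption it replaces, otherwise some VPN traffic falls through to the global PAT and breaks. Second, keep the nat 0 line in place rather than deleting it: on a release where exemption works, it is the simpler rule, and the static can be removed again once the box is back on code that honours nat 0.
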
g-hopkinson Tue, 09/25/2007 - 00:28

James,

It's the bug I mentioned earlier; I would avoid that software.


Thanks.

Gary
