PIX software 7.2.2.22

g-hopkinson
Level 1

Hi,

We upgraded a pair of 515Es last night from 7.2.2 to 7.2.2.22.

The upgrade was fine; however, when we tested both L2L and client-based VPN connections we hit issues and were finally forced to roll back to 7.2.2 due to time constraints.

Our problem with the VPN was first noticed with a L2L tunnel: trying to ping a device on the LAN from the central site, the PIX logging produced a message that said there was no port map translation group for the returning traffic, i.e. the echo reply. Interestingly, telnet worked from the central site to the remote site, but not ping. We also found that any connectivity initiated from the remote site had the same issue, and likewise for the client-based VPNs. We never changed the configuration of the PIX, and a NAT 0 was set up from high to low. I don't believe there should have been any other features added to the code, just bug fixes.

We did try several other things to try and get it to work, including sysopt permit vpn, reboot, nat 0 on outside interface, etc.

Any ideas?

Thanks.

Gary.

8 Replies

stefan.zarev
Level 1

Hi,

I had exactly the same problem with PIX-7.2.2.22. In my opinion this behaviour is a bug in nat 0. I recommend you don't use this release.

These were our thoughts too; however, the code has been posted for a long time.

Thanks.

Gary

Stefan, what interim release are you using?

Thanks.

Gary.

7.0.6(4) - very stable!

markbialik
Level 1

I tried that release a few weeks ago. It was awful. I have multiple VLANs on multiple interfaces. None of the VLANs could talk with one another. I kept getting the "no port map translation group" error message for all traffic between interfaces. I had to roll back. Everything was good again. I'd love to know why this release is still posted. It could be there is something majorly wrong with my config, but it's worked fine since 7.0.

I think it's bug CSCsi89890, found in 7.2.2.22, fixed in 7.2.2.23 and 8.0.1.39, neither of which is published.

Gary.

j4m3swatson
Level 1

Gary -

Had a very similar problem myself when upgrading to 7.2.2.22 recently.

Upgrade was on ASA5510 rather than PIX.

Problem related to a L2L VPN and also RAS VPN sessions terminating on the ASA.

SAs would be established and all looked OK, but no traffic would pass.

The following error showed up in the logs:

Sep 04 2007 17:01:13: %ASA-3-305005: No translation group found for udp src outside:x.x.x.x/1029 dst inside:y.y.y.y/161

(I have blanked out our IPs)

My solution/workaround was to configure policy static NAT for the "inside" networks.

static (inside, outside) x.x.x.x access-list policy

access-list policy permit ip x.x.x.x y.y.y.y

where: x.x.x.x = internal subnet

y.y.y.y = remote subnet/ras vpn address pool

The problem is as if the nat exemption for the VPN tunnels is being ignored. (???weird)

hope that helps,

James
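The 305005 message James quotes is the one symptom every poster in this thread reports, so a quick way to confirm whether an upgrade has broken NAT exemption is to tally those messages per flow from the syslog feed before and after the change. The following Python script is an added example, not code from the thread or from Cisco; the log lines in it are constructed in the format shown above (with RFC 5737 test addresses in place of the blanked-out IPs), and the helper names (`parse_305005`, `count_by_flow`, `flows_missing_nat`) are this example's own.

```python
"""Count ASA/PIX %ASA-3-305005 'No translation group found' events per flow."""
import re
from collections import Counter

# Pattern for the 305005 message body as it appears on PIX 7.x / ASA 7.x
# (the thread above shows one such line). The IP fields accept the x.x.x.x
# placeholders used in the post as well as real dotted-quad addresses.
MSG_305005 = re.compile(
    r"%(?:ASA|PIX)-3-305005: No translation group found for "
    r"(?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+)"
)

# Constructed sample syslog lines (not from a real device), in the format shown
# in the thread: two SNMP polls arriving over the VPN, one unrelated connection
# build message, and one ICMP echo reply leaving toward the tunnel.
SAMPLE_LOG = [
    "Sep 04 2007 17:01:13: %ASA-3-305005: No translation group found for udp src outside:192.0.2.10/1029 dst inside:10.1.1.5/161",
    "Sep 04 2007 17:01:14: %ASA-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.10/4100 (192.0.2.10/4100) to inside:10.1.1.5/23 (10.1.1.5/23)",
    "Sep 04 2007 17:01:15: %ASA-3-305005: No translation group found for udp src outside:192.0.2.11/1030 dst inside:10.1.1.5/161",
    "Sep 04 2007 17:01:16: %ASA-3-305005: No translation group found for icmp src inside:10.1.1.5/0 dst outside:192.0.2.10/0",
]


def parse_305005(line):
    """Return the flow fields of a 305005 line, or None for any other message."""
    m = MSG_305005.search(line)
    return m.groupdict() if m else None


def count_by_flow(lines):
    """Tally 305005 events per (src_if, dst_if, proto, dst_port) tuple."""
    tally = Counter()
    for line in lines:
        fields = parse_305005(line)
        if fields:
            key = (fields["src_if"], fields["dst_if"], fields["proto"], fields["dst_port"])
            tally[key] += 1
    return tally


def flows_missing_nat(lines, min_count=1):
    """Flows that hit 305005 at least min_count times, most frequent first.

    After an upgrade, a sudden burst of these for traffic that should match a
    NAT exemption (nat 0) is the signal the thread is discussing: the firewall
    is looking for a translation where none should be needed.
    """
    tally = count_by_flow(lines)
    return [(flow, n) for flow, n in tally.most_common() if n >= min_count]


if __name__ == "__main__":
    for flow, n in flows_missing_nat(SAMPLE_LOG):
        print(f"{n:3d}  {flow[2]} {flow[0]} -> {flow[1]}/{flow[3]}")
```

Run it against a syslog export taken right after the upgrade: flows that never produced 305005 on the old release and now do, in both directions through the tunnel, point at the NAT-exemption behaviour described in this thread rather than at a configuration change.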

James,

It's the bug I mentioned earlier; I would avoid that software.

Thanks.

Gary
