Site-2-site Dynamic to static config problem

Answered Question
Jan 15th, 2010

I must be missing something in the config, but what I am not sure.

Trying to get a PIX 506e (6.3) to a ASA 5505 (7.2). The PIX is Dynamic IP and the ASA is Static IP. This is a second Site-2 site VPN That is from the PIX to another PIX that has a staitic IP.

I have tryed everything that I can think of. I believe it is on the ASA side, but not sure. I have reset the pre-shared-key several times. I have tryed the sysopt connection permit-vpn on the ASA. It took the command, but it didn't show up in the runn-config. Put in both ipsec-ra and ipsec-l2l tunnels as well as other things. Anyway I have attached my config's.

Almost forgot, I used this link as a guide.

Thanks for your help --- Keith

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
k.gillespie Tue, 01/19/2010 - 06:21

Hi Andrew,

I have been following that example, but for some reason the link is not working in my post. I did update my post by adding a debug output. I check my debug with Tigers on the link and only post where it was different. It seems the isakmp attributes were OK and the pre-shared-key, but after that something is wrong.

If you have any idea let me know please.


Hi Keith

Ensure your "Head End" the end with the static IP has some of the below config:-

crypto ipsec transform-set <> <> 

crypto dynamic-map <> <> set transform-set <>

crypto map <> <> ipsec-isakmp dynamic <>

crypto map <> interface outside

isakmp enable outside

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600

isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400

tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
   authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
   pre-shared-key *

k.gillespie Tue, 01/19/2010 - 07:38

Hi Andrew,

Yes it has the crypto map and isakmp policy 20 that matches my dynamic PIX, but I don't have 65536 policy (will add). The tunnel-group general attributes command is not an option in 7.2 version. The ipsec pre-shared I used the pre-shared-key that matches isakmp key on the dynamic PIX. Should I have used isakmp key ******** address netmask

Thanks --- Keith


Changes should be made to the ASA

The url I posted is for config rev's 7.x and later - so everything should work.

Your posted ASA config - which has the static IP address is missing

tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
   authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
   pre-shared-key *

before any config changes are being made - let me be clear.

The PIX with the dynamic IP only needs basic config to create the VPN.

The ASA with the static IP needs this config, and you need to tell it to accept ANY L2L VPN requests.

I really suggest you read the URL I sent again, in the example Lion is your ASA and Tiger is your PIX.


k.gillespie Tue, 01/19/2010 - 10:45


The tunnel-group DefaultL2LGroup would not take, but would take DefaultL2Lgroup. Why I don't know. Also there is no option for tunnel_ ... general-attributes authentication-server-group. Only accounting-server-group or default-group-policy. Let me ask should the pre-shared-key in the DefaultL2Lgroup match the isakmp key on the dynamic PIX or should I add isakmp key **** address netmask that matches the PIX key?


k.gillespie Tue, 01/19/2010 - 12:11


authen-server-group none has been deprecated and replaced with isakmp ikev1-user-authentication none under ipsec-attributes.


k.gillespie Wed, 01/20/2010 - 08:12


I got a fresh start this morning. Let me start by telling you that I am useing a ASA5505 with 7.2(4) version. I tried to enter the config you have suggested and it won't take it.

On the tunnel-group DefaultL2LGroup type ipsec-l2l, it gives me error at type. If I change the name to DefaultL2Lgroup type ipsec-l2l, it will take it. Under the general-attributes, thier is no authentication-server-group option. It gives me an error to use isakmp ikev1-user-authentication none. It will take this command, but not show up in the running config. Under tunnel-group DefaultRAGroup genneral-attribrutes, it did take isakmp ikev1 command and it did show up in the runng-config. I used a default psk for this group. The l2l group matches my dynamic PIX. All this to say that I am getting a tunnel to come up,but it is connecting to the defaultRAGroup (see error message).

[IKEv1]: Group = DefaultRAGroup, IP = 71.29.x.x, R
eceived encrypted Oakley Main Mode packet with invalid payloads, MessID = 0

This tunnel doesn't stay up or am I able to ping to the other LAN. I did use the ASDM to configure the DefaultL2LGroup tunnel if that helps any.

any thoughts?

Thanks for your help --- Keith

k.gillespie Wed, 01/20/2010 - 09:17


Wow that was fast. Should I get rid of the tunnel-group configurations in the ASA then and what about the psk?


k.gillespie Wed, 01/20/2010 - 11:04


The tunnel came up after I deleted the DefaultRAGroup tunnel. The problem now is no traffic is going accross. I double check my ACL's and they are fine. Recheck your config's you send me and mine are the same. I have attached my show crypto ipsec and isakmp sa. I have study for the last hour your config's and mine to see what I mybe missing, but no luck. Sorry I kept asking you question, but its been 4 years since my firewall class and I wam the only IT person here at a small non-profit.

again tanks for your help --- Keith



from the debug - you are receving encrypted traffic and decrypting it.  However you are not encrypting it.

Explain more about the network, is there a layer 3 device behind the inside of the ASA handling the routing?

My first guess is that the inside LAN does not know how to get back to the remote end IP network.

k.gillespie Wed, 01/20/2010 - 11:27


Main site: DLS modem > PIX > L3 switch >network

remote site: DLS modem > ASA > network.

icmp and tcp (remote desktop) to server at main site. I am at remote site.

k.gillespie Thu, 01/21/2010 - 07:04


Thank you for all your help. It is now working. The 2 things that I did to get it to work were deleting the tunnel-group DefaultRAGroup and adding to ASA crypto map dyn-map 20 match address 100.

Thanks again ---- Keith

k.gillespie Tue, 01/26/2010 - 10:57


Bad news. The tunnel went down this morning. I was able to get back up by restarting the dynamic pix, but I can't get to our network behind the PIX. You can ping from the network behind the PIX fine, but not from the ASA. I did a trace route from the ASA and it is not going through the tunnel. I tried to add the crypto map dyn-map 20 match address 100 again. It takes the command, but it doesn't show up in the show run.Also when I do a sh crypto isakmp sa it show Retry:0. Could this be why it lost its tunnel?

Thanks --- Keith

k.gillespie Tue, 01/26/2010 - 11:24


Some how I lost nat-control. It back in and now working fine. I still would like to know about the show crypto isakmp Rekey SA ;0 and under IKE peer rekey; no. Is this a problem and did it cause the tunnel not to come back up?


k.gillespie Wed, 01/20/2010 - 11:19


Sorry I asnwered that wrong. No thier is no layer3 switch at this end, but thier is at the other end. We are just using the ASA for a switch. I do have another VPN tunnel to another PIX setup on that PIX, but that has worked fine for years.


This Discussion