Remote VPN on PIX 515 and Cisco VPN Client ver 4.x and higher.

Answered Question
Sep 20th, 2010

Hello,

I have a PIX 515 set up as a Cisco VPN server for Cisco clients. When users connect using Cisco client ver 3.5, they are able to get to the login prompt. But when users try to connect using a Cisco client higher than version 3.5 (like ver 4.6), it just times out.

When I look at the debug logs I see the PIX trying to send phase 1 packets back, but the client does not see a response.

I am using esp-3des esp-md5-hmac with pre-share.

Does anyone know why I cannot use client versions above 3.5?

Thank you.

mvsheik123 Mon, 09/20/2010 - 11:21

Hi,

Have you tried with multiple client PCs/laptops with 4.x installed? Also, please check to see if the response from the PIX is reaching the client at all (the VPN client gives basic info, but using Wireshark or any other packet capture may give more info).

Thanks

MS

shivani.sharma Mon, 09/20/2010 - 11:39

I have tried using multiple laptops with Client versions higher than 3.5. Since I get a response when I try to connect using Cisco Client ver 3.5, I assume I have IP connectivity and nothing is blocking the IPSec packets. But I will do a packet capture on the client and find out exactly if the return packets reach the client when I use versions above 3.5.

mvsheik123 Mon, 09/20/2010 - 11:57

OK, I know you confirmed this already. The exact version for IOS is: Cisco PIX Firewall, Version 6.2.2(122) or Version 6.3(1).

Thanks

MS

shivani.sharma Mon, 09/20/2010 - 19:30

I also did a packet capture using both client versions. I see return packets from the VPN server when using client 3.5. But when I use ver 4.x or 5.x there is no response back from the PIX. Do you know what could be causing this?

Thank you.

Correct Answer
mvsheik123 Tue, 09/21/2010 - 06:22

Hi,

Please check the link below (release notes for 6.2 (2)) - Section: Cisco VPN Client Interoperability

http://www.cisco.com/en/US/docs/security/pix/pix62/release/notes/pixrn622.html#wp88393

If you are using the Windows client, it only supports 3.x. You may need an IOS upgrade, or a client for the Linux, Solaris, and Macintosh platforms, to use 3.5 or higher.

If your client is compatible per the above, then you may need to run 'debug' on the PIX to see what's going on when the client requests a connection.

hth

MS

shivani.sharma Tue, 09/21/2010 - 06:51

Thank you MS! That is exactly the reason I cannot use client versions above 3.5 on Windows. I was beating around the bushes to find out the issue. Thanks a lot!!
