Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.

User tunnel rejected in VPN 3002 to 3005 Connection

Unanswered Question
Mar 5th, 2003
Yesterday everything was fine. The only thing I was messing with was setting up a LAN to LAN connection between a Pix and the 3005, and there weren't any problems with that as far as I could tell, and plus I have deleted any entries I have made, which brings us to... today. Today is a different story. One of my 3002 HW Clients cannot establish its tunnel because, as the 3005 says:

55663 03/05/2003 11:01:48.380 SEV=4 IKE/0 RPT=1511 x.x.x.x

Group [a1] User [ab]

User tunnel rejected: misconfigured filter parameters!

I promise (three fingers up in air) that I did not touch the filter parameters at all. If I did, then wouldn't all of the other 3002 HW clients I have connected (5 total) also be giving me errors of a bad filter parameter? Should I just nuke the group and user and re-enter them? I am totally out of ideas. I have scoured the config on the concentrator, but cannot find anything wrong.

Any suggestions would be greatly appreciated.


Zachary Cude

mchin345 Tue, 03/11/2003 - 14:04

I feel that you should confirm that under your group, general tab that there are no filters being applied to that group. If there are, select none and test. Another thing that you could do is to have a look at http://www.cisco.com/warp/public/VSAs_rev22.html. If nothing else works, I guess it would be best to junk the group and build it again.

zcude Wed, 03/12/2003 - 13:00

Well, I always thought those filters were pretty worthless. After a call to TAC in which even they didn't know what was going on, we figured out that if we turn authentication off on the groups (Groups -> IPSEC Tab) then the tunnels will come up. That and some magic Cisco pixie dust seemed to do the trick for the most part. We also had two sites talking to each other via the concentrator and that never did come back up, so we went out and bought a pair of cheap VPN routers and hooked them up that way. Saves bandwidth going to the concentrator as well. Maybe when I'm bored I'll try to disable the filters, but after 5 down days I think I'll let everyone get settled down before I try anything else.

Thanks for the tip!


