VPN Client fails to connect to PIX

Wed, 07/22/2009 - 19:35
Jun 18th, 2009

Core issue

Transform set must be configured on the PIX.

Resolution

  1. On the PIX, issue the show crypto map command.
  2. Locate the crypto map name that is associated with the interface where you are trying to connect.
  3. Using the crypto map name, issue the show crypto dynamic-map tag {crypto map name} command.

    The output will be similar to the following.

    Crypto Map: "partner-map" interfaces: { outside }
    client configuration address initiate
    Crypto Map "partner-map" 20 ipsec-isakmp
    Dynamic map template tag: cisco
  4. Identify the dynamic map template tag (in this example, it is cisco), and then issue the show crypto dynamic-map tag cisco command.

    The output will be similar to the following.

    Crypto Map Template"cisco" 4
    No matching address list set.
    Current peer: 0.0.0.0
    Security association lifetime:
    4608000 kilobytes/28800 seconds
    PFS (Y/N): N
    Transform sets={ strong-des, }
  5. Use the transform name (strong-des) and issue a show crypto ipsec transform strong-des command.

    The output will be similar to the following.

    Transform set strong-des: { esp-3des esp-sha-hmac }
    will negotiate = { Tunnel, },

The transform must be one of the following combinations. If it is not, modify the transform to match one of the following and try again.

  • esp-3des esp-sha-hmac

  • esp-3des esp-md5-hmac

  • esp-des esp-md5-hmac
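
The check in steps 3 to 5 can be run offline against saved show output. The following is an added example, not part of the original document or any Cisco tool; it assumes the three outputs are pasted in as text, and the function names are hypothetical.

```python
import re

# The three transform combinations the page lists as acceptable.
ACCEPTED = {
    frozenset({"esp-3des", "esp-sha-hmac"}),
    frozenset({"esp-3des", "esp-md5-hmac"}),
    frozenset({"esp-des", "esp-md5-hmac"}),
}

# Sample outputs, copied from steps 3 to 5 above.
SHOW_CRYPTO_MAP = """Crypto Map: "partner-map" interfaces: { outside }
client configuration address initiate
Crypto Map "partner-map" 20 ipsec-isakmp
Dynamic map template tag: cisco
"""
SHOW_DYNAMIC_MAP = """Crypto Map Template"cisco" 4
No matching address list set.
Current peer: 0.0.0.0
Security association lifetime:
4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ strong-des, }
"""
SHOW_TRANSFORM = """Transform set strong-des: { esp-3des esp-sha-hmac }
will negotiate = { Tunnel, },
"""

def dynamic_map_tags(crypto_map_out):
    """Template tags referenced by the crypto map (step 4)."""
    return re.findall(r"Dynamic map template tag:\s*(\S+)", crypto_map_out)

def referenced_sets(dynamic_map_out):
    """Transform set names listed in the dynamic map template (step 5)."""
    bodies = re.findall(r"Transform sets=\{([^}]*)\}", dynamic_map_out)
    return [n.strip() for b in bodies for n in b.split(",") if n.strip()]

def defined_sets(transform_out):
    """Map each defined transform set name to its set of transforms."""
    found = re.findall(r"Transform set (\S+):\s*\{([^}]*)\}", transform_out)
    return {name: frozenset(body.replace(",", " ").split()) for name, body in found}

def check(crypto_map_out, dynamic_map_out, transform_out):
    """Return {set name: True (accepted), False (not accepted), None (not defined)}."""
    if not dynamic_map_tags(crypto_map_out):
        raise ValueError("crypto map has no dynamic map template tag")
    defined = defined_sets(transform_out)
    return {n: (defined[n] in ACCEPTED if n in defined else None)
            for n in referenced_sets(dynamic_map_out)}
```

A result of `None` for a name means the dynamic map references a transform set that is not defined, which is the condition described under Core issue.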