Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
307
Views
0
Helpful
3
Replies

issue with VPN pix to pix ( Remote access )

fargier
Level 1
Level 1

‎03-16-2007 01:52 AM - edited ‎03-11-2019 02:47 AM

Hello all,

I have trouble with a vpn site to site.

Architecture is :

Internal ---- PixV_7.2(1) ---- internet ----- Pix_V6.3(2) ---- Remote site (london)

Connection is ok: Crypto isakmp sa

I use sysopt connexion permit-vpn and permit-ipsec, and all the subnet match the cryptomap access-list, nat 0 is ok on both (i hope..)

I can do ping, telnet on my network device on the remote site.

The issue is when I use terminal service or vnc. The connexion seem to be ok because, when i do " sho connex " on both pix, i see the connexion of the vnc or terminal service on port 3389 or 5900.

On the computer where i send the TS or VNC i can see the windows, but it black. The pointer of the mouse move but all is black.

when i use other connexion with ISDN, it's ok. But the line using vpn site to site on the internet seem have a problem.

When i do sho crypto ipsec sa, i can't see the connexion between my pc where i send the vnc or TS and the remote computer.

Do you have any suggestion? I can't give you the running configuration. I know it will be difficult to find a problem without config.

There is some trouble between both image? 7.2 and 6.3?

One thing more, i have exactly the same configuration with the pix on the internal and a remote pix on other country (luxembourg) and it's ok!!!

Labels:
0 Helpful
3 Replies 3

b.hsu
Level 5
Level 5

‎03-22-2007 06:39 AM

First make sure the IPXec tunnel is UP and use the debug commands. The chance might be the user authentication problem or the group authentication.

0 Helpful

acomiskey
Level 10
Level 10

‎03-22-2007 06:48 AM

Lower the settings in VNC and give it a try.

0 Helpful

t.boyle
Level 1
Level 1

‎03-22-2007 12:36 PM

It sounds like you may have an MTU problem. IPSEC overhead means that you don't have the full 1500 byte MTU any more. If the ICMP replies required by PMTU (RFC 1191) aren't getting back to the two end stations then you'll get an initial connection but as soon as you start sending any amount of data the link freezes up. You can try changing the MTU on one end-station to around 1400 and see if you start to work. A better solution may be to allow the ICMP unreachable packets through to the end stations.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card