Cisco Support Community
Community Member

Issue with VPN PIX to PIX (remote access)

Hello all,

I have trouble with a site-to-site VPN.

The architecture is:

Internal ---- PixV_7.2(1) ---- internet ----- Pix_V6.3(2) ---- Remote site (london)

The connection is OK: crypto isakmp sa

I use sysopt connection permit-vpn and permit-ipsec, all the subnets match the crypto map access-list, and nat 0 is OK on both (I hope...).

I can ping and telnet to my network devices on the remote site.

The issue is when I use Terminal Services or VNC. The connection seems to be OK because, when I do "show conn" on both PIXes, I see the VNC or Terminal Services connection on port 3389 or 5900.

On the computer from which I open the TS or VNC session I can see the window, but it is black. The mouse pointer moves, but everything is black.

When I use another connection over ISDN, it's OK. But the line using the site-to-site VPN over the Internet seems to have a problem.

When I do show crypto ipsec sa, I can't see the connection between the PC from which I launch VNC or TS and the remote computer.

Do you have any suggestions? I can't give you the running configuration. I know it will be difficult to find the problem without the config.

Is there some trouble between the two images, 7.2 and 6.3?

One more thing: I have exactly the same configuration with the internal PIX and a remote PIX in another country (Luxembourg), and it's OK!!!


Re: Issue with VPN PIX to PIX (remote access)

First make sure the IPsec tunnel is UP and use the debug commands. The problem might be user authentication or group authentication.


Re: Issue with VPN PIX to PIX (remote access)

Lower the settings in VNC and give it a try.

Community Member

Re: Issue with VPN PIX to PIX (remote access)

It sounds like you may have an MTU problem. IPsec overhead means that you don't have the full 1500 byte MTU any more. If the ICMP replies required by PMTU (RFC 1191) aren't getting back to the two end stations then you'll get an initial connection, but as soon as you start sending any amount of data the link freezes up. You can try changing the MTU on one end-station to around 1400 and see if it starts to work. A better solution may be to allow the ICMP unreachable packets through to the end stations.
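To put numbers on the MTU explanation above, here is an added example (written for this thread, not code from Cisco or from any poster) that works out the ESP tunnel-mode overhead a PIX-to-PIX tunnel adds, the largest inner packet that still fits a 1500-byte Internet MTU, and why small ping/telnet packets pass while full-size VNC or RDP screen updates stall when the ICMP "fragmentation needed" message is filtered. The cipher and integrity choices, and the 1500-byte link MTU, are assumptions; the outcome model is a deliberate simplification.

```python
# Added example: ESP tunnel-mode overhead and PMTUD outcome model (assumptions noted inline).
OUTER_IP = 20      # new IPv4 header prepended in tunnel mode
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
NAT_T_UDP = 8      # extra UDP header when NAT traversal encapsulation is used

# cipher -> (IV length, cipher block size); integrity -> truncated HMAC ICV length
CIPHERS = {"des": (8, 8), "3des": (8, 8), "aes-128": (16, 16), "aes-256": (16, 16)}
ICV = {"md5": 12, "sha1": 12}


def esp_packet_size(inner_len, cipher="3des", integrity="sha1", nat_t=False):
    """On-the-wire size of an inner IP packet of inner_len bytes after ESP encapsulation."""
    iv, block = CIPHERS[cipher]
    # Padding aligns (inner packet + trailer) to the cipher block size.
    pad = (-(inner_len + ESP_TRAILER)) % block
    size = OUTER_IP + ESP_HDR + iv + inner_len + pad + ESP_TRAILER + ICV[integrity]
    return size + NAT_T_UDP if nat_t else size


def max_inner_mtu(link_mtu=1500, **kw):
    """Largest inner packet whose encapsulated form still fits link_mtu (assumed 1500)."""
    n = link_mtu
    while esp_packet_size(n, **kw) > link_mtu:
        n -= 1
    return n


def tcp_mss_for(inner_mtu):
    """TCP MSS an end station should advertise: inner MTU minus IPv4 (20) and TCP (20)."""
    return inner_mtu - 40


def pmtud_outcome(inner_len, df_set=True, icmp_allowed=True, link_mtu=1500, **kw):
    """Simplified model of one packet's fate: fits, gets fragmented (DF clear),
    triggers ICMP type 3 code 4 so the sender can shrink its MTU, or vanishes."""
    if esp_packet_size(inner_len, **kw) <= link_mtu:
        return "delivered"
    if not df_set:
        return "fragmented"
    return "icmp-frag-needed" if icmp_allowed else "black-holed"


if __name__ == "__main__":
    for cipher in ("3des", "aes-128"):
        mtu = max_inner_mtu(cipher=cipher)
        print(f"{cipher}/sha1: inner MTU {mtu}, advertise MSS {tcp_mss_for(mtu)}")
    print("64-byte ping:", pmtud_outcome(64, icmp_allowed=False))          # delivered
    print("1500-byte VNC update:", pmtud_outcome(1500, icmp_allowed=False))  # black-holed
```

Dropping the end-station MTU to around 1400, as suggested, sits comfortably under the computed ceiling for either cipher; the firewall-side counterpart on the PIX is `sysopt connection tcpmss`, which clamps the MSS on TCP sessions through the box.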
