PIX 7.2(2) Remote Access VPN issue

l.tating
Level 1

Hello,

I have been trying to connect a VPN Client for remote access to a PIX515E (using version 7.2(2)). I can get to the user authentication window, but after I enter the username and password, I get the status "Not Connected". I tried to run "debug crypto isakmp" but only the following screen output is appearing:

PIX(config)#

Jun 27 17:00:08 [IKEv1]: Group = testgroup, Username = testuser, IP = 173.5.1.4, Removing peer from peer table failed, no match!

Jun 27 17:00:08 [IKEv1]: Group = testgroup, Username = testuser, IP = 173.5.1.4, Error: Unable to remove PeerTblEntry

Can anybody help me identify the cause of the problem? Your response will be greatly appreciated.

Lorenz


at
Level 1

Hi,

I think you should define nonat for the remote access ip-subnet.

1. access-list Inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0

2. nat (Inside) 0 access-list Inside_nat0_outbound

Look at

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

hope this helps

regards

alex

acomiskey
Level 10

You also appear to be missing

access-list outside_cryptomap_dyn_10 extended permit ip any 192.168.1.0 255.255.255.0

crypto dynamic-map pixdyna 10 match address outside_cryptomap_dyn_10

Hello,

Thank you guys, for the additional input, however, after I applied them, I still cannot get connected. I still keep on getting the same message. Thank you for your further assistance.

Lorenz

Hey l.tating, I had the exact same problem with connecting to a PIX. Under the aaa-server line I didn't have the correct key. So I would recommend that you check the key to verify. You can use this command also: debug crypto isakmp 7

Hello Wizzle,

I am not using aaa for authentication. I'm just using the local database. I still cannot make it work. My debug crypto isakmp 7 has something in it that showed "cannot obtain an IP address for remote peer". Please see the debug messages below:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Jun 30 15:46:22 [IKEv1]: Group = testgroup, Username = testuser, IP = 173.5.1.4, Cannot obtain an IP address for remote peer

Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.5.1.4, IKE TM V6 FSM error history (struct &0x27a61b8) , : TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent

Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.5.1.4, IKE AM Responder FSM error history (struct &0x27db608) , : AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA

Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.5.1.4, IKE SA AM:f7413097 terminating: flags 0x0945c001, refcnt 0, tuncnt 0

Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.5.1.4, sending delete/delete with reason message

Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.5.1.4, constructing blank hash payload

Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.5.1.4, constructing IKE delete payload

Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.5.1.4, constructing qm hash payload

Jun 30 15:46:22 [IKEv1]: IP = 173.5.1.4, IKE_DECODE SENDING Message (msgid=8ba4c5b) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

Jun 30 15:46:22 [IKEv1]: Group = testgroup, Username = testuser, IP = 173.5.1.4, Removing peer from peer table failed, no match!

Jun 30 15:46:22 [IKEv1]: Group = testgroup, Username = testuser, IP = 173.5.1.4, Error: Unable to remove PeerTblEntry

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Lorenz
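
A small triage script for debug output like the one posted above, added here as an example and not part of the thread: it rejoins the console-wrapped lines and reports, per group/user/IP, the first non-DEBUG message and the failing events named in the FSM error history. The function names, the line-joining heuristic and the abridged sample are assumptions made for this example.

```python
import re

# Constructed sample: abridged from the shape of the debug output in the thread,
# hard-wrapped at 80 columns the way the console printed it.
SAMPLE = """\
Jun 30 15:46:22 [IKEv1]: Group = testgroup, Username = testuser, IP = 173.5.1.4,
Cannot obtain an IP address for remote peer
Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.
5.1.4, IKE TM V6 FSM error history (struct &0x27a61b8) , : TM_DO
NE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent
Jun 30 15:46:22 [IKEv1]: Group = testgroup, Username = testuser, IP = 173.5.1.4,
Removing peer from peer table failed, no match!
"""

START = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \[IKEv1( DEBUG)?\]: ")
FIELDS = re.compile(r"Group = (\S+), Username = (\S+), IP = ([\d.]+), (.*)")

def unwrap(text):
    """Rejoin wrapped lines; a new record begins with a timestamp and [IKEv1] tag."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("~"):
            continue
        if START.match(line) or not records:
            records.append(line)
        else:
            # Heuristic (assumption): a wrap after a comma lost a space,
            # any other wrap split a token in the middle.
            sep = " " if records[-1].endswith(",") else ""
            records[-1] += sep + line
    return records

def triage(text):
    """Map (group, user, ip) -> first non-DEBUG message and failing FSM events."""
    out = {}
    for rec in unwrap(text):
        head, fields = START.match(rec), FIELDS.search(rec)
        if not head or not fields:
            continue  # records without Group/Username are skipped
        entry = out.setdefault(fields.group(1, 2, 3),
                               {"first_error": None, "fsm_failures": []})
        msg = fields.group(4)
        if head.group(1):  # [IKEv1 DEBUG] record
            if "FSM error history" in msg:
                entry["fsm_failures"] += re.findall(r"\bEV_\w*(?:FAIL|ERROR)\w*", msg)
        elif entry["first_error"] is None:
            entry["first_error"] = msg
    return out
```

On the sample, the first non-DEBUG message is the address-assignment failure, while the "Removing peer from peer table failed" line seen in the original post only appears after it.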

hi,

please can you send me your current configuration from your pix

regards

alex
