Cisco Support Community

New Member

PIX 7.2(2) Remote Access VPN issue

Hello,

I have been trying to connect a VPN Client for remote access to a PIX515E (using version 7.2(2)). I can get to the user authentication window, but after I enter the username and password, I get the status "Not Connected". I tried to run "debug crypto isakmp" but only the following screen output is appearing:

PIX(config)#

Jun 27 17:00:08 [IKEv1]: Group = testgroup, Username = testuser, IP = 173.5.1.4, Removing peer from peer table failed, no match!

Jun 27 17:00:08 [IKEv1]: Group = testgroup, Username = testuser, IP = 173.5.1.4, Error: Unable to remove PeerTblEntry

Can anybody help me identify the cause of the problem? Your response will be greatly appreciated.

Lorenz

6 REPLIES
at
New Member

Re: PIX 7.2(2) Remote Access VPN issue

Hi,

I think you should define nonat for the remote access IP subnet.

1. access-list Inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0

2. nat (Inside) 0 access-list Inside_nat0_outbound

Look at

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

hope this helps

regards

alex

Green

Re: PIX 7.2(2) Remote Access VPN issue

You also appear to be missing

access-list outside_cryptomap_dyn_10 extended permit ip any 192.168.1.0 255.255.255.0

crypto dynamic-map pixdyna 10 match address outside_cryptomap_dyn_10

New Member

Re: PIX 7.2(2) Remote Access VPN issue

Hello,

Thank you guys for the additional input; however, after I applied them, I still cannot get connected. I still keep getting the same message. Thank you for your further assistance.

Lorenz

New Member

Re: PIX 7.2(2) Remote Access VPN issue

Hey l.tating, I had the exact same problem with connecting to a PIX. Under the aaa-server line I didn't have the correct key. So I would recommend that you check the key to verify. You can also use this command: debug crypto isakmp 7

New Member

Re: PIX 7.2(2) Remote Access VPN issue

Hello Wizzle,

I am not using aaa for authentication. I'm just using the local database. I still cannot make it work. My debug crypto isakmp 7 has something in it that showed "cannot obtain an IP address for remote peer". Please see debug messages below:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Jun 30 15:46:22 [IKEv1]: Group = testgroup, Username = testuser, IP = 173.5.1.4, Cannot obtain an IP address for remote peer

Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.5.1.4, IKE TM V6 FSM error history (struct &0x27a61b8) , : TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent

Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.5.1.4, IKE AM Responder FSM error history (struct &0x27db608) , : AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA

Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.5.1.4, IKE SA AM:f7413097 terminating: flags 0x0945c001, refcnt 0, tuncnt 0

Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.5.1.4, sending delete/delete with reason message

Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.5.1.4, constructing blank hash payload

Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.5.1.4, constructing IKE delete payload

Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.5.1.4, constructing qm hash payload

Jun 30 15:46:22 [IKEv1]: IP = 173.5.1.4, IKE_DECODE SENDING Message (msgid=8ba4c5b) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

Jun 30 15:46:22 [IKEv1]: Group = testgroup, Username = testuser, IP = 173.5.1.4, Removing peer from peer table failed, no match!

Jun 30 15:46:22 [IKEv1]: Group = testgroup, Username = testuser, IP = 173.5.1.4, Error: Unable to remove PeerTblEntry

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Lorenz
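
An added example, not part of the thread and not Cisco tooling: a small Python triage script that rejoins the terminal-wrapped "debug crypto isakmp 7" lines from the post above and pulls the failing transitions out of each FSM error history. It assumes each history element is a "state, event" pair separated by "-->"; the function names are hypothetical and the embedded sample is two records copied from the post.

```python
import re

# Constructed sample: two records copied from the debug output in the post,
# still wrapped at the terminal width as they appeared there.
SAMPLE = """\
Jun 30 15:46:22 [IKEv1]: Group = testgroup, Username = testuser, IP = 173.5.1.4,
Cannot obtain an IP address for remote peer
Jun 30 15:46:22 [IKEv1 DEBUG]: Group = testgroup, Username = testuser, IP = 173.
5.1.4, IKE TM V6 FSM error history (struct &0x27a61b8) , : TM_DO
NE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY
, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ,
EV_HASH_OK-->TM_WAIT_REQ, NullEvent
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \[IKEv1")
HISTORY = re.compile(r"IKE (.+?) FSM error history \(struct [^)]*\)[^:]*:\s*(.*)$")

def unwrap(text):
    """Rejoin wrapped lines; a new record starts at a timestamp."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            # The wrap can cut a token in two ("173." / "5.1.4"), so add a
            # space only when the previous piece ended at a separator.
            sep = " " if records[-1].endswith((",", ":")) else ""
            records[-1] += sep + line
    return records

def fsm_history(record):
    """Return (machine, [(state, event), ...]), or None for other records."""
    m = HISTORY.search(record)
    if not m:
        return None
    parts = (el.partition(",") for el in m.group(2).split("-->"))
    return m.group(1), [(st.strip(), ev.strip()) for st, _, ev in parts]

def failing_steps(text):
    """Map each state machine to its (state, event) pairs that signal failure."""
    out = {}
    for record in unwrap(text):
        parsed = fsm_history(record)
        if parsed:
            out[parsed[0]] = [p for p in parsed[1] if p[1].endswith(("_FAIL", "_ERROR"))]
    return out

if __name__ == "__main__":
    print(failing_steps(SAMPLE))
```

On the sample this reports EV_IP_FAIL in state TM_BLD_REPLY for the "TM V6" machine, which matches the plain-text message "Cannot obtain an IP address for remote peer" logged just before it.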

at
New Member

Re: PIX 7.2(2) Remote Access VPN issue

Hi,

Please can you send me your current configuration from your PIX?

regards

alex
