Cisco Support Community

New Member

PIX software 7.2.2.22

Hi,

We upgraded a pair of 515e's last night from 7.2.2 to 7.2.2.22.

The upgrade was fine, however when we tested both L2L and Client based VPN connections we hit issues and were finally forced to roll back to 7.2.2 due to time constraints.

Our problem with the VPN was 1st noticed with a L2L tunnel, trying to ping a device on the LAN from central site, the PIX logging produced a message that said there was no port map translation group for the returning traffic, i.e. echo reply. Interestingly telnet worked from central site to remote, but not ping. We also found that any connectivity created from the remote site also had the same issue, likewise for the client based VPNs. We never changed the configuration of the PIX, and a NAT 0 was setup from high to low. I don't believe there should have been any other features added to the code, just bug fixes.

We did try several other things to try and get it to work, including sysopt permit vpn, reboot, nat 0 on outside interface, etc.

Any ideas?

Thanks.

Gary.

8 REPLIES
New Member

Re: PIX software 7.2.2.22

Hi,

I had exactly the same problem with PIX-7.2.2.22. In my opinion this behaviour is a bug in nat0. I recommend that you don't use this release.

New Member

Re: PIX software 7.2.2.22

These were our thoughts, however the code has been posted for a long time.

Thanks.

Gary

New Member

Re: PIX software 7.2.2.22

Stefan, what interim release are you using?

Thanks.

gary.

New Member

Re: PIX software 7.2.2.22

7.0.6(4) - very stable!

New Member

Re: PIX software 7.2.2.22

I tried that release a few weeks ago. It was awful. I have multiple VLANs on multiple interfaces. None of the VLANs could talk with one another. I kept getting the "no port map translation group" error message for all traffic between interfaces. I had to roll back. Everything was good again. I'd love to know why this release is still posted. It could be there is something majorly wrong with my config, but it's worked fine since 7.0.

New Member

Re: PIX software 7.2.2.22

I think it's a bug CSCsi89890, found in 7.2.2.22, fixed in 7.2.2.23 and 8.0.1.39, both not published.

Gary.

New Member

Re: PIX software 7.2.2.22

Gary -

Had a very similar problem myself when upgrading to 7.2.2.22 recently.

Upgrade was on ASA5510 rather than PIX.

Problem related to a L-2-L VPN and also RAS VPN sessions terminating on the ASA.

SAs would be established and all look OK but no traffic would pass.

Following error showed up in logs:

Sep 04 2007 17:01:13: %ASA-3-305005: No translation group found for udp src outside:x.x.x.x/1029 dst inside:y.y.y.y/161

(I have blanked out our IPs)

My solution/workaround was to configure policy static nat for the "inside" networks.

static (inside, outside) x.x.x.x access-list policy

access-list policy permit ip x.x.x.x y.y.y.y

where: x.x.x.x = internal subnet

y.y.y.y = remote subnet/ras vpn address pool

The problem is as if the nat exemption for the VPN tunnels is being ignored. (???weird)

hope that helps,

James
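
The 305005 message quoted in the post above can be triaged after an upgrade with a short script. This is an added example, not part of the original post or any Cisco tooling: it parses 305005 lines and counts drops between networks that the VPN NAT exemption should cover. The subnets and sample log lines are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Shape of the 305005 message quoted above; the /port suffix is optional
# because ICMP entries carry no port.
LINE_RE = re.compile(
    r"%(?:ASA|PIX)-3-305005: No translation group found for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)(?:/(?P<dst_port>\d+))?"
)

# Constructed sample lines (addresses are made up, not taken from the thread).
SAMPLE = [
    "Sep 04 2007 17:01:13: %ASA-3-305005: No translation group found for udp src outside:10.20.0.5/1029 dst inside:10.10.0.9/161",
    "Sep 04 2007 17:01:15: %ASA-3-305005: No translation group found for icmp src outside:10.20.0.5 dst inside:10.10.0.9 (type 0, code 0)",
    "Sep 04 2007 17:01:20: %ASA-3-305005: No translation group found for tcp src outside:198.51.100.7/4431 dst inside:10.10.0.9/23",
    "Sep 04 2007 17:01:21: %ASA-6-302013: constructed unrelated message",
]

def parse_305005(line):
    """Return the fields of a 305005 message, or None for any other line."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def exempt_flow_drops(lines, local_nets, remote_nets):
    """Count 305005 drops between networks the VPN NAT exemption should cover."""
    local = [ipaddress.ip_network(n) for n in local_nets]
    remote = [ipaddress.ip_network(n) for n in remote_nets]
    inside = lambda ip, nets: any(ip in n for n in nets)
    hits = Counter()
    for line in lines:
        rec = parse_305005(line)
        if rec is None:
            continue
        try:
            src = ipaddress.ip_address(rec["src_ip"])
            dst = ipaddress.ip_address(rec["dst_ip"])
        except ValueError:  # redacted or malformed address, e.g. x.x.x.x
            continue
        if (inside(src, remote) and inside(dst, local)) or (
            inside(src, local) and inside(dst, remote)
        ):
            hits[(rec["proto"], rec["src_if"] + "->" + rec["dst_if"])] += 1
    return hits

if __name__ == "__main__":
    for key, n in exempt_flow_drops(SAMPLE, ["10.10.0.0/24"], ["10.20.0.0/24"]).items():
        print(key, n)
```

A non-zero count for tunnel-protected subnets right after a software change points at the NAT exemption rather than at the tunnel itself, which matches the symptom of SAs establishing while no traffic passes.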

New Member

Re: PIX software 7.2.2.22

James,

It's the bug I mentioned earlier, I would avoid that software.

Thanks.

Gary
