I upgraded from PIX 6.2.2 to 6.3.1. I have a 3030 VPN Concentrator in parallel with my PIX. There are IP phones behind 3002 Hardware Clients doing Network Extension Mode connected to the 3030. The default tunnel gateway for the 3030 is the inside interface of the PIX. The clients (phones) cannot talk to each other now with PIX at 6.3.1, they could talk with PIX at 6.2.2. Sniffer shows 3030 sending packets to the inside interface of the PIX. PIX then spoofs the source address and issues a RST on the connection. My guess is that at 6.2.2, PIX was reflecting the packets back to the 3030, connecting the phones successfully. Has anyone else had any similar experiences?
PIX will never reflect the packet back to the same interface. It has never been the case with any of the IOS code. If PIX is sending RST on the inside, this needs to be checked; I am still not getting your network design. If the voice packets were to flow across PIX, then it could be that H323 fixup is broken. Any syslog messages on the PIX? Would you clarify your network design?
PIX apparently was doing a packet redirect out the inside interface when the src was the inside interface in 6.2.2 code. 6.3.1 code has stopped this behavior and instead is issuing a RST on behalf of the dst now.
My network design is the PIX and 3030 are in parallel. Behind both devices is an MSFC.
A Cisco SE in Houston gave me a workaround. I turned off IP REDIRECTS on my MSFC interface that points toward the PIX and 3030. Then I pointed all of my 3030 traffic to the MSFC. The MSFC is doing a packet redirect out the same interface, unlike the PIX 6.3.1 code. That fixed my problem.
The bigger problem is why a packet redirect needs to be done. Sniffer traces show that client to client communication on the 3030 does not route internally. The packet actually has to leave the 3030, bounce off of a router (or PIX), and route back to the 3030 for communication to successfully occur.
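The workaround described in the posts above, written out as an IOS configuration fragment. This is an added example, not configuration from the original thread or from Cisco; the interface name, VLAN, addresses and the client subnet are assumptions chosen for illustration. The point is the same as the poster's: the MSFC interface that faces both the PIX inside interface and the 3030 private interface must not send ICMP redirects, so that traffic arriving from the 3030 and destined back to another 3030 client subnet is simply forwarded out the same interface, and the 3030 Tunnel Default Gateway is pointed at the MSFC address rather than at the PIX.

```cisco
! MSFC (assumed: Catalyst 6500 MSFC, interface Vlan10 is the transit VLAN
! shared by the PIX inside interface and the 3030 private interface)
interface Vlan10
 description Transit VLAN to PIX inside (10.1.10.2) and 3030 private (10.1.10.3)
 ip address 10.1.10.1 255.255.255.0
 ! Do not send ICMP redirects when forwarding a packet back out Vlan10.
 ! Without this, the MSFC still forwards the hairpinned packet but also
 ! tells the 3030 to use a next hop on the same segment for that flow.
 no ip redirects
!
! Return route for the Network Extension Mode client subnets behind the
! 3002 hardware clients (assumed aggregate 10.200.0.0/16), via the 3030.
ip route 10.200.0.0 255.255.0.0 10.1.10.3
!
! On the 3030 (configured through its web interface, not shown here):
! set the Tunnel Default Gateway to 10.1.10.1 (the MSFC) instead of the
! PIX inside interface, so phone-to-phone traffic bounces off the MSFC.
```

To confirm the setting took effect, `show ip interface Vlan10 | include redirects` should report that ICMP redirects are never sent on that interface; with `debug ip icmp` enabled on the MSFC you should no longer see `ICMP: redirect sent to` messages for the 3030 address while two phones on different 3002 clients talk to each other. The caveat a practitioner would want: `no ip redirects` only suppresses the ICMP messages, it does not change forwarding, so the return route toward the 3030 must still exist for the hairpin to complete.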