Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Possible bug in CSPM 30

I would like to point and clarify one possible bug in Cisco Secure Policy Manager 3.0. Currently, I am evaluating this product for one customer that requires manageable remote access VPN connection with PIX firewall.

Here is scenario: Customer has PIX firewall version 6.1 and want to have visual managament of remote VPN IPSec tunnels. VPN client is Cisco VPN Unity Client version 3.5.1. In CSPM 3.0 I was able to create IPSec Tunnel templates, and in the Network topology I modeled Cloud network that corresponds to the address range already defined for VPN clients on PIX firewall and attach this cloud network directly to Internet. In the rule for IPSec traffic, I am using this modeled cloud network as a source, inside network as destination and all IP traffic as a service. When I tried to connect to PIX with VPN client, IKE Phase 1 is successful, devices are authenticated, user is authenticated, but in IKE Phase 2, in debug log of the PIX, I receive:

"proxy identities not supported",

which means that access-list for IPSec traffic does not match. But, in this case, it is not site-to-site VPN...

During troubleshooting, I have noticed that CSPM incorrectly generates the following command:

crypto dynamic-map CSM-crypto-map-outside-dyn 5 match address CSM-crypto-acl-outside-0

This command is OK when site-to-site IPSec tunnels are in place, but for remote access, this line is not needed. Workaround is to clear this line in epilogue section, but this is not the solution. Could you please confirm this behavior as a bug of CSPM 3.0?

Another thing: It seems that CSPM 3.0 is not fully compatible with VPN Unity client (I mean using vpngroup command in PIX). Because of that, I can not configure split tunneling when using VPN Unity client with PIPX firewall. Is that right?

Sasa Vidanovic


Re: Possible bug in CSPM 30

Often times complex troubleshooting issues are best addressed in an interactive session with one of our trained technical assistance engineers. While other forum users may be able to help, it’s often difficult to do so for this type of issue.

To utilize the resources at our Technical Assistance Center, please visit and to open a case with one of our TAC engineers, visit

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.

CreatePlease login to create content