Problem with VPN pix 501 <-> pix 515

harald.pedersen
Level 1

We have a vpn tunnel between a pix 501 ver 6.3 and a pix 515 ver 6.3 that works well.

I am now trying to move the tunnel from the pix 515 to another pix 515 ver 7.0, but with no luck.

I get the following msgs in the log:

713993: ip=x.x.x.x, header invalid, missing SA payload! (next payload = 4)

713993: Group = x.x.x.x, IP = x.x.x.x, Can't find a valid tunnel group, aborting

713902: Group = x.x.x.x, IP = x.x.x.x, Removing peer from peer table failed, no match!

713903: Group = x.x.x.x, IP = x.x.x.x, Error: Unable to remove PeerTblEntry

Any idea on what I did wrong?

Harald

1 Reply

scheikhnajib
Level 1

Hi Harald,

On PIX OS 7.0 Cisco has introduced the Tunnel-Group concept; you won't use an "isakmp" command to configure your peer and pre-shared key, but you will use the following commands:

(config)#tunnel-group x.x.x.x type ipsec-l2l (x.x.x.x is your peer address and l2l refers to LAN-to-LAN)

(config)#tunnel-group x.x.x.x ipsec-attributes

(config-ipsec)#pre-shared-key xxxxxxxx

The rest of the commands (i.e. ISAKMP, Crypto map, Crypto Transform Sets and Crypto ACLs) remain the same.

Hope this helps.

Salem.
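
A way to check a migrated configuration for the gap described in this thread, as an added example that is not part of the original posts and is not Cisco code: it reads configuration text and reports every crypto-map peer that lacks an ipsec-l2l tunnel-group or a pre-shared key under ipsec-attributes, and flags leftover 6.3-style `isakmp key` lines. The sample configuration, its 192.0.2.x addresses, the names `outside_map` and `vpn_acl_a`, and the function name `audit_l2l_peers` are constructed for illustration.

```python
import re

# Constructed 7.0-style config fragment (documentation addresses, not from the thread).
SAMPLE_CONFIG = """\
crypto map outside_map 10 match address vpn_acl_a
crypto map outside_map 10 set peer 192.0.2.10
crypto map outside_map 20 set peer 192.0.2.20
crypto map outside_map 30 set peer 192.0.2.30
isakmp key ******** address 192.0.2.20 netmask 255.255.255.255
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key *
tunnel-group 192.0.2.30 type ipsec-l2l
"""

def audit_l2l_peers(config):
    """Return {peer: [problems]} for crypto-map peers lacking a complete tunnel-group."""
    peers, l2l, keyed, legacy = [], set(), set(), set()
    current = None  # tunnel-group whose ipsec-attributes sub-mode we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            current = None  # a non-indented line ends any sub-mode
        if m := re.match(r"crypto map \S+ \d+ set peer (.+)", line):
            peers.extend(m.group(1).split())
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", line):
            l2l.add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            current = m.group(1)
        elif line.startswith("pre-shared-key ") and current:
            keyed.add(current)
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            legacy.add(m.group(1))  # 6.3 syntax: key tied to the peer address
    report = {}
    for peer in peers:
        problems = []
        if peer not in l2l:
            problems.append("no tunnel-group of type ipsec-l2l")
        if peer not in keyed:
            problems.append("no pre-shared-key under ipsec-attributes")
        if peer in legacy:
            problems.append("6.3-style 'isakmp key' line still present")
        if problems:
            report[peer] = problems
    return report

if __name__ == "__main__":
    for peer, problems in audit_l2l_peers(SAMPLE_CONFIG).items():
        print(peer, "->", "; ".join(problems))
```
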
