Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Problem with VPN pix 501 <-> pix 515

We have a vpn tunnel between a pix 501 ver 6.3 and a pix 515 ver 6.3 that works well.

I am now trying to move the tunnel from the pix 515 to an other pix 515 ver 7.0, but with no luck.

I get the following msgs in the log :

713993: ip=x.x.x.x, header invalid, missing SA payload! (next payload = 4)

713993: Group = x.x.x.x, IP = x.x.x.x, Can't find a valid tunnel group, aborting

713902: Group = x.x.x.x, IP = x.x.x.x, Removing peer from peer table failed, no match!

713903: Group = x.x.x.x, IP = x.x.x.x, Error: Unable to remove PeerTblEntry

Any idea on what I did wrong?


New Member

Re: Problem with VPN pix 501 <-> pix 515

Hi Harald,

On PIX OS 7.0 Cisco has introduced the Tunnel-Group concept, you won't use an "isakmp" command to configure your peer and pre-shared key, but you will use the following command:

(config)#tunnel-group x.x.x.x type ipsec-l2l (x.x.x.x is ur peer address and l2l refers to LAN-to-LAN)

(config)#tunnel-group x.x.x.x ipsec-attributes

(config-ipsec)#pre-shared-key xxxxxxxx

The rest of the commands (i.e. ISAKMP, Crypto map, Crypto Transform Sets and Crypto ACLs remain the same).

Hope this helps.