Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN 3000


We have a Vpn 3000 that we are trying to conenct to a set of sonicwalls. the sonicwalls are T170 and one is on a Public address and another is on a NAT'd address. the tunnels come up and data is transferred, but when the devices need to renegotiate they can not get beyond phase 1 and the sonicwalls have to be restarted to bring the tunnel up. if the time frame is set for 8 hrs exactly 6 hours into the connection the tunnel will drop and will not come up on it's own until the additional 2 hrs to make up the 8 hrs has passed. any help with this matter would be greatly appreciated.


Re: VPN 3000

A gateway-to-gateway IPsec tunnel from the remote PIX to the hub PIX. This tunnel encrypts the traffic from network behind the remote PIX to network behind the hub PIX. The PC on the Internet can form an IPsec tunnel through the hub PIX to network .

In order to use the Xauth feature, you must first set up your basic authentication, authorization, and accounting (AAA) server. Use the crypto map client authentication command to tell the PIX Firewall to use the Xauth (RADIUS/TACACS+ user name and password) challenge during Phase 1 of Internet Key Exchange (IKE) in order to authenticate IKE. If the Xauth fails, the IKE security association is not established. Specify the same AAA server name within the crypto map client authentication command statement that is specified in the aaa-server command statement. The remote user must run Cisco VPN Client version 3.x. or later.

Note: Cisco recommends you use Cisco VPN Client 3.5.x or later. VPN Client 1.1 does not work with this configuration and is out of the scope of this document.

Note: Cisco VPN Client 3.6 and later does not support the transform set of des/sha.

If you need to restore the configuration without Xauth, use the no crypto map client authentication command. The Xauth feature is not enabled by default.