I am running a Pix 501 (version 6.3(1)) and using the VPN Client (versions 3.6.4(a) and 4.0.1(Rel)) for VPN access. The clients are able to connect to the Pix and go through authentication; the client claims that the secure tunnel has been established, and then 5 seconds later the tunnel is disconnected. Always 5 seconds later. The client claims that it has lost contact with the security gateway (check your network connection). Both the outside port of the Pix and the PC running the client are on the same network so there should be no routing/DSL/modem issues. This has also been tried over a DSL connection with exactly the same result.
The Pix was initially configured using the VPN wizard in the PDM. Since then the configuration has been modified to match these two documents:
The main difference between these documents (and the wizard configuration) seems to be the selections for the ipsec transform set. All of these configurations produce the same result at both clients even when using the wizard configuration (the wizard's configuration fails to negotiate a transform during the ISAKMP phase). The Pix configuration is included with some addresses and identification changed or removed. Debug output from the Pix and logs from both versions of the VPN client are available upon request.
I have seen problems similar to this posted several times but never a solution. Any suggestions or advice are appreciated. Thank you for reading.
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
Thanks for the suggestion. I won't be at the client site until Monday but will try it then.
I had seen the crypto map . . . address initiate command in examples that use old VPN clients (version 1.x) and not in ones that use newer versions (3.x or 4.x), so I left it out.
From the client logs it appeared that the clients were receiving an address from the PIX during the ISAKMP phase but during the IPSEC negotiation there is a line that reads "Adapter address changed from . Current address: 127.0.0.1" which never really sounded logical to me. The clients then immediately begin deleting SAs so hopefully this is it.
I have tried both a 3.x and 4.x version of the client on two separate PCs with the same results, which makes me think it is a Pix issue rather than a client issue.
One last (probably dumb) question in case this doesn't fix it. How do you get software updates from Cisco?
I have tried rebooting and this morning I have tried resetting the ipsec config as you suggested (and rebooting). There were no apparent changes. The tunnel is still disconnecting after approximately 5 seconds.
I also tried the client configuration address initiate/reply as suggested earlier. Also no change.