Cisco Support Community

The LAN-to-LAN tunnels do not work after an upgrade to PIX Firewall version 7.0

Core issue

In PIX Firewall version 6.3, there is no option for tunnel groups. In PIX version 7.x, when the VPN tunnel is configured using the Adaptive Security Device Manager (ASDM), the PIX automatically creates a tunnel group, just as VPN concentrators do.

The PIX automatically creates a tunnel group for all LAN-to-LAN tunnels during the code upgrade. However, the PIX sometimes fails to create tunnel groups for all tunnels. This can happen if there is a misconfiguration or there are incomplete crypto maps.

In PIX version 7.x, the tunnel does not come up if tunnel group information is missing in the configuration.


This issue is documented in the Cisco bug ID CSCeh60361.

In order to resolve this issue, create a tunnel group for the specific tunnel.

Add these commands after the upgrade to PIX 7.x:

tunnel-group group1 type ipsec-ra
tunnel-group group1 general-attributes
address-pool pool1
tunnel-group group1 ipsec-attributes
pre-shared-key mypassword
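
A check for the failure described above, as an added example (not Cisco's code and not part of the original article): it reads a saved PIX 7.x running configuration and reports incomplete crypto map entries and peers that have no LAN-to-LAN tunnel group. It assumes the "tunnel-group <peer-ip> type ipsec-l2l" form, in which the group is named after the peer address; the sample configuration and the function name audit_l2l are constructed for illustration.

```python
import re

# Constructed sample of a PIX 7.x running-config after an upgrade (not from the article).
SAMPLE_CONFIG = """\
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 192.0.2.10
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 198.51.100.7
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 60 set peer 203.0.113.5
crypto map outside_map interface outside
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key *
tunnel-group 203.0.113.5 type ipsec-l2l
"""

ENTRY_RE = re.compile(
    r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (.+)$")
GROUP_RE = re.compile(r"^tunnel-group (\S+) type (\S+)$")
REQUIRED = ("match address", "set peer", "set transform-set")


def audit_l2l(config):
    """Return (incomplete crypto map entries, peers lacking an ipsec-l2l group)."""
    entries, groups = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := ENTRY_RE.match(line):
            name, seq, keyword, value = m.groups()
            # "set peer" may list several peers on one line
            entries.setdefault((name, int(seq)), {})[keyword] = value.split()
        elif m := GROUP_RE.match(line):
            groups[m.group(1)] = m.group(2)
    incomplete = {key: [k for k in REQUIRED if k not in fields]
                  for key, fields in entries.items()
                  if any(k not in fields for k in REQUIRED)}
    peers = sorted({p for f in entries.values() for p in f.get("set peer", [])})
    # Assumption: an L2L group is named after the peer IP and typed ipsec-l2l.
    missing = [p for p in peers if groups.get(p) != "ipsec-l2l"]
    return incomplete, missing


if __name__ == "__main__":
    incomplete, missing = audit_l2l(SAMPLE_CONFIG)
    for (name, seq), absent in sorted(incomplete.items()):
        print(f"crypto map {name} {seq}: missing {', '.join(absent)}")
    for peer in missing:
        print(f"peer {peer}: no ipsec-l2l tunnel-group")
```

Run it against the output of "show running-config" saved to a text file, once before and once after the upgrade, to see which tunnels lost or never received a tunnel group.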

For more information, refer to PIX/ASA 7.x Simple PIX-to-PIX VPN Tunnel using ASDM Configuration Example.

For the Command Line Interface (CLI) mode, refer to Configuring LAN-to-LAN VPNs.

For additional resources, refer to Guide for PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0.

Version history
Revision #: 1 of 1
Last update: 06-22-2009 04:11 PM