Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1107
Views
0
Helpful
0
Comments

The VPN client fails to connect to the PIX firewall and the IPSEC(validate_transform_proposal): proxy identities not supported" error message appears in the debugs

TCC_2
Level 10
Level 10

on ‎06-22-2009 04:05 PM

Core issue

The VPN client fails to connect to the PIX firewall and VPN Tunnel is unable to complete the Phase 2 negotiations.

The debug crypto ipsec command shows this error message:

IPSEC(validate_transform_proposal): proxy identities not supported

This issue usually occurs if crypto maps are configured with the PIX Device Manager (PDM), because the PDM generates and adds this entry into the crypto map independently:

crypto dynamic-map  20 match address

Resolution

In order to resolve this issue:

Use the command line in order to remove this entry from the crypto map. Use the no form in front of this entry in order to remove it. For example:

PIX(config)#no crypto dynamic-map  20 match address

Note: It is necessary to remove the crypto map from the outside interface before any changes are made.

Attempts to connect to the VPN client now work.

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents