This occurs due to the crypto map that is not applied to the correct interface or that the crypto map name is not correct.
Verify that the crypto map is applied to the correct interface and that the name of the crypto map is correct.
For example, the configuration should include a statement like in the example, where mymap is the name of the crypto map and it is enabled on the outside interface.
crypto map mymap interface outside
Your configuration should resemble this example:
!--- The sysopt command avoids the conduit !--- on the IPSec encrypted traffic. sysopt connection permit-ipsec!--- Phase 2 encryption type crypto ipsec transform-set myset esp-des esp-md5-hmac crypto dynamic-map dynmap 10 set transform-set myset crypto map mymap 10 ipsec-isakmp dynamic dynmap!--- Binding the IPSec engine on the outside interface crypto map mymap interface outside
Note: PIX version 6.x and 7.x allows only one crypto map name per interface. While configure multiple tunnels, make sure all crypto maps have the same name, just different number.
In this example, the PIX is configued for LAN-to-LAN and VPN client access with same crypto map name but with different sequence number:
!--- Use the crypto-map sequence 10 command for LAN-to-LAN tunnel.
crypto map newmap 10 ipsec-isakmpcrypto map newmap 10 match address 110crypto map newmap 10 set peer 172.x.x.xcrypto map newmap 10 set transform-set myset!--- Use the crypto-map sequence 20 command for PIX to VPN Client.crypto map newmap 20 ipsec-isakmp dynamic dynmapcrypto map newmap interface outside