Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

The VPN Client user cannot connect to the PIX, after a new tunnel is added

Core issue

This occurs due to the crypto map that is not applied to the correct interface or that the crypto map name is not correct.


Verify that the crypto map is applied to the correct interface and that the name of the crypto map is correct.

For example, the configuration should include a statement like in the example, where mymap is the name of the crypto map and it is enabled on the outside interface.

crypto map mymap interface outside

Your configuration should resemble this example:

!--- The sysopt command avoids the conduit 
!--- on the IPSec encrypted traffic.

sysopt connection permit-ipsec

!--- Phase 2 encryption type

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap

!--- Binding the IPSec engine on the outside interface

crypto map mymap interface outside

Note: PIX version 6.x and 7.x allows only one crypto map name per interface. While configure multiple tunnels, make sure all crypto maps have the same name, just different number.

In this example, the PIX is configued for LAN-to-LAN and VPN client access with same crypto map name but with different sequence number:

!--- Use the crypto-map sequence 10 command for LAN-to-LAN tunnel.

crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 172.x.x.x
crypto map newmap 10 set transform-set myset

!--- Use the crypto-map sequence 20 command for PIX to VPN Client.

crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside