Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
396
Views
0
Helpful
4
Replies

RA VPN PIX 6.2

Kelvin Willacey
Level 4
Level 4

‎10-27-2010 11:22 AM

I am having trouble with remote access VPN on a PIX running 6.2, it's not getting pass phase 1 and the debug is saying that the attributes don't match. I am not sure if it is a VPN client issue or if it's a configuration issue, because the configuration is really simple.

Please see attached, any help would be greatly appreciated, thanks.

Labels:
74237-putty.log.zip
0 Helpful
4 Replies 4

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎10-27-2010 02:30 PM

Hi,

I don't see from the configuration why phase 1 won't match.

Is there any firewall or device that might be blocking UDP 500 either in front of the PIX or on the client side?

What's the output of the ''sh cry isa sa det''

Federico.

0 Helpful

Kelvin Willacey
Level 4
Level 4
In response to Federico Coto Fajardo

‎10-27-2010 02:45 PM

Well the firewall I am trying to connect to is directly connected to the Internet and I can connect to other remote access VPNs from my machine all of which I have configured, although those configurations were all done on ASAs but this PIX is giving me a headache. Here is the output below:

pixfirewall# sh crypto isakmp sa detail
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

I just can't figure out why it would be failing on phase 1. Could the PIX have an issue with the version of my client? I am running 5.0.07.0290

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to Kelvin Willacey

‎10-27-2010 03:17 PM

The public IP where your client is coming from is 72.252.201.21?

Could be compatibility issues (the PIX OS is very old)

Check the ''show version'' because it seems that it will only work on PIX OS 6.2.2(122) or above.

Check this:

http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client5007/release/notes/vpnclient5007.html

Federico.

0 Helpful

Kelvin Willacey
Level 4
Level 4
In response to Federico Coto Fajardo

‎10-27-2010 05:20 PM

Interesting that could be the issue since the PIX is only running 6.2.2

However the download site only has 4.8 as the oldest vpn client and I would love to be able to test it before telling them to upgrade. Does anyone know where I can get an older version of the vpn client?

0 Helpful
Customers Also Viewed These Support Documents