Cisco PIX/VPN problem

gmc8757

Member
Feb 9, 2005
170
0
0
I have a Cisco PIX 515 that accepts about 10 VPN tunnels. On the other end are 3Com OfficeConnect VPN routers. 9 out of the 10 don't have a problem and stay connected. The 10th one will not connect at all. I've tried different OfficeConnects, so I know that's not the problem, which tells me the problem is at the PIX. I just don't really know what to look for. I've found where a working VPN site IP exists in the PIX config and then looked for the VPN site I can't get up, and they look the same except they're part of different crypto map numbers. Does anyone have any idea where I can look next?
 
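The original poster compared the working peer's crypto map lines with the failing peer's by eye. The following script (an added example, not code from the thread or from Cisco) does that comparison mechanically for a PIX 6.x-style `show running-config` dump: for every `crypto map` entry it checks that the entry is `ipsec-isakmp`, that its `match address` ACL and `set transform-set` are actually defined, and that an `isakmp key ... address` line exists for the `set peer` address. The config text is constructed for illustration, with documentation-range peer addresses; the keys appear as the masked `********` the PIX prints, so the script can only detect a missing key line, not a key value that differs from the remote end (that still fails phase one and shows up only in `debug crypto isakmp` output).

```python
"""Consistency checker for PIX 6.x site-to-site VPN configuration.

Added example; not from the thread or from Cisco. Parses the lines that
make up one site-to-site tunnel on a PIX and reports anything dangling.
"""
import re
from collections import defaultdict

# Constructed sample config in PIX 6.3 syntax. Entry 10 is complete;
# entry 20 (the "tenth site") is deliberately missing its isakmp key and
# references a transform-set that is never defined.
SAMPLE_CONFIG = """\
access-list vpn-site1 permit ip 10.1.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list vpn-site2 permit ip 10.1.0.0 255.255.0.0 172.16.2.0 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn-site1
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set strong
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address vpn-site2
crypto map outside_map 20 set peer 203.0.113.20
crypto map outside_map 20 set transform-set weak
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
"""


def parse_pix_vpn(config: str) -> dict:
    """Collect ACL names, transform-set names, isakmp key peers and
    per-entry crypto map fields from a PIX 6.x config dump."""
    acls, transform_sets, keys = set(), set(), set()
    entries = defaultdict(dict)  # (map name, sequence number) -> fields
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+) ", line):
            transform_sets.add(m.group(1))
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            keys.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) (.+)", line):
            entry = entries[(m.group(1), int(m.group(2)))]
            rest = m.group(3)
            if rest == "ipsec-isakmp":
                entry["ipsec-isakmp"] = True
            elif mm := re.match(r"match address (\S+)", rest):
                entry["acl"] = mm.group(1)
            elif mm := re.match(r"set peer (\S+)", rest):
                entry["peer"] = mm.group(1)
            elif mm := re.match(r"set transform-set (\S+)", rest):
                entry["transform"] = mm.group(1)
    return {"acls": acls, "transform_sets": transform_sets,
            "keys": keys, "entries": dict(entries)}


def check_vpn_entries(config: str) -> dict:
    """Return {"<map> <seq>": [problem, ...]} for every crypto map entry.
    An empty list means the entry references only things that exist."""
    parsed = parse_pix_vpn(config)
    problems = {}
    for (name, seq), fields in sorted(parsed["entries"].items()):
        found = []
        if not fields.get("ipsec-isakmp"):
            found.append("entry is not marked ipsec-isakmp")
        acl = fields.get("acl")
        if acl is None:
            found.append("no 'match address' ACL")
        elif acl not in parsed["acls"]:
            found.append(f"ACL {acl} is referenced but never defined")
        peer = fields.get("peer")
        if peer is None:
            found.append("no 'set peer'")
        elif peer not in parsed["keys"]:
            found.append(f"no 'isakmp key ... address {peer}' line for the peer")
        ts = fields.get("transform")
        if ts is None:
            found.append("no 'set transform-set'")
        elif ts not in parsed["transform_sets"]:
            found.append(f"transform-set {ts} is referenced but never defined")
        problems[f"{name} {seq}"] = found
    return problems


if __name__ == "__main__":
    for entry, found in check_vpn_entries(SAMPLE_CONFIG).items():
        status = "OK" if not found else "; ".join(found)
        print(f"{entry}: {status}")
```

Feed it a real dump with `python check.py < running-config.txt` after replacing `SAMPLE_CONFIG` with `sys.stdin.read()`; the checks only cover the structural pieces a site-to-site entry needs, so a clean report does not rule out a mismatched key, a wrong peer address, or a problem on the far side or in the path (which is where this thread's failure turned out to be).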

sieistganzfett

Senior member
Mar 2, 2005
588
0
0
Uh, I assume 10 VPNs is fine for that model. I can only think of the Cisco IOS; is it the latest from Cisco? Another thing I could think of is just redoing the config for the one that isn't working. Did you config it, or did someone else? Also, if you need an answer quick, I'm sure Cisco tech support will help well. Good luck.
 

gmc8757

Member
Feb 9, 2005
170
0
0
Hey, thanks for the help. I didn't config it, someone else did. We don't have a contract with Cisco tech support, so they won't help. Sorry, I was wrong! We are using PIX OS 6.3(3).

I hope to get this up and running soon. Thanks.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
You might want to try pulling up the PDM (web-based GUI for the PIX) and running through the VPN wizard, if you're using shared keys you'll have to do the same on the other side.

The other option would be to hire a consultant to help out, there are lots of firms that specialize in Cisco-based solutions that should be able to help out with the PIX config.

Erik
 

gmc8757

Member
Feb 9, 2005
170
0
0
It sucks because there really isn't much to configuring a new VPN site, right? A few commands and you're good to go, pretty much?
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
"It sucks because there really isn't much to configuring a new VPN site, right? A few commands and you're good to go, pretty much?"
Generally, yes. But when you're connecting with another vendor's hardware on the other end and you don't know how to troubleshoot problems that crop up...
"pretty sure we do have the latest IOS"
I'm pretty sure you don't; PIXes don't run IOS, they run PIX OS.

Even if you were running the latest, it doesn't always mean newest (or most stable). A quick check on Cisco.com shows that the newest (7.0.6.ED) was released 22-AUG-2006, however the latest (7.2.1.ED) was released 31-MAY-2006. So what version are you running?
 

gmc8757

Member
Feb 9, 2005
170
0
0
You're right, we're using version 6.3(3)

The other vpn tunnels are using the same 3com office connects. I just tried one out of a working vpn site and it didn't work at this site.

Could it be something with the cable modem? It's a uBR900. Do you think they could be blocking something? Time Warner has control of this box.

I can, however, establish a VPN client connection with my laptop if I plug right into it and connect to the same PIX. I just can't get the OfficeConnect to establish the tunnel; it doesn't get past "Negotiating Phase One".

Thanks a lot.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
What happens if you try with your laptop from behind that cable connection? I wouldn't think that a cable modem would be enough to break the tunnel, but then again I have no way of knowing what they are doing on it...

Are you using shared keys? A key mismatch would cause a failure on phase one, might be worth rebuilding the site-to-site tunnel (as I mentioned earlier).

BTW 6.3(3) is getting older, 7.x is quite a bit better (i.e. it adds support for MPF). Purchasing SmartNet would get you updated software AND support on this issue from Cisco's TAC. If you don't want to go with partner support this would at least give you something.

Erik
 

gmc8757

Member
Feb 9, 2005
170
0
0
OK, so I tried to establish a connection with the new shared key. Same thing.

The setup is like this: cable modem to a 3Com OfficeConnect with its outside address and 172.16.1.1 as the inside address. This doesn't establish the tunnel.

If I connect a laptop to the 3Com and try to connect with the VPN client, it doesn't work. If I configure my laptop to have the outside address and connect it right to the modem (take out the 3Com altogether), I can VPN in with the client. Shouldn't I be able to VPN in even though I'm behind the 3Com?
 

gmc8757

Member
Feb 9, 2005
170
0
0
Do you think it's worth getting TW out here to check their box? Or would it be a waste of their time?
 

gmc8757

Member
Feb 9, 2005
170
0
0
Alrighty, I finally got it going. Problem was the TW box. I took one of the TW boxes from another site where we don't use a VPN tunnel and swapped it with this one, and it works just like that. Thanks for your help, guys.