I have a cisco pix 515 that accepts about 10 vpn tunnels. on the other end are 3com office connect vpn routers. 9 out of the 10 don't have a problem and stay connected. the 10th one will not connect at all. I've tried different office connects so i know that's not the problem. Which tells me the problem is at the PIX. I just don't really know what to look for. I've found where a working VPN site IP exists in the pix config and then looked for the vpn site i can't get up and they look the same except their parts of different crypto map numbers. Does anyone have any idea where i can look at next?
Cisco PIX/VPN problem
- Thread starter gmc8757
- Start date
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
sieistganzfett
Senior member
- Mar 2, 2005
- 588
- 0
- 0
uh, is i assume 10 vpn is fine for that model, i can only think of the cisco IOS, is it the latest from cisco? another thing i could think of is just redoing the config for the one that isnt working, did you config it or did someone else? also, if your need an answer quick, im sure the cisco tech support will help well. good luck.
spyordie007
Diamond Member
- May 28, 2001
- 6,229
- 0
- 0
You might want to try pulling up the PDM (web-based GUI for the PIX) and running through the VPN wizard, if you're using shared keys you'll have to do the same on the other side.
The other option would be to hire a consultant to help out, there are lots of firms that specialize in Cisco-based solutions that should be able to help out with the PIX config.
Erik
The other option would be to hire a consultant to help out, there are lots of firms that specialize in Cisco-based solutions that should be able to help out with the PIX config.
Erik
spyordie007
Diamond Member
- May 28, 2001
- 6,229
- 0
- 0
Generally, yes. But when you're connecting with another vendor's hardware on the other end and you don't know how to troubleshoot problems that crop up...It sucks because there really isn't much to configuring a new vpn site right? a few commands and your good to go pretty much?
I'm pretty sure you don't, PIXes don't run IOS they run PIX OS.pretty sure we do have the latest IOS
Even if you were running the latest it doesn't always mean newest (or most stable). A quick check on Cisco.com shows that the newest (7.0.6.ED) was released 22-AUG-2006, however the latest (7.2.1.ED) was released 31-MAY-2006. So what version are you running?
You're right, we're using version 6.3(3)
The other vpn tunnels are using the same 3com office connects. I just tried one out of a working vpn site and it didn't work at this site.
Could it be something with the cable modem? It's a uBR900, do you think they could be blocking something, Time Warner has control of this box.
I can however, establish a vpn client connection with my laptop if i plug right into it, and connect to the same PIX. I just can't get the office connect to establish the tunnel, it doesn't get past "Negotiating Phase One".
Thanks a lot.
The other vpn tunnels are using the same 3com office connects. I just tried one out of a working vpn site and it didn't work at this site.
Could it be something with the cable modem? It's a uBR900, do you think they could be blocking something, Time Warner has control of this box.
I can however, establish a vpn client connection with my laptop if i plug right into it, and connect to the same PIX. I just can't get the office connect to establish the tunnel, it doesn't get past "Negotiating Phase One".
Thanks a lot.
spyordie007
Diamond Member
- May 28, 2001
- 6,229
- 0
- 0
What happens if you try with your laptop from behind that cable connection? I wouldnt think that a cable modem would be enough to break the tunnel, but than again I have no way of knowing what they are doing on it...
Are you using shared keys? A key mismatch would cause a failure on phase one, might be worth rebuilding the site-to-site tunnel (as I mentioned earlier).
BTW 6.3(3) is getting older, 7.x is quite a bit better (i.e. it adds support for MPF). Purchasing SmartNet would get you updated software AND support on this issue from Cisco's TAC. If you don't want to go with partner support this would at least give you something.
Erik
Are you using shared keys? A key mismatch would cause a failure on phase one, might be worth rebuilding the site-to-site tunnel (as I mentioned earlier).
BTW 6.3(3) is getting older, 7.x is quite a bit better (i.e. it adds support for MPF). Purchasing SmartNet would get you updated software AND support on this issue from Cisco's TAC. If you don't want to go with partner support this would at least give you something.
Erik
http://www.cisco.com/en/US/tech/tk583/t...logies_tech_note09186a00800949c5.shtml
You'll need to go through basic VPN troubleshooting to see what is going on. It's impossible to assist by guessing.
But if I had to guess I'd try to rule out NAT being involved somewhere between the endpoints.
You'll need to go through basic VPN troubleshooting to see what is going on. It's impossible to assist by guessing.
But if I had to guess I'd try to rule out NAT being involved somewhere between the endpoints.
ok, so i tried to establish a connection with the new shared key, same thing.
The set up is like this- cable modem, to a 3 com office connect with it's outside address and 172.16.1.1 as the inside address. This doesn't establish the tunnel.
If i connect a laptop to the 3com and try to connect with the vpn client, it doesn't work. If i configure my laptop to have the outside address and connect it right to the modem(take out the 3com all together), i can vpn in with the client. Shouldn't i be able to vpn in even though i'm behind the 3com?
The set up is like this- cable modem, to a 3 com office connect with it's outside address and 172.16.1.1 as the inside address. This doesn't establish the tunnel.
If i connect a laptop to the 3com and try to connect with the vpn client, it doesn't work. If i configure my laptop to have the outside address and connect it right to the modem(take out the 3com all together), i can vpn in with the client. Shouldn't i be able to vpn in even though i'm behind the 3com?
TRENDING THREADS
-
Discussion Zen 5 Speculation (EPYC Turin and Strix Point/Granite Ridge - Ryzen 9000)- Started by DisEnchantment
- Replies: 25K
-
Discussion Intel Meteor, Arrow, Lunar & Panther Lakes + WCL Discussion Threads
- Started by Tigerick
- Replies: 24K
-
Discussion Intel current and future Lakes & Rapids thread- Started by TheF34RChannel
- Replies: 23K
-
-
AnandTech is part of Future plc, an international media group and leading digital publisher. Visit our corporate site.
© Future Publishing Limited Quay House, The Ambury, Bath BA1 1UA. All rights reserved. England and Wales company registration number 2008885.
Facebook
Twitter