
PIX upgrade to version 7.x nightmare

netmgt
Level 1

Recently we upgraded all our PIX 515E to version 7.1(2) and the nightmare began. In one network the Citrix MetaFrame Web client stopped working. We upgraded to version 7.2(1) and MetaFrame started working again, but then the remote access VPN did not work anymore. Another problem we found: the ASDM has a bug in the Global network objects group. Not all of the IP names are shown in the list. In another network the HTTP fixup started blocking access to a Web portal we have in the DMZ. In that same network we have a Site-to-Site VPN, and with version 7.1(2) we couldn't manage the remote PIX with SSH or ASDM because there is a bug. We had to upgrade the remote PIX to version 7.2(1) to be able to manage the PIX remotely. Another problem we found: for some reason all the PIX started failing over from active to passive without reason. We had to remove all the failover configuration and reconfigure the failover again to make it work more stably. Still, we get failover sometimes without reason. Right now we are considering going back to version 6.3(5) until a GD version is released.

5 Replies

dentt
Level 1

I would advise a downgrade to 7.0(5). I am using this version right now on both PIX and ASA hardware with good success. I have Citrix working through the FW using this code, and no failover issues.

Let me know how this goes if you downgrade.

TD

I installed version 7.0(5). Now Citrix and the remote access VPN don't work. The clients are behind the PIX and the server is outside.

Could you send me your config?

That's the VPN config

group-policy DfltGrpPolicy attributes
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp enable
 re-xauth disable
 group-lock none
 pfs enable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
group-policy remote-access internal
group-policy remote-access attributes
 wins-server value 10.x.x.1 10.x.x.2
 dns-server value 10.x.x.1 10.x.x.2
 default-domain value socsouth.mil
group-policy riggervpn internal
group-policy riggervpn attributes
 wins-server value 10.x.x.1 10.x.x.2
 dns-server value 10.x.x.1 10.x.x.2
 default-domain value socsouth.mil
group-policy mpvpn internal
group-policy mpvpn attributes
 wins-server value 10.x.x.1 10.x.x.2
 dns-server value 10.x.x.1 10.x.x.2
 default-domain value socsouth.mil
sysopt noproxyarp inside
sysopt noproxyarp DMZ
auth-prompt prompt *******************US DEPARTMENT OF DEFENSE WARNING STATEMENT*******************
auth-prompt accept Use of this system constitutes consent to monitoring for these purposes
auth-prompt reject You are not authorize tu use this system
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) socradius
tunnel-group remote-access type ipsec-ra
tunnel-group remote-access general-attributes
 address-pool ais-pool
 authentication-server-group socradius
 default-group-policy remote-access
tunnel-group remote-access ipsec-attributes
 pre-shared-key *
tunnel-group riggervpn type ipsec-ra
tunnel-group riggervpn general-attributes
 address-pool rigger-pool
 authentication-server-group socradius
 default-group-policy riggervpn
tunnel-group riggervpn ipsec-attributes
 pre-shared-key *
tunnel-group mpvpn type ipsec-ra
tunnel-group mpvpn general-attributes
 address-pool mp-pool
 authentication-server-group socradius
 default-group-policy mpvpn
tunnel-group mpvpn ipsec-attributes
 pre-shared-key *

Make everything to work with version 7.1(1)
