10-15-2002 02:59 AM - edited 02-20-2020 10:18 PM
I can't seem to get this to work with a VPN 3000 as the server. It does work with client mode network-ext. I see pings go all the way through to the destination and replies coming back to the VPN 3000 but nothing back to my PC. Also, even if I were to get this to work, will this work if I put an IP phone and use client mode????
10-15-2002 06:35 AM
I just got this to work with the help of TAC. There are two bugs on CCO concerning this type of connection.
Just to let you know, to truly bring the tunnel up you have to initiate traffic from behind the PIX. The connection will appear to come up on its own but you cannot contact devices behind the PIX until they first try to send traffic to the concentrator.
10-15-2002 11:31 AM
What did you have to do to fix it? I know the packets are coming back to the PIX because I set a debug packet outside and then did a continuous ping.
10-15-2002 07:43 PM
IP phone usage requires network-extension mode.
Nelson
10-16-2002 06:20 PM
Bill, are you saying the PIX in client mode cannot establish the tunnel or can establish the tunnel but not pass data?
Anyway, you need to turn on the following logging for us to see what's going on:
1) On the VPN 3000 enable AUTH, IKE, IKEDBG level 9 events.
2) On the PIX turn on debug (debug crypto ipsec, debug crypto isakmp)
3) Clear the logs; initiate the tunnel (ping), and please post 1 and 2 results here.
Thanks.
Nelson