Possible bug in CSPM 30

s.vidanovic
Level 1

I would like to point out and clarify one possible bug in Cisco Secure Policy Manager 3.0. Currently, I am evaluating this product for a customer who requires a manageable remote-access VPN connection with a PIX firewall.

Here is the scenario: The customer has a PIX firewall version 6.1 and wants to have visual management of remote VPN IPSec tunnels. The VPN client is Cisco VPN Unity Client version 3.5.1. In CSPM 3.0 I was able to create IPSec tunnel templates, and in the network topology I modeled a cloud network that corresponds to the address range already defined for VPN clients on the PIX firewall and attached this cloud network directly to the Internet. In the rule for IPSec traffic, I am using this modeled cloud network as the source, the inside network as the destination and all IP traffic as the service. When I tried to connect to the PIX with the VPN client, IKE Phase 1 is successful, devices are authenticated, the user is authenticated, but in IKE Phase 2, in the debug log of the PIX, I receive:

"proxy identities not supported",

which means that the access-list for IPSec traffic does not match. But, in this case, it is not a site-to-site VPN...

During troubleshooting, I have noticed that CSPM incorrectly generates the following command:

crypto dynamic-map CSM-crypto-map-outside-dyn 5 match address CSM-crypto-acl-outside-0

This command is OK when site-to-site IPSec tunnels are in place, but for remote access this line is not needed. The workaround is to clear this line in the epilogue section, but this is not a solution. Could you please confirm this behavior as a bug of CSPM 3.0?

Another thing: It seems that CSPM 3.0 is not fully compatible with the VPN Unity client (I mean using the vpngroup command in the PIX). Because of that, I cannot configure split tunneling when using the VPN Unity client with the PIX firewall. Is that right?

Sasa Vidanovic
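For readers who hit the same "proxy identities not supported" symptom, the following PIX 6.x configuration is an added illustration written for this thread; it is not the original poster's configuration and not output generated by CSPM 3.0. It keeps the dynamic-map name from the post (CSM-crypto-map-outside-dyn) and shows the generated "match address" line beside a remote-access dynamic map that omits it, plus the vpngroup commands that give Unity clients split tunneling. The static map name (outside_map), pool name, ACL number, group name, addresses and domain are constructed placeholders.

```text
! Added illustration for this thread, not the poster's config or CSPM output.
! Addresses, pool name, ACL number, static map name and group name are
! constructed; CSM-crypto-map-outside-dyn is the name from the post above.
!
! --- Line CSPM 3.0 generates, as reported in the post (site-to-site style) ---
! crypto dynamic-map CSM-crypto-map-outside-dyn 5 match address CSM-crypto-acl-outside-0
!
! With "match address" on a dynamic map the PIX only accepts Phase 2 proxy
! identities that fall inside that ACL. A Unity client proposes its assigned
! pool address (to the split-tunnel networks, or to 0.0.0.0/0), which does
! not match the site-to-site ACL, hence "proxy identities not supported".
! For remote access, leave the dynamic map without "match address" so the
! client's proposal drives Phase 2.

! Address pool handed to Unity clients (constructed 192.168.100.0/24)
ip local pool vpnpool 192.168.100.1-192.168.100.254

! Inside network reachable through the tunnel; the same ACL serves as the
! NAT exemption list and as the split-tunnel list pushed to the client
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 101

! Let decrypted IPSec traffic bypass the outside interface ACL
sysopt connection permit-ipsec

! IKE Phase 1 policy (DH group 2 is required by the Unity client)
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! IPSec transform set
crypto ipsec transform-set strong esp-3des esp-sha-hmac

! Dynamic map for remote-access clients: transform set only, no "match address"
crypto dynamic-map CSM-crypto-map-outside-dyn 5 set transform-set strong

! Static map references the dynamic map and assigns addresses to clients
crypto map outside_map 10 ipsec-isakmp dynamic CSM-crypto-map-outside-dyn
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map interface outside

! Unity client group; the group name and password are what the client's
! "Group Name" / "Group Password" fields carry. Split tunneling is bound to
! ACL 101, so only 10.1.1.0/24 is sent through the tunnel.
vpngroup vpn3000 address-pool vpnpool
vpngroup vpn3000 dns-server 10.1.1.2
vpngroup vpn3000 default-domain example.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password <group-pre-shared-key>
```

After applying this, a client connection should complete Phase 2 without the proxy-identity error; show crypto isakmp sa and show crypto ipsec sa on the PIX should list the client's pool address as the remote identity, and the client's route table should contain only 10.1.1.0/24 via the tunnel when split tunneling is in effect. If CSPM re-emits the "match address" line on the next push, removing it in the epilogue (as the post describes) is the only way to keep the generated configuration consistent with this one.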

1 Reply

ciscomoderator
Community Manager

Oftentimes complex troubleshooting issues are best addressed in an interactive session with one of our trained technical assistance engineers. While other forum users may be able to help, it's often difficult to do so for this type of issue.

To utilize the resources at our Technical Assistance Center, please visit http://www.cisco.com/tac and, to open a case with one of our TAC engineers, visit http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.