Core issue
This issue is due to the presence of Cisco bug ID CSCsb48916.
When IPSec LAN-to-LAN tunnels are configured with manual keys and the transform set specifies the Advanced Encryption Standard (AES) with 256-bit encryption (esp-aes-256), the encapsulation fails.
Resolution
To resolve this issue, perform one of these steps:
- Change the IPSec keying method from manual keys to Internet Security Association and Key Management Protocol (ISAKMP).
- Change the transform set to use an encryption type other than esp-aes-256 (such as esp-aes), or use ISAKMP for tunnel negotiation.
- Upgrade to PIX Firewall version 6.3(5.103) or the latest available version.
For more information, refer to the crypto ipsec transform-set command.
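One way to check a saved configuration for the affected combination before choosing a workaround, as an added example that is not Cisco's code. It assumes PIX 6.3-style `crypto map <name> <seq> ipsec-manual|ipsec-isakmp` and `crypto ipsec transform-set` lines; the map names, peers and ACL numbers in the sample are constructed.

```python
import re

# Constructed PIX 6.3-style configuration excerpt (names, peers and ACL numbers are made up).
SAMPLE_CONFIG = """\
crypto ipsec transform-set AES256SET esp-aes-256 esp-sha-hmac
crypto ipsec transform-set AES128SET esp-aes esp-sha-hmac
crypto map VPNMAP 10 ipsec-manual
crypto map VPNMAP 10 match address 101
crypto map VPNMAP 10 set peer 192.0.2.10
crypto map VPNMAP 10 set transform-set AES256SET
crypto map VPNMAP 20 ipsec-isakmp
crypto map VPNMAP 20 set peer 192.0.2.20
crypto map VPNMAP 20 set transform-set AES256SET
crypto map VPNMAP 30 ipsec-manual
crypto map VPNMAP 30 set peer 192.0.2.30
crypto map VPNMAP 30 set transform-set AES128SET
"""

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MODE_RE = re.compile(r"^crypto map (\S+) (\d+) (ipsec-manual|ipsec-isakmp)\b")
SET_RE = re.compile(r"^crypto map (\S+) (\d+) set transform-set (.+)$")


def find_affected_entries(config_text):
    """Return sorted (map, seq, transform-set) tuples pairing manual keying with esp-aes-256."""
    transforms = {}  # transform-set name -> list of transforms
    modes = {}       # (map name, seq) -> keying mode
    refs = {}        # (map name, seq) -> referenced transform-set names
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := TS_RE.match(line):
            transforms.setdefault(m.group(1), []).extend(m.group(2).split())
        elif m := MODE_RE.match(line):
            modes[(m.group(1), int(m.group(2)))] = m.group(3)
        elif m := SET_RE.match(line):
            refs.setdefault((m.group(1), int(m.group(2))), []).extend(m.group(3).split())
    affected = []
    for key, names in refs.items():
        if modes.get(key) != "ipsec-manual":
            continue  # ISAKMP-negotiated entries are not the case described above
        for name in names:
            if "esp-aes-256" in transforms.get(name, []):
                affected.append((key[0], key[1], name))
    return sorted(affected)


if __name__ == "__main__":
    for map_name, seq, ts in find_affected_entries(SAMPLE_CONFIG):
        print(f"crypto map {map_name} {seq}: ipsec-manual with esp-aes-256 via {ts}")
```

In the sample, only entry 10 is reported: entry 20 uses the same transform set but negotiates with ISAKMP, and entry 30 uses manual keys with esp-aes.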