Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
508
Views
0
Helpful
0
Comments

The LAN-to-LAN tunnels do not work after an upgrade to PIX Firewall version 7.0

TCC_2
Level 10
Level 10

on ‎06-22-2009 04:11 PM

Core issue

In PIX Firewall version 6.3, there is no option for tunnel groups. In PIX version 7.x, while the VPN tunnel is configured using the Adaptive Security Device Manager (ASDM), PIX automatically creates a tunnel group, just as in VPN concentrators.

The PIX automatically creates a tunnel group for all LAN-to-LAN tunnels during the code upgrade. However, the PIX sometimes fails to create tunnel groups for all tunnels. This can happen if there is a misconfiguration or there are incomplete crypto maps.

In PIX version 7.x, the tunnel does not come up if tunnel group information is missing in the configuration.

Resolution

This issue is documented in the Cisco bug ID CSCeh60361.

In order to resolve this issue, create a tunnel group for the specific tunnel.

Add these commands after the upgrade to the PIX 7.x:

tunnel-group group1 type ipsec-ra
tunnel-group group1 general-attributes
address-pool pool1
tunnel-group group1 ipsec-attributes
pre-shared-key mypassword

For more information, refer to PIX/ASA 7.x Simple PIX-to-PIX VPN Tunnel using ASDM Configuration Example.

For the Command Line Interface (CLI) mode, refer to Configuring LAN-to-LAN VPNs.

For additional resources, refer to Guide for PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0.

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents