Core issue
In PIX Firewall version 6.3, there is no option for tunnel groups. In PIX version 7.x, while the VPN tunnel is configured using the Adaptive Security Device Manager (ASDM), PIX automatically creates a tunnel group, just as in VPN concentrators.
The PIX automatically creates a tunnel group for all LAN-to-LAN tunnels during the code upgrade. However, the PIX sometimes fails to create tunnel groups for all tunnels. This can happen if there is a misconfiguration or there are incomplete crypto maps.
In PIX version 7.x, the tunnel does not come up if tunnel group information is missing in the configuration.
Resolution
This issue is documented in the Cisco bug ID CSCeh60361.
In order to resolve this issue, create a tunnel group for the specific tunnel.
Add these commands after the upgrade to the PIX 7.x:
tunnel-group group1 type ipsec-ra
tunnel-group group1 general-attributes
address-pool pool1
tunnel-group group1 ipsec-attributes
pre-shared-key mypassword
For more information, refer to PIX/ASA 7.x Simple PIX-to-PIX VPN Tunnel using ASDM Configuration Example.
For the Command Line Interface (CLI) mode, refer to Configuring LAN-to-LAN VPNs.
For additional resources, refer to Guide for PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0.