Problems with ipsec on pix 501

I have been running a 501 for a few years with several site-to-site VPNs with no problems. At first there was 1 VPN and it has slowly grown to 4. They are all the same 501s with the latest software.

The first few years were problem free, but as more sites have been added the problems are getting worse.

When I added the third site, I restored factory defaults to remove the remnants of old configurations. From that point onward I have had problems. The second site would not maintain a tunnel after 2 minutes. I have checked the configs, replaced the modem, replaced all cables, replaced the PIX and still cannot solve the problem. At the moment I cannot get any of the VPNs to connect.

Using the monitor facility within the PDM, the IPsec tunnel does not connect and the IKE tunnel connects for about 40 secs then drops; it keeps repeating the same cycle. I am using a pre-shared key on the IKE; the pre-shared key is definitely correct as I have copied and pasted it into both 501s with the same computer.

During the time of the first errors I was getting an error code of 402101 using the debug level log.

I have employed a local Cisco engineer to help me with the problem. He advised that the configuration be changed, as I was putting the PIX behind a Netgear router and forwarding the correct ports; this config worked for several years. I have now changed all sites so the PIX is configured to be directly on the internet. The engineer was happy all the configurations were correct and he could not solve the problem; after spending six hours on our sites, he only charged me for 1 hour and was never to be seen again. The problem is getting worse.

I am able to connect to the remote sites using a VPN client, and all other functions of the firewall seem good. I have been through the wizards many times on all units and am certain the configurations are correct.

What am I doing wrong? They used to work but now they don't.

I have attached the two configurations but removed all the important info of IPs, usernames and passwords. Again, the IPs were correct.

Have I missed out a step after restoring factory defaults?

I would greatly appreciate any help anybody has to offer.



Thank you for your question. This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product. Please post your question in the Cisco NetPro forums located here: This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.

However, just looking at your configuration, I did see that your hashing algorithm on the YMCA side is using SHA and group 1 for isakmp policy 20 while on the Server side you are using 3des and group2 for policy 20.

Good Luck,
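Added example, not part of the thread or of any Cisco tooling: a small Python checker that parses `isakmp policy` lines from two PIX 6.x style configuration fragments and reports whether any phase 1 proposal on one peer agrees with a proposal on the other (IKE matches proposals by content, not by policy number). The two fragments are constructed to mirror the kind of mismatch the reply above describes, and the `lifetime` line is deliberately ignored because peers negotiate it rather than requiring equality.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed PIX 6.x style fragments (not the poster's real attachments):
# same policy number on both sides, but encryption, hash and DH group differ.
SIDE_A = """
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
"""
SIDE_B = """
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

# Attributes both peers must agree on for a phase 1 proposal to match.
ATTRS = ("authentication", "encryption", "hash", "group")
POLICY_RE = re.compile(r"^isakmp policy (\d+) (\w+) (\S+)$")

def parse_policies(config: str) -> Dict[str, Dict[str, str]]:
    """Collect isakmp policy attributes keyed by policy number."""
    policies: Dict[str, Dict[str, str]] = {}
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            num, attr, value = m.groups()
            policies.setdefault(num, {})[attr] = value
    return policies

def proposal(policy: Dict[str, str]) -> Tuple[Optional[str], ...]:
    """The tuple that must be identical on both peers."""
    return tuple(policy.get(a) for a in ATTRS)

def find_match(cfg_a: str, cfg_b: str) -> Optional[Tuple[str, str]]:
    """Return (a_num, b_num) for the first agreeing pair of policies, else None."""
    a, b = parse_policies(cfg_a), parse_policies(cfg_b)
    for na, pa in a.items():
        for nb, pb in b.items():
            if proposal(pa) == proposal(pb):
                return na, nb
    return None

def mismatches(cfg_a: str, cfg_b: str) -> List[str]:
    """Attributes that differ between same-numbered policies; empty if any pair matches."""
    if find_match(cfg_a, cfg_b):
        return []
    a, b = parse_policies(cfg_a), parse_policies(cfg_b)
    return [f"policy {n} {t}: {a[n].get(t)} vs {b[n].get(t)}"
            for n in sorted(set(a) & set(b), key=int) for t in ATTRS
            if a[n].get(t) != b[n].get(t)]
```

Run against the two fragments, `find_match` returns None and `mismatches` lists the encryption, hash and group differences; once one side is edited to agree, `find_match` returns the matching pair and the IKE SA has a proposal it can accept.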


Hi Bill,

Thanks a lot, I have got the link working now, but I have not tried the original site problem I had. If there is still an issue with the second site I will post on the Classic forum.