01-13-2009 02:13 AM
Hi,
I'm trying to replace a PIX 506 [working OK] with an ASA 5505. But just
after swapping them some of the VPN links don't work. I can't ping
sites. Cisco VPN Client access doesn't work either. I was following a few
Cisco manuals but I can't figure out what is missing in my config.
Could you please have a look at my config, maybe something obvious - I hope so.
Many thanks.
01-13-2009 08:13 AM
Try this:
Remove this line: "crypto map outside_map 10 ipsec-isakmp dynamic dynmap"
clear config crypto map outside_map 10
Then place it at the very bottom of your crypto config by entering:
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
Also, you have a typo on map 80:
crypto map outsite_map 80 - I think it should be "outside".
Make that change and try it; if clients are still not able to connect, get the client logs and the ASA debugs.
01-14-2009 12:52 PM
Many thanks for your reply.
I have sorted most of the issues:
1. I was pointing to the wrong RADIUS server.
2. The pre-shared key for the Cisco client was wrong.
3. There is a "set pfs" command on one site, so I have added this to my config - it works!
I didn't touch the dynamic dynmap as you advised, but it works so far.
I can't understand why my typo ["crypto map outsite_map 80"] didn't affect the VPN link?
Now I have one problem left, with the VPN link between the ASA 5505 and a PIX 501 - I can't establish the link.
This is the only site where I have no server (DC), just tablet PCs. Do you think that after swapping my 506 with the ASA 5505 on that site there is no traffic on the 501 side to renegotiate and establish a tunnel with my new 5505?
Could you please advise any debug commands I can use in this case.
Many thanks for your help!!!!
01-14-2009 01:16 PM
I would first do what was suggested in the first reply, but I would increase the sequence to 100:
crypto map outside_map 100 ipsec-isakmp dynamic dynmap
Regarding debug, you can use: debug crypto isakmp 127
01-14-2009 01:23 PM
Also, what is the ACL that allows the network inside the 5505 to access the network behind the PIX?
01-14-2009 02:16 PM
Could you explain why ["crypto map outside_map 100 ipsec-isakmp dynamic dynmap"] makes the difference? What is the impact?
Regarding the access list:
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
Thanks!
01-14-2009 06:08 PM
When using client VPN in conjunction with L2L, you want your client VPN crypto map entry to have the highest sequence number.
Could you please post the output of the debug?
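The two replies above (delete the dynamic entry at sequence 10 and recreate it at the highest sequence number) rest on one rule: the ASA tries crypto map entries in ascending sequence order, a static L2L entry accepts only its configured peer, and a dynamic entry has no peer address and so accepts any peer. If the dynamic entry sorts before the static ones, a negotiation from a configured L2L peer can be bound to the dynamic entry and the static entry's settings are never applied to it. The model below is an added example, not code from the thread or from Cisco; the map name, sequence numbers and labels are constructed, and 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for the thread's masked 217.xx.xx.xx peers.

```python
"""Model of how an ASA binds an incoming IKE negotiation to a crypto map entry.

Added example, not from the thread. It models one rule only: entries are tried
in ascending sequence number, a static entry matches just its configured peer,
and a dynamic entry (no peer) matches any peer. All names and addresses are
constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int
    name: str                   # label for the result (or the dynamic map's name)
    peer: Optional[str] = None  # None models "ipsec-isakmp dynamic <name>"

    @property
    def is_dynamic(self) -> bool:
        return self.peer is None


def select_entry(entries: List[CryptoMapEntry], peer_ip: str) -> Optional[CryptoMapEntry]:
    """Return the first entry, lowest sequence number first, that accepts peer_ip."""
    for e in sorted(entries, key=lambda e: e.seq):
        if e.is_dynamic or e.peer == peer_ip:
            return e
    return None


def misplaced_dynamic(entries: List[CryptoMapEntry]) -> List[CryptoMapEntry]:
    """Static entries shadowed by a dynamic entry with a lower sequence number."""
    dyn_seqs = [e.seq for e in entries if e.is_dynamic]
    if not dyn_seqs:
        return []
    first_dyn = min(dyn_seqs)
    return [e for e in entries if not e.is_dynamic and e.seq > first_dyn]


def dynamic_last(entries: List[CryptoMapEntry], seq: int = 65535) -> List[CryptoMapEntry]:
    """Renumber every dynamic entry above all static ones (the fix the thread applies)."""
    fixed = [e for e in entries if not e.is_dynamic]
    for i, d in enumerate(e for e in entries if e.is_dynamic):
        fixed.append(replace(d, seq=seq - i))
    return fixed


def cli_lines(map_name: str, entries: List[CryptoMapEntry]) -> List[str]:
    """Render the order as ASA 'crypto map' lines (peer lines only, to show ordering)."""
    out = []
    for e in sorted(entries, key=lambda e: e.seq):
        if e.is_dynamic:
            out.append(f"crypto map {map_name} {e.seq} ipsec-isakmp dynamic {e.name}")
        else:
            out.append(f"crypto map {map_name} {e.seq} set peer {e.peer}")
    return out


# Constructed map mirroring the thread: dynmap at seq 10 sits above the static L2L entries.
OUTSIDE_MAP_AS_POSTED = [
    CryptoMapEntry(10, "dynmap"),
    CryptoMapEntry(20, "site-b", peer="203.0.113.5"),
    CryptoMapEntry(80, "site-pix501", peer="198.51.100.7"),
]

if __name__ == "__main__":
    pix = "198.51.100.7"
    print("as posted :", select_entry(OUTSIDE_MAP_AS_POSTED, pix).name)
    fixed = dynamic_last(OUTSIDE_MAP_AS_POSTED)
    print("dyn last  :", select_entry(fixed, pix).name)
    print("\n".join(cli_lines("outside_map", fixed)))
```

With the posted order, a negotiation from the PIX 501 peer lands on dynmap; after renumbering, it lands on its own static entry while an unknown address (a VPN client) still falls through to dynmap, which is the intended split.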
01-16-2009 01:34 PM
It looks like my config was OK except for the many silly mistakes I've made.
Every VPN link is up + the Cisco client is OK :-)))
But it took 2 hours to re-establish the VPN link between the 5505 and the PIX 501 in one of my locations.
Any idea why? [The debug was taken during the problems with establishing that VPN link.] Can anyone explain that debug output?
THANKS!
pb# debug crypto isakmp 127
pb# Jan 16 11:15:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 16 11:15:20 [IKEv1]: IP = 217.xx.xx.xx, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 16 11:15:22 [IKEv1]: IP = 217.xx.xx.xx, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
Jan 16 11:15:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 16 11:15:25 [IKEv1]: IP = 217.xx.xx.xx, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 16 11:15:30 [IKEv1]: IP = 217.xx.xx.xx, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
Jan 16 11:15:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 16 11:15:31 [IKEv1]: IP = 217.xx.xx.xx, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 16 11:15:36 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 16 11:15:36 [IKEv1]: IP = 217.xx.xx.xx, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 16 11:15:38 [IKEv1]: IP = 217.xx.xx.xx, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
Jan 16 11:15:42 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 16 11:15:42 [IKEv1]: IP = 217.xx.xx.xx, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 16 11:15:46 [IKEv1 DEBUG]: IP = 217.xx.xx.xx, IKE MM Initiator FSM error history (struct &0xd5a9a128)
_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jan 16 11:15:46 [IKEv1 DEBUG]: IP = 217.xx.xx.xx, IKE SA MM:3a113728 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Jan 16 11:15:46 [IKEv1 DEBUG]: IP = 217.xx.xx.xx, sending delete/delete with reason message
Jan 16 11:15:46 [IKEv1]: IP = 217.xx.xx.xx, Removing peer from peer table failed, no match!
Jan 16 11:15:46 [IKEv1]: IP = 217.xx.xx.xx, Error: Unable to remove PeerTblEntry
Jan 16 11:15:47 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 16 11:15:47 [IKEv1]: IP = 217.xx.xx.xx, IKE Initiator: New Phase 1, Intf inside, IKE Peer 217.xx.xxx.xx local Proxy Address 192.168.1.0, remote Proxy Address 192.168.9.0, Crypto map (outside_map)
Jan 16 11:15:47 [IKEv1 DEBUG]: IP = 217.xx.xx.xx, constructing ISAKMP SA payload
Jan 16 11:15:47 [IKEv1 DEBUG]: IP = 217.xx.xx.xx, constructing NAT-Traversal VID ver 02 payload
Jan 16 11:15:47 [IKEv1 DEBUG]: IP = 217.xx.xx.xx, constructing NAT-Traversal VID ver 03 payload
Jan 16 11:15:47 [IKEv1 DEBUG]: IP = 217.xx.xx.xx, constructing Fragmentation VID + extended capabilities payload
01-16-2009 02:29 PM
You might have a mismatched pre-shared key, since the phase is not completing.
01-16-2009 02:32 PM
It states Main Mode waiting for message 2. IKE consists of 6 messages when using Main Mode; waiting for message 2 means that the remote peer is failing to send and validate your ISAKMP policies. Maybe the remote end still has your tunnel as active?
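Reading this kind of capture by hand is error-prone, so here is an added example (not code from the thread or from Cisco) that summarises a `debug crypto isakmp 127` excerpt of the sort posted above. It counts the retransmissions of Phase 1 messages (msgid=0), the KEY-ACQUIRE messages queued behind the missing Phase 1 SA, pulls the stuck state out of the "FSM error history" line, and notes whether the SA was torn down and a new Phase 1 started. The sample log is reconstructed from the thread's output with the peer rewritten to the documentation address 203.0.113.5 and the wrapped lines re-joined; the struct address and msgid values are copied as they appeared.

```python
"""Summarise an ASA 'debug crypto isakmp 127' capture of a failing IKEv1 Main Mode.

Added example, not from the thread. SAMPLE_DEBUG is a constructed excerpt
modelled on the thread's output (peer rewritten to 203.0.113.5).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the thread's capture.
SAMPLE_DEBUG = """\
Jan 16 11:15:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 16 11:15:20 [IKEv1]: IP = 203.0.113.5, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 16 11:15:22 [IKEv1]: IP = 203.0.113.5, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
Jan 16 11:15:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 16 11:15:25 [IKEv1]: IP = 203.0.113.5, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 16 11:15:30 [IKEv1]: IP = 203.0.113.5, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
Jan 16 11:15:38 [IKEv1]: IP = 203.0.113.5, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
Jan 16 11:15:46 [IKEv1 DEBUG]: IP = 203.0.113.5, IKE MM Initiator FSM error history (struct &0xd5a9a128) _MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jan 16 11:15:46 [IKEv1 DEBUG]: IP = 203.0.113.5, IKE SA MM:3a113728 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Jan 16 11:15:46 [IKEv1]: IP = 203.0.113.5, Removing peer from peer table failed, no match!
Jan 16 11:15:47 [IKEv1]: IP = 203.0.113.5, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.5 local Proxy Address 192.168.1.0, remote Proxy Address 192.168.9.0, Crypto map (outside_map)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \[IKEv1(?: DEBUG)?\]: "
    r"(?:IP = (?P<ip>[^,]+), )?(?P<msg>.*)$"
)
# The FSM history is a list of "STATE, EVENT" records separated by "-->".
FSM_PAIR_RE = re.compile(r"([A-Z_0-9]+), (EV_[A-Z_0-9]+|NullEvent)")
PROXY_RE = re.compile(r"local Proxy Address ([\d.]+), remote Proxy Address ([\d.]+)")

# Main Mode is six messages: 1-2 SA proposal, 3-4 DH value + nonce, 5-6 identity + auth.
# These are the initiator-side wait states and what each one is waiting for.
MM_WAIT_MEANING = {
    "MM_WAIT_MSG2": "message 2, the peer's reply to our ISAKMP SA proposal (no answer at all)",
    "MM_WAIT_MSG4": "message 4, the peer's Diffie-Hellman public value and nonce",
    "MM_WAIT_MSG6": "message 6, the peer's encrypted identity and hash (authentication)",
}


@dataclass
class Phase1Report:
    peer: Optional[str] = None
    resends: int = 0           # retransmissions of Phase 1 messages (msgid=0)
    queued_acquires: int = 0   # traffic triggers parked until a P1 SA exists
    stalled_in: Optional[str] = None
    sa_terminated: bool = False
    restarted: bool = False
    local_proxy: Optional[str] = None
    remote_proxy: Optional[str] = None

    def verdict(self) -> str:
        if self.stalled_in is None:
            return "no Main Mode failure recorded in this excerpt"
        waiting = MM_WAIT_MEANING.get(self.stalled_in, self.stalled_in)
        return (f"Phase 1 to {self.peer} gave up in {self.stalled_in} after "
                f"{self.resends} retransmissions, waiting for {waiting}")


def analyse(debug_text: str) -> Phase1Report:
    """Walk the capture line by line and fill in a Phase1Report."""
    rep = Phase1Report()
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompt echo or anything that is not a debug line
        ip, msg = m.group("ip"), m.group("msg")
        if ip:
            rep.peer = ip
        if "Queuing KEY-ACQUIRE" in msg:
            rep.queued_acquires += 1
        elif "RESENDING Message (msgid=0)" in msg:
            rep.resends += 1
        elif "FSM error history" in msg:
            # the record whose event is a timeout/retry names the state we were stuck in
            for state, event in FSM_PAIR_RE.findall(msg):
                if event in ("EV_TIMEOUT", "EV_RETRY"):
                    rep.stalled_in = state
        elif "terminating:" in msg:
            rep.sa_terminated = True
        elif "New Phase 1" in msg:
            rep.restarted = True
            pm = PROXY_RE.search(msg)
            if pm:
                rep.local_proxy, rep.remote_proxy = pm.groups()
    return rep


if __name__ == "__main__":
    print(analyse(SAMPLE_DEBUG).verdict())
```

On the thread's capture this reports a stall in MM_WAIT_MSG2: the first Main Mode message was retransmitted and nothing came back, so the ASA tore the SA down and immediately started a new Phase 1 for the same 192.168.1.0 to 192.168.9.0 proxy pair. A stall at message 2 means the peer is not answering the proposal at all; a wrong pre-shared key cannot be detected until messages 5 and 6, so it shows up later in the exchange, not here.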