Problem with VPN pix 501 <-> pix 515

harald.pedersen
Level 1

We have a vpn tunnel between a pix 501 ver 6.3 and a pix 515 ver 6.3 that works well.

I am now trying to move the tunnel from the pix 515 to another pix 515 ver 7.0, but with no luck.

I get the following messages in the log:

713993: ip=x.x.x.x, header invalid, missing SA payload! (next payload = 4)

713993: Group = x.x.x.x, IP = x.x.x.x, Can't find a valid tunnel group, aborting

713902: Group = x.x.x.x, IP = x.x.x.x, Removing peer from peer table failed, no match!

713903: Group = x.x.x.x, IP = x.x.x.x, Error: Unable to remove PeerTblEntry

Any idea on what I did wrong?

Harald


scheikhnajib
Level 1

Hi Harald,

On PIX OS 7.0 Cisco has introduced the Tunnel-Group concept. You won't use an "isakmp" command to configure your peer and pre-shared key, but you will use the following commands:

(config)#tunnel-group x.x.x.x type ipsec-l2l (x.x.x.x is your peer address and l2l refers to LAN-to-LAN)

(config)#tunnel-group x.x.x.x ipsec-attributes

(config-ipsec)#pre-shared-key xxxxxxxx

The rest of the commands (i.e. ISAKMP, Crypto map, Crypto Transform Sets and Crypto ACLs) remain the same.

Hope this helps.

Salem.