ronayers

Getting this error after upgrading PIX 525 from 7.01 to 7.23

Any help would be MUCH appreciated. After I upgraded the PIX from v7.0(1) to 7.2(3), my Cisco Remote Access VPN Client connection no longer works.

I get this error from the client log while trying to connect:
Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

However, I believe this to be the relevant error; it comes from my PIX 525 log:

Group = myvpn, IP = xx.xxx.xxx.xx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.150.1/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside

PIX Version 7.2(3)
!
same-security-traffic permit intra-interface
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.150.0 255.255.255.0 
access-list dmz1nonat extended permit ip 172.16.20.0 255.255.255.0 192.168.150.0 255.255.255.0 
access-list outside_cryptomap_dyn_10 extended permit ip 192.168.1.0 255.255.255.0 192.168.150.0 255.255.255.0 
access-list outside_cryptomap_dyn_10 extended permit ip 172.16.20.0 255.255.255.0 192.168.150.0 255.255.255.0 
access-list outside_cryptomap_dyn_10 extended permit ip 10.10.20.0 255.255.255.0 192.168.150.0 255.255.255.0 
access-list dmz2nonat extended permit ip 10.10.20.0 255.255.255.0 192.168.150.0 255.255.255.0 
access-list splittunnel standard permit 192.168.1.0 255.255.255.0 
access-list splittunnel standard permit 10.10.20.0 255.255.255.0 
access-list splittunnel standard permit 172.16.20.0 255.255.255.0 
ip local pool vpnpool 192.168.150.1-192.168.150.51
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (intf2) 0 access-list dmz1nonat
nat (intf2) 1 0.0.0.0 0.0.0.0
nat (intf3) 0 access-list dmz2nonat
nat (intf3) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 2XX.XXX.XXX.XXX 1
crypto ipsec transform-set kawasaki esp-des esp-md5-hmac 
crypto dynamic-map dynmap 10 match address outside_cryptomap_dyn_10
crypto dynamic-map dynmap 10 set transform-set kawasaki
crypto map harley 65535 ipsec-isakmp dynamic dynmap
crypto map harley interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec 
 password-storage enable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
 default-domain value xxxxxx.local
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass enable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 5
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 5
 isakmp ikev1-user-authentication none
tunnel-group myvpn type ipsec-ra
tunnel-group myvpn general-attributes
 address-pool vpnpool
 authorization-server-group LOCAL
tunnel-group myvpn ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none


ASKER CERTIFIED SOLUTION
batry_boy

ronayers

ASKER

Awesome, I'll try this first thing Monday morning. I've left the building and have no remote access :)
Awesome, worked like a champ!
Worked like a champ, Thanks!
Great!  Glad to assist.