troubleshooting Question

PIX VPN Problem

Avatar of skyefusion
skyefusion asked on
13 Comments2 Solutions392 ViewsLast Modified:
I am trying to setup remote access VPN to our corporate PIX, which has 3 existing IPSEC tunnel to 3 branch locations. All the 3 tunnels are working perfectly fine, however I cant seem to get the remote access working. Attached is the sanitized PIX configuration:


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname CORPHQ
domain-name corporate.local
clock timezone CTS -6
clock summer-time CTS recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name Branch1
name Branch2
name Branch3
access-list nonat permit ip
access-list nonat permit ip
access-list nonat permit ip
access-list nonat permit ip
access-list out permit icmp any any
access-list crypto2 permit ip
access-list crypto3 permit ip
access-list crypto4 permit ip
access-list SplitVPN permit ip
pager lines 24
logging timestamp
logging console debugging
logging buffered debugging
logging trap informational
logging device-id ipaddress inside
logging host inside
mtu outside 1500
mtu inside 1500
ip address outside CORPHQ
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL
arp timeout 14400
global (outside) 1
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
access-group out in interface outside
route outside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server source inside
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set corpset esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 65535 set transform-set myset
crypto map uni 11 ipsec-isakmp
crypto map uni 11 match address crypto2
crypto map uni 11 set peer Branch2
crypto map uni 11 set transform-set corpset
crypto map uni 13 ipsec-isakmp
crypto map uni 13 match address crypto3
crypto map uni 13 set peer Branch3
crypto map uni 13 set transform-set corpset
crypto map uni 14 ipsec-isakmp
crypto map uni 14 match address crypto4
crypto map uni 14 set peer Branch1
crypto map uni 14 set transform-set corpset
crypto map uni 65535 ipsec-isakmp dynamic dynmap
crypto map uni client authentication LOCAL
crypto map uni interface outside
isakmp enable outside
isakmp key ******** address Branch1 netmask
isakmp key ******** address Branch3 netmask
isakmp key ******** address Branch2 netmask
isakmp identity address
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash sha
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400
isakmp policy 99 authentication pre-share
isakmp policy 99 encryption des
isakmp policy 99 hash md5
isakmp policy 99 group 1
isakmp policy 99 lifetime 86400
vpngroup CorporateVPN address-pool VPNPOOL
vpngroup CorporateVPN dns-server
vpngroup CorporateVPN default-domain corporate.local
vpngroup CorporateVPN split-tunnel SplitVPN
vpngroup CorporateVPN idle-time 1800
vpngroup CorporateVPN password ********
telnet inside
telnet timeout 60
ssh outside
ssh timeout 30
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username tech1 password ***** encrypted privilege 15
terminal width 80
: end


When I am trying to connect using Cisco VPN Client 4.8x, the logging says Inbound connections are not allowed. The error messages from the VPN Client are as follow:

28     19:47:57.433  04/10/08  Sev=Warning/2      IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)

29     19:47:57.433  04/10/08  Sev=Warning/3      IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

30     19:48:02.527  04/10/08  Sev=Warning/2      IKE/0xA3000062
Attempted incoming connection from Inbound connections are not allowed.

On the PIX itself, the IPSec debugging says that its trying to use IKE Policy Priority 11 to establish the SAs? Any ideas on where I might have gone wrong? I have similar configuration for the remote branches and they all seem to be working fine. Each branch only has 1 active VPN tunnel to the corporate office. Any help is greatly appreciated. Thanks.


Our community of experts have been thoroughly vetted for their expertise and industry experience.

Join our community to see this answer!
Unlock 2 Answers and 13 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 2 Answers and 13 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros