PIX 501 Lan to Lan VPN with Cisco Concentrator

[vasquea1]

Well our Cisco guy just quit on friday and one of our clients replaced his PIX 501 and can not connect to our 3015 Cisco Concentrator for a LAN to LAN VPN. He says all the setting are the same. Do I need to do anything on my end. This client says his other tunnels came back up with other clients.

 

[Narizz28]

First and foremost, make sure the Preshare keys weren't changed and not saved on their FW.

 

[vasquea1]

nothing on our end has changed. They connected to us this morning with the old pix.

 

[Narizz28]

That's what I mean. If the preshare key changed and they didn't do a write mem since the change, the key on their end would be the one from the last time it was saved, assuming they built the new PIX from the old one's config.

 

[vasquea1]

aw

http://www i

get it. Let me try that. Thanks

 

[308win]

If it is a matter of a botched key or ACL then the your concentrator event log is pretty good place to look for a quick answer.
You might have to turn on the events that you need to appear
first though, under config/events/classes Send IPSEC and IKE stuff to the log. The menu structure has changed a little with different software versions, so their example might not be exact, but the idea is the same.

http://www.cisco.com/en/US/customer...guration_example09186a00800949d2.shtml#tshoot

Logging is under monitoring. If the keys mismatch it will outright tell you. Other problem might be mismatched access list, again it will tell you. You can watch the live monitor while you ping them and see what error you get.

You can view the key in plain text on the concentrator. On the pix end once it gets entered it is unviewable. My bet is with Narizz28 in that they botched their key

 

[vasquea1]

Thanks 308win, They fixed the problem on there end. I am with you guys with the botched Key. I am awaiting the solution from their end. Well keep ya posted.

MCSE lost in cisco lan