VPN client can't connect after I remove then re-insert dynamic-map

Hi folks,

I was testing out some VPN client stuff and I removed the command...

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

Once this was removed the line...

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

was also removed automatically.

I then tried to connect up my client, it failed.

So I re-inserted the 2 lines above expecting it all to be fine, but when the client now tries to connect I get the following error...

Dec 22 17:08:59 [IKEv1]: Group = groupname, IP = 1.1.1.1, Removing peer from peer table failed, no match!
Dec 22 17:08:59 [IKEv1]: Group = groupname, IP = 1.1.1.1, Error: Unable to remove PeerTblEntry

A peer is set but it's for a site-to-site VPN.

It seems as if the PIX knows that it doesn't match the peer, but then instead of using the dynamic-map it just fails.

Do I need to reset something? I've tried reloading the pix to no avail.

cheers Dave


Sorry, should've said...

it's a PIX 515 with Version 7 software, the VPN client is version 4.7.


OK, in case it's needed here's my config...

External IP is 1.1.1.1
Gateway for pix is 1.1.1.2

2 internal networks, 192.168.10.0 and 192.168.0.0
Endpoint for site-to-site VPN is 2.2.2.2

PIX Version 7.0(4)
!
names
name 10.1.0.0 GPRSNode1Network
name 10.2.0.0 GPRSNode2Network
name 192.168.10.0 DMZ
name 192.168.0.0 Private
name 2.2.2.2 VODAUK_VPNEndPoint
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.10.101 255.255.255.0
!
boot system flash:/image.bin
ftp mode passive
access-list inside_outbound_nat0_acl extended permit ip Private 255.255.255.0 GPRSNode1Network 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip Private 255.255.255.0 GPRSNode2Network 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip DMZ 255.255.255.0 GPRSNode1Network 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip DMZ 255.255.255.0 GPRSNode2Network 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip DMZ 255.255.255.0 10.10.0.0 255.255.255.248
access-list outside_cryptomap_20 extended permit ip Private 255.255.255.0 GPRSNode1Network 255.255.0.0
access-list outside_cryptomap_20 extended permit ip Private 255.255.255.0 GPRSNode2Network 255.255.0.0
access-list outside_cryptomap_20 extended permit ip DMZ 255.255.255.0 GPRSNode1Network 255.255.0.0
access-list outside_cryptomap_20 extended permit ip DMZ 255.255.255.0 GPRSNode2Network 255.255.0.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip GPRSNode1Network 255.255.0.0 Private 255.255.255.0
access-list outside_access_in extended permit ip GPRSNode2Network 255.255.0.0 Private 255.255.255.0
access-list outside_access_in extended permit ip GPRSNode1Network 255.255.0.0 DMZ 255.255.255.0
access-list outside_access_in extended permit ip GPRSNode2Network 255.255.0.0 DMZ 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool manningspool 10.10.0.1 mask 255.255.255.248
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image flash:/pdm
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
route inside Private 255.255.255.0 192.168.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy ManningsGP internal
http server enable
http Private 255.255.255.0 inside
http DMZ 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer VODAUK_VPNEndPoint
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) none
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
tunnel-group ManningsRAG type ipsec-ra
tunnel-group ManningsRAG general-attributes
 address-pool manningspool
 authentication-server-group none
 default-group-policy ManningsGP
tunnel-group ManningsRAG ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:306674cce20b253b43238339d1905e4b
: end
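As an added example (not from the thread, Dave, or Cisco), here is a small Python checker for the VPN-client crypto chain in a PIX 7.x running config: it verifies that the dynamic crypto map entry points at a defined dynamic-map with a defined transform-set, that the dynamic entry carries the highest sequence number so the static site-to-site entry is tried first, and that the map is applied to an interface on which isakmp is enabled. SAMPLE_CONFIG is a constructed sample trimmed from the crypto section of the config above; the function and its messages are this example's own.

```python
"""Sanity-check the VPN-client (dynamic-map) crypto chain in a PIX 7.x config.
Added example, not from the thread: it reads 'show running-config' text and
reports why a dynamic crypto map entry might not be usable by VPN clients."""
import re

# Constructed sample: the crypto section of the thread's config, intact.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer VODAUK_VPNEndPoint
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
"""

def grep(lines, pattern):
    """Regex matches for every config line that starts with pattern."""
    return [m for m in (re.match(pattern, l) for l in lines) if m]

def check_dynamic_map_chain(config):
    """Return a list of problems; an empty list means the chain is intact."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    ts_defined = {m[1] for m in grep(lines, r"crypto ipsec transform-set (\S+)")}
    dyn_ts = {m[1]: m[2] for m in grep(lines, r"crypto dynamic-map (\S+) \d+ set transform-set (\S+)")}
    bound = {m[1]: m[2] for m in grep(lines, r"crypto map (\S+) interface (\S+)")}
    isakmp_on = {m[1] for m in grep(lines, r"isakmp enable (\S+)")}
    static_seqs = {}  # map name -> sequence numbers of static (site-to-site) entries
    for m in grep(lines, r"crypto map (\S+) (\d+) (?:match address|set peer) "):
        static_seqs.setdefault(m[1], set()).add(int(m[2]))
    dyn_entries = grep(lines, r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)")
    problems = []
    if not dyn_entries:
        problems.append("no crypto map entry references a dynamic-map; VPN clients have nothing to match")
    for m in dyn_entries:
        cmap, seq, dyn = m[1], int(m[2]), m[3]
        if dyn not in dyn_ts:
            problems.append(f"{cmap} {seq}: dynamic-map {dyn} is undefined or has no transform-set")
        elif dyn_ts[dyn] not in ts_defined:
            problems.append(f"{cmap} {seq}: transform-set {dyn_ts[dyn]} is not defined")
        # Static entries are evaluated first; the dynamic entry should carry the highest sequence.
        if any(s > seq for s in static_seqs.get(cmap, ())):
            problems.append(f"{cmap} {seq}: a static entry has a higher sequence than the dynamic one")
        if cmap not in bound:
            problems.append(f"{cmap}: not applied to any interface")
        elif bound[cmap] not in isakmp_on:
            problems.append(f"{cmap}: isakmp is not enabled on {bound[cmap]}")
    return problems
```

Running it over the two states from the thread (dynamic-map line removed, and both lines removed) reports a different problem for each, which is a quicker check than reloading the box.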
