[c-nsp] Upgrade pix from 6.3(5) to 7.2(1) , L2L vpn with ca doesn't work

Jason Lixfeld jason at lixfeld.ca
Fri Mar 9 09:44:34 EST 2007


Not sure if it applies here, but check the licensed features after the upgrade.  I've been bitten my 3des stuff after upgrading pixes due to license keys not being adapted properly.

  

-----Original Message-----
From: "Zacchello Marco" <Marco.Zacchello at netengineering.it>
Date: Fri, 9 Mar 2007 14:42:23 
To:<cisco-nsp at puck.nether.net>
Subject: [c-nsp] Upgrade pix from 6.3(5) to 7.2(1) ,
	L2L vpn with ca doesn't work

Hi all

We have upgraded our pix515E from 6.3(5) to 7.2(1).
We have a L2L vpn using certificates, who works well with old ver, but
with the new ver dowsn't work.
The vpn is from our pix515E to a cisco 7206VXR (NPE300) Version
12.2(10).
The 'automatic' config translation between 6.3 and 7.2 doesn't work
well, so I reconfigured it manually.
I get the certificate from the CA, the vpn start, but after some time
stop and restart causing problem to the remote users.

This is the logs about the issue:

%PIX-3-713902: Group = A.B.C.D, IP = A.B.C.D, QM FSM error (P2 struct
&0x2ee3c20, mess id 0x2f953877)!
%PIX-3-713902: Group = A.B.C.D, IP = A.B.C.D, Removing peer from
correlator table failed, no match!
%PIX-3-713134: Group = A.B.C.D, IP = A.B.C.D, Mismatch: P1
Authentication algorithm in the crypto map entry different from
negotiated algorithm for the L2L connection


We have checked the configuration and certificates with the CA
administrator and with the administrator of the c7200, and everything
looks ok.
I have only a doubt about the some differences on the certificates
before and after the upgrade:

unstructuredName=Pix3.test.it/CN=Pix3.test.it  (pix635.bin)
unstructuredName=Pix3.test.it  (pix721.bin)

Can you help me?
Any ideas or bug?

Regards

Marco




_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



More information about the cisco-nsp mailing list