[c-nsp] R: Upgrade pix from 6.3(5) to 7.2(1) , L2L vpn with ca doesn't work
Voll, Scott
Scott.Voll at wesd.org
Fri Mar 9 10:50:00 EST 2007
Did you upgrade to 7.0 before upgrading to 7.2?
I remember when we first tried going from 6.3 to 7.1, everything got messed up. We had to downgrade back to 6.3. I didn't read the note that you have to upgrade to 7.0 before upgrading to any other version of 7.x.
Scott
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Zacchello Marco
Sent: Friday, March 09, 2007 7:02 AM
To: jason at lixfeld.ca; cisco-nsp at puck.nether.net
Subject: [c-nsp] R: Upgrade pix from 6.3(5) to 7.2(1) ,L2L vpn with ca doesn't work
Hi
I've checked it but it's ok:
Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has an Unrestricted (UR) license.
Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
And the license key was unchanged
thanks
-----Original Message-----
From: Jason Lixfeld [mailto:jason at lixfeld.ca]
Sent: Friday, 9 March 2007 15.45
To: Zacchello Marco; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Upgrade pix from 6.3(5) to 7.2(1) ,L2L vpn with ca doesn't work
Not sure if it applies here, but check the licensed features after the upgrade. I've been bitten by 3des stuff after upgrading pixes due to license keys not being adapted properly.
-----Original Message-----
From: "Zacchello Marco" <Marco.Zacchello at netengineering.it>
Date: Fri, 9 Mar 2007 14:42:23
To:<cisco-nsp at puck.nether.net>
Subject: [c-nsp] Upgrade pix from 6.3(5) to 7.2(1) , L2L vpn with ca doesn't work
Hi all
We have upgraded our pix515E from 6.3(5) to 7.2(1).
We have a L2L vpn using certificates, which works well with the old ver, but with the new ver it doesn't work.
The vpn is from our pix515E to a cisco 7206VXR (NPE300) Version 12.2(10).
The 'automatic' config translation between 6.3 and 7.2 doesn't work well, so I reconfigured it manually.
I get the certificate from the CA and the vpn starts, but after some time it stops and restarts, causing problems for the remote users.
These are the logs about the issue:
%PIX-3-713902: Group = A.B.C.D, IP = A.B.C.D, QM FSM error (P2 struct &0x2ee3c20, mess id 0x2f953877)!
%PIX-3-713902: Group = A.B.C.D, IP = A.B.C.D, Removing peer from correlator table failed, no match!
%PIX-3-713134: Group = A.B.C.D, IP = A.B.C.D, Mismatch: P1 Authentication algorithm in the crypto map entry different from negotiated algorithm for the L2L connection
We have checked the configuration and certificates with the CA administrator and with the administrator of the c7200, and everything looks ok.
I have only a doubt about some differences in the certificates before and after the upgrade:
unstructuredName=Pix3.test.it/CN=Pix3.test.it (pix635.bin)
unstructuredName=Pix3.test.it (pix721.bin)
Can you help me?
Any ideas or bug?
Regards
Marco
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
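An added example, not part of any poster's message: a small Python triage helper that structures the three PIX syslog lines quoted in the thread and makes the before/after certificate subject difference explicit. The function names are hypothetical, the inputs are copied from the thread, and the slash-separated subject format is assumed to be as printed there; the diff shows what changed, not whether it is the cause.

```python
import re
from collections import Counter

# Sample input: the syslog lines exactly as quoted in the thread (peer anonymised there).
LOGS = """\
%PIX-3-713902: Group = A.B.C.D, IP = A.B.C.D, QM FSM error (P2 struct &0x2ee3c20, mess id 0x2f953877)!
%PIX-3-713902: Group = A.B.C.D, IP = A.B.C.D, Removing peer from correlator table failed, no match!
%PIX-3-713134: Group = A.B.C.D, IP = A.B.C.D, Mismatch: P1 Authentication algorithm in the crypto map entry different from negotiated algorithm for the L2L connection
"""

LINE_RE = re.compile(
    r"%PIX-(?P<sev>\d)-(?P<msg_id>\d{6}): "
    r"Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+), (?P<text>.*)"
)

def parse_pix_lines(text):
    """Return one dict per recognised PIX VPN syslog line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            event = m.groupdict()
            event["sev"] = int(event["sev"])
            events.append(event)
    return events

def count_by_peer_and_id(events):
    """Count events per (peer IP, message id) to see which errors recur per tunnel."""
    return Counter((e["ip"], e["msg_id"]) for e in events)

def parse_subject(subject):
    """Split a slash-separated subject string into {attribute: value}."""
    attrs = {}
    for part in filter(None, subject.split("/")):
        key, _, value = part.partition("=")
        attrs[key.strip()] = value.strip()
    return attrs

def subject_diff(before, after):
    """Report attributes removed, added, or changed between two subject strings."""
    b, a = parse_subject(before), parse_subject(after)
    return {
        "removed": sorted(b.keys() - a.keys()),
        "added": sorted(a.keys() - b.keys()),
        "changed": sorted(k for k in b.keys() & a.keys() if b[k] != a[k]),
    }

if __name__ == "__main__":
    print(count_by_peer_and_id(parse_pix_lines(LOGS)))
    print(subject_diff("unstructuredName=Pix3.test.it/CN=Pix3.test.it",
                       "unstructuredName=Pix3.test.it"))
```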