[c-nsp] Issues with VPNs after moving from PIX to ASA ...

Garry gkg at gmx.de
Tue Oct 16 04:41:50 EDT 2007


we have just moved a customer from his old PIX 515 to a new 5510 CSC20 
... so far, everything looks good, except for the customer site VPNs. 
Though all I have been able to test works out fine, the customer is 
experiencing problems with the VPN connections at application level ... 
sites that have worked for ~5 years now have trouble transfering data 
via FTP. Any manual FTP I tried using the regular VPN client (tried a 
rather current 4.8 as well as the oldest I could find, which was a 4.0) 
seemed to work fine, though. FTP connections from other customer sites 
that are already in the MPLS network (and therefore don't use VPN 
anymore) work fine, too, so I tend to rule out a general problem at the 
server side.

As a quick-hack temporary solution I also tried to re-activate the old 
PIX (which is now only connected on the inside interface), but couldn't 
get any connections past the ISAKMP phase ... NAT-T is activated on the 
pix ... client is stuck at "negotiating security policies" ... need to 
look what I missed when I moved everything over to the inside interface ...

Any idea as to incompatibilities between PIX and ASA regarding VPN 

Tnx, -gg

More information about the cisco-nsp mailing list