clear crypto map in pix

Hello, I have several crypto maps with the same name, but they have 1 2 3 ...

I removed one of my crypto maps on one router and the PIX to try to create a hub and spoke config. But I haven't had any luck removing the crypto map from the PIX without reloading the PIX with

clear crypto sa peer xxx.xxx.xxx.xxx

Can anyone recommend a way to clear this from the PIX? When I do show crypto isakmp sa, I get the old tunnel as idle. I have IOS 6.3.

Thanks.

Reply to
jcharth

In article , wrote:

:Hello, I have several crypto maps with the same name, but they have 1 2 3

I take it you refer to policy elements within the crypto map. Cisco would say that all of those were the same crypto map.

: I removed one of my crypto maps on one router and the PIX to try to
:create a hub and spoke config. But I haven't had any luck removing the
:crypto map from the PIX without reloading the PIX with

:clear crypto sa peer xxx.xxx.xxx.xxx

You cannot do it in PIX 6.x without doing the above or other commands that cause the above to be implicitly executed.

:Can anyone recommend a way to clear this from the PIX? When I do
:show crypto isakmp sa, I get the old tunnel as idle. I have IOS 6.3.

If you do not clear the SAs after making a crypto map change (including a change to the ACL you used in the element definition), then the behaviour is inconsistent. Cisco documents that you must clear the SAs. Sometimes things will start working without a clear, but more often the PIX gets pretty mixed up.

If you want to minimize disruption when you are working with crypto maps, the recommended procedure is to create a new map with a new name (and with new ACLs referenced if you are making an ACL change), and apply the new map to the appropriate interface. This will result implicitly in the previous SAs being torn down, but at least you do not run into problems with incomplete maps or odd SA behaviour. Once the new map is active, you can remove the old one.

If you are trying to edit a crypto map ACL over the VPN created by virtue of that ACL, then there is no manual way to do it without losing your connection temporarily. This includes using "config net" to bring in the new config: you *will* need to break the active tunnel you are using in order to update it, and unless the systems are quite close together, chances are that the tftp will time out before the tunnel comes up. Using the new map procedure -minimizes- the break, but does not eliminate it.

If you need to edit a crypto map ACL over the VPN created by virtue of that ACL, then the only "safe" ways are to use Cisco Works, SolSoft, or -possibly- PDM. All three of those hook in through "back doors", not talking directly to the CLI. I don't know what that back-door API can or cannot do, so I wouldn't want to trust any of these three without testing.

Reply to
Walter Roberson
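The "new map with a new name" procedure from the reply above, written out as PIX 6.x configuration. This is an added illustration, not configuration from the thread or from Cisco documentation; the map names (HUBMAP_V1, HUBMAP_V2), ACL names (VPN_SPOKE1_V1/V2, VPN_SPOKE2_V1/V2), transform-set name (STRONG), the 10.x networks and the 203.0.113.x peer addresses are all constructed placeholders.

```cisco
! Added example: replacing a live crypto map on PIX 6.x without editing it in place.
! All names and addresses below are constructed placeholders, not values from the thread.
!
! Starting point (assumed): one map named HUBMAP_V1 bound to "outside" with two
! entries, sequence 10 (peer 203.0.113.10, ACL VPN_SPOKE1_V1) and sequence 20
! (peer 203.0.113.20, ACL VPN_SPOKE2_V1). The PIX treats 10 and 20 as one map;
! the numbers only order the entries.
!
! Step 1: create NEW access lists. Do not edit the ACLs the live map references,
! because a change to a referenced ACL requires the SAs to be cleared.
access-list VPN_SPOKE1_V2 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0
access-list VPN_SPOKE2_V2 permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0
!
! Step 2: build the replacement map under a NEW name, pointing at the new ACLs.
! Nothing changes on the wire yet; HUBMAP_V1 is still the map on the interface.
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map HUBMAP_V2 10 ipsec-isakmp
crypto map HUBMAP_V2 10 match address VPN_SPOKE1_V2
crypto map HUBMAP_V2 10 set peer 203.0.113.10
crypto map HUBMAP_V2 10 set transform-set STRONG
crypto map HUBMAP_V2 20 ipsec-isakmp
crypto map HUBMAP_V2 20 match address VPN_SPOKE2_V2
crypto map HUBMAP_V2 20 set peer 203.0.113.20
crypto map HUBMAP_V2 20 set transform-set STRONG
!
! Step 3: swap the map on the interface. An interface carries one crypto map,
! so binding HUBMAP_V2 replaces HUBMAP_V1 and implicitly tears down its SAs.
! This is the short break the reply describes; issue it from a management
! path that does not itself depend on the tunnel being replaced.
crypto map HUBMAP_V2 interface outside
!
! Step 4: confirm the peers renegotiate under the new map before touching the old one.
show crypto isakmp sa
show crypto ipsec sa
!
! Step 5: only once the new SAs are up, remove the old map and the ACLs it used.
no crypto map HUBMAP_V1
no access-list VPN_SPOKE1_V1
no access-list VPN_SPOKE2_V1
!
! If a retired peer still shows as idle in "show crypto isakmp sa", clear that
! peer's SAs explicitly instead of reloading the PIX.
clear crypto isakmp sa
clear crypto sa peer 203.0.113.20
write memory
```

The point of the sequence is that every change the PIX must act on (new ACLs, new map entries) is staged under names the running map does not reference, so the only disruptive step is the single interface rebind in step 3, and any leftover idle peer entry is removed with a targeted clear rather than a reload.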

Thanks, I guess it worked after clear crypto isakmp sa and rebooting

Reply to
jcharth
