PIX 501 VPN tunnels no automatic reestablishing after power failure

Hi,

I have a setup where several site-to-site tunnels are not reestablished after a reboot or power failure of our PIX 501. The only solution is to power cycle/flush VPN tunnels on the remote ends. I would expect the PIX to notify the remote ends whenever tunnels are no longer valid so that new tunnels can be negotiated. What is the expected behavior, and is there a possible workaround?

yours Truly Søren Gellert


Are you using crypto dynamic map or static crypto maps?

Do the 501s have fixed IP addresses? If not, do they tend to get a new IP address when the 501s are rebooted/power-failed?

Which are you using: isakmp identity hostname or isakmp identity address?

Walter Roberson

On Thu, 01 Jun 2006 16:54:05 +0000, Walter Roberson wrote:

I am no PIX expert. I am hoping the following output may clear it up:

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer ScanC-pix
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 72000 kilobytes 4608000
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address IPSEC_30
crypto map outside_map 30 set peer AirG-pix
crypto map outside_map 30 set transform-set ESP-DES-SHA
crypto map outside_map 50 ipsec-isakmp
crypto map outside_map 50 match address outside_cryptomap_50
crypto map outside_map 50 set peer paas_is_gw
crypto map outside_map 50 set transform-set ESP-3DES-MD5
crypto map outside_map 70 ipsec-isakmp
crypto map outside_map 70 match address outside_cryptomap_70
crypto map outside_map 70 set peer paas_is_gw
crypto map outside_map 70 set transform-set ESP-3DES-MD5
crypto map outside_map 90 ipsec-isakmp
crypto map outside_map 90 match address outside_cryptomap_90
crypto map outside_map 90 set peer paas_se_gw
crypto map outside_map 90 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

I have fixed IP addresses all around.

Identity address.

/yours truly Søren Gellert
