PIX to PIX VPN

We have a Pix to Pix VPN using DES and all works great. Every so often one end of the VPN is rebooted or the VPN goes down. It does not auto re-establish and I have to clear the crypto sa's on each end to have it re-establish.

How do I have it do this itself in the event of a link loss?

G

To be more specific, both PIX's have a connection established but traffic will not pass either way. A reset of the sa's sorts it out.

Gary


:> How do I have it do this itself in the event of a link loss.

:To be more specific, both PIX's have a connection established but traffic
:will not pass either way. A reset of the sa's sorts it out.

*Eventually* the two ends sort each other out, but it can be a long wait.

In my experience, the problem happens only when one of the ends changes IP address. In theory, setting the "identification" to hostname on both ends should eliminate the problem, but sometimes it happens anyhow.

When one end attempts to re-establish communications after a link loss, it is supposed to send a token that means "clear all SA's with this identification". If the identification is based upon IP address and the IP address changed, then there are no SA's for the new address registered at the other machine so no SA's get cleared. That's why using hostname as the ID should work [or so I've reasoned.]

Walter Roberson
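
A small model of the reasoning in the post above, as an added example that is not part of the original thread and is not PIX code: a responder stores SAs under the peer's identity and, on receiving the "clear all SA's with this identification" token, deletes only the SAs stored under the identity presented. The class, function names, addresses and hostname are constructed for illustration.

```python
"""Toy model (assumption, not PIX internals) of identity-keyed SA cleanup."""
from dataclasses import dataclass, field


@dataclass
class Responder:
    id_mode: str                               # "address" or "hostname"
    sas: list = field(default_factory=list)    # entries: (peer_identity, spi)
    next_spi: int = 0x1000

    def identity_of(self, peer_ip, peer_hostname):
        # The identity under which this end files the peer's SAs.
        return peer_ip if self.id_mode == "address" else peer_hostname

    def negotiate(self, peer_ip, peer_hostname, initial_contact=False):
        """Create a new SA; return how many old SAs the token cleared."""
        ident = self.identity_of(peer_ip, peer_hostname)
        cleared = 0
        if initial_contact:
            # Peer says it has no state: drop every SA filed under the
            # identity it presents now. SAs filed under any other identity
            # (for example its previous IP address) are left in place.
            before = len(self.sas)
            self.sas = [sa for sa in self.sas if sa[0] != ident]
            cleared = before - len(self.sas)
        self.sas.append((ident, self.next_spi))
        self.next_spi += 1
        return cleared


def simulate(id_mode, old_ip, new_ip, hostname="pix-b.example.net"):
    """Peer brings the tunnel up, reboots, then reconnects from new_ip.

    Returns (sas_cleared_by_token, stale_sas_left_on_responder).
    """
    responder = Responder(id_mode)
    responder.negotiate(old_ip, hostname)                    # first tunnel
    cleared = responder.negotiate(new_ip, hostname, initial_contact=True)
    stale = len(responder.sas) - 1                           # all but newest
    return cleared, stale


if __name__ == "__main__":
    # Constructed documentation addresses (RFC 5737).
    for mode in ("address", "hostname"):
        for new_ip in ("192.0.2.10", "192.0.2.77"):
            result = simulate(mode, "192.0.2.10", new_ip)
            print(f"id={mode:8} new_ip={new_ip:11} cleared,stale={result}")
```

In this model the only combination that leaves a stale SA behind is address-based identity with a changed IP address, which is the case the post describes.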
