In article , John wrote:
:Is there a way to query a PIX to see if it has established a tunnel to
:another PIX (without simply sending ICMP's or something over the
:connection)?
Cisco PIX specific issues often get the best response in comp.dcom.sys.cisco.
:I'm working to setup a PIX-PIX vpn, but due to some routing
:issues, I won't be able to test for a week or so to verify that the
:tunnel has been established.
Up through PIX 6.x, there is no SNMP OID to query the PIX routing tables or to query the PIX VPN tables or even to query the PIX active VPN count. That changed in PIX 7.0(1), which is too new to really trust for production sites.
If you have access to the PIX, via serial console, telnet, or ssh, then show ipsec sa will show you the active Security Associations. But PIX tunnels are normally initiated "on demand" so you would need -some- traffic in order to kick the tunnel. That might be a bit tricky if you can't attach -something- on the right IP range to one of the PIXes.
If you want to test out whether the transforms match up and so on, then what you can do is include in the crypto map match-address ACL the -public- addresses of the peers. Traffic sourced from the PIX itself will be included in the tunnel if you name the outside IPs -- a useful trick if you want the syslogs to go securely. Anyhow, once those are in there, you could ping from the one PIX to the other PIX and watch to see if the tunnel gets negotiated properly.
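As an added illustration of the trick described above (this fragment is not from the original post; the addresses are constructed RFC 5737 documentation ranges and the names vpn_acl, outside_map and strong are placeholders), a PIX 6.x-style crypto map whose match-address ACL carries both the private subnets and the two outside addresses, so a ping sourced from the PIX itself is enough to kick off the negotiation:

```text
! PIX-A: outside 203.0.113.1, inside 10.1.0.0/16
! PIX-B: outside 198.51.100.1, inside 10.2.0.0/16 (mirror image of this ACL)

! Normal site-to-site traffic selector: inside-to-inside
access-list vpn_acl permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
! The trick: add the peers' -public- addresses, so traffic the PIX itself
! sources toward the other outside IP (ping, syslog) is also tunneled
access-list vpn_acl permit ip host 203.0.113.1 host 198.51.100.1

! Keep the inside-to-inside traffic out of NAT so the selector matches
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list nonat

! Phase 2 transform the test will exercise
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_acl
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set strong
crypto map outside_map interface outside
sysopt connection permit-ipsec

! Phase 1
isakmp enable outside
isakmp key <PRESHARED-KEY-PLACEHOLDER> address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Test from the console once both sides carry the mirrored ACL:
!   ping outside 198.51.100.1
!   show crypto isakmp sa        (phase 1 should reach QM_IDLE)
!   show crypto ipsec sa         (phase 2 SA for 203.0.113.1 <-> 198.51.100.1,
!                                 with non-zero encaps/decaps counters)
```

If the ping fails while the ISAKMP SA never leaves MM_NO_STATE, the phase 1 policies or pre-shared keys disagree; a completed phase 1 with no IPsec SA points at mismatched transform sets or non-mirrored ACLs.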