Velocity Reviews - Computer Hardware Reviews
clear crypto map in pix

jcharth@hotmail.com
10-26-2005
Hello, I have several crypto maps with the same name but they have 1 2 3
....

I removed one of my crypto maps on one router and the pix to try to
create a hub and spoke config. But I haven't had any luck removing the
crypto map from the pix without reloading the pix with

clear crypto sa peer xxx.xxx.xxx.xxx

Can anyone recommend a way to clear this from the pix? When I do
show crypto isakmp sa, I get the old tunnel as idle. I have ios 6.3.

Thanks.


Walter Roberson
10-26-2005
In article <(E-Mail Removed). com>,
<(E-Mail Removed)> wrote:
:Hello I have several crypto map with the same name but they have 1 2 3

I take it you refer to policy elements within the crypto map. Cisco
would say that all of those were the same crypto map.

: I removed one of my crypto maps on one router and the pix to try to
:create a hub and spoke config. But I havent had any luck removing the
:crypto map from the pix with out reloading the pix with

:clear crypto sa peer xxx.xxx.xxx.xxx

You cannot do it in PIX 6.x without doing the above or other commands
that cause the above to be implicitly executed.

:can anyone recommend me a way to clear this from the pix, when i do
:show crypto isakmp sa, get the old tunnel as idle. I have ios 6.3.

If you do not clear the SAs after making a crypto map change
(including a change to the ACL you used in the element definition), then
the behaviour is inconsistent. Cisco documents that you must clear
the SAs. Sometimes things will start working without a clear, but
more often the PIX gets pretty mixed up.

If you want to minimize disruption when you are working with crypto
maps, the recommended procedure is to create a new map with a
new name (and with new ACLs referenced if you are making an ACL change),
and apply the new map to the appropriate interface. This will result
implicitly in the previous SAs being torn down, but at least you do
not run into problems with incomplete maps or odd SA behaviour.
Once the new map is active, you can remove the old one.


If you are trying to edit a crypto map ACL over the VPN created
by virtue of that ACL, then there is no manual way to do it without
losing your connection temporarily. This includes using
"config net" to bring in the new config: you *will* need to break
the active tunnel you are using in order to update it, and unless
the systems are quite close together, chances are that the tftp will
time out before the tunnel comes up. Using the new map procedure
-minimizes- the break, but does not eliminate it.

If you need to edit a crypto map ACL over the VPN created by virtue
of that ACL, then the only "safe" ways are to use Cisco Works,
SolSoft, or -possibly- PDM. All three of those hook in through
"back doors", not talking directly to the CLI. I don't know what
that back-door API can or cannot do, so I wouldn't want to trust
any of these three without testing.
--
Okay, buzzwords only. Two syllables, tops. -- Laurie Anderson
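The "new map under a new name" procedure from the reply above, written out as an added PIX 6.3 configuration example; it is not from the original thread or from Cisco. It assumes the existing map is called OLDMAP with a single entry 10, referencing ACL VPN_OLD and transform set ESP-3DES-SHA, bound to the outside interface; the map and ACL names, the peer address and the subnets are constructed placeholders. Lines starting with ":" are comments (the form the PIX itself uses in saved configs).

```cisco
: Added example, not from the thread: swap crypto map OLDMAP for NEWMAP on a
: PIX 6.3 instead of editing the live map in place. All names, addresses
: and subnets are constructed placeholders.

: 1. New crypto ACL carrying the changed traffic selector (a second spoke
:    subnet added next to the existing one).
access-list VPN_NEW permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list VPN_NEW permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0

: 2. Build the replacement map under a new name; reuse the transform set
:    the old map already references.
crypto map NEWMAP 10 ipsec-isakmp
crypto map NEWMAP 10 match address VPN_NEW
crypto map NEWMAP 10 set peer 192.0.2.10
crypto map NEWMAP 10 set transform-set ESP-3DES-SHA

: 3. Bind NEWMAP to the interface. An interface carries one crypto map, so
:    this displaces OLDMAP on "outside" and implicitly tears down the SAs
:    negotiated under it (the brief tunnel break described in the reply).
crypto map NEWMAP interface outside

: 4. Confirm nothing from the old map lingers: the peer should be absent or
:    re-negotiated under NEWMAP. If a stale SA remains, the thread's own
:    "clear crypto sa peer <address>" / "clear crypto isakmp sa" apply.
show crypto isakmp sa
show crypto ipsec sa

: 5. Only once NEWMAP is active, remove the old map entry and its ACL
:    (on 6.x "no access-list <name>" drops the whole list; assumption).
no crypto map OLDMAP 10 ipsec-isakmp
no access-list VPN_OLD

write memory
```

Step 3 is where the outage happens, so if the change is being pushed across the very tunnel the map protects, paste steps 1 through 3 as one block, then expect to reconnect before steps 4 and 5.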

jcharth@hotmail.com
10-27-2005
Thanks, I guess it worked after clear crypto isakmp sa and rebooting