clear crypto map in pix

Discussion in 'Cisco' started by jcharth@hotmail.com, Oct 26, 2005.

  1. Guest

    Hello, I have several crypto maps with the same name, but they have 1 2 3
    ....

    I removed one of my crypto maps on one router and the PIX to try to
    create a hub and spoke config. But I haven't had any luck removing the
    crypto map from the PIX without reloading the PIX with

    clear crypto sa peer xxx.xxx.xxx.xxx

    Can anyone recommend a way to clear this from the PIX? When I do
    show crypto isakmp sa, I get the old tunnel as idle. I have IOS 6.3.

    Thanks.
    , Oct 26, 2005
    #1

  2. In article <>,
    <> wrote:
    :Hello, I have several crypto maps with the same name, but they have 1 2 3

    I take it you refer to policy elements within the crypto map. Cisco
    would say that all of those were the same crypto map.

    :I removed one of my crypto maps on one router and the PIX to try to
    :create a hub and spoke config. But I haven't had any luck removing the
    :crypto map from the PIX without reloading the PIX with

    :clear crypto sa peer xxx.xxx.xxx.xxx

    You cannot do it in PIX 6.x without doing the above or other commands
    that cause the above to be implicitly executed.

    :Can anyone recommend a way to clear this from the PIX? When I do
    :show crypto isakmp sa, I get the old tunnel as idle. I have IOS 6.3.

    If you do not clear the SAs after making a crypto map change
    (including a change to the ACL you used in the element definition), then
    the behaviour is inconsistent. Cisco documents that you must clear
    the SAs. Sometimes things will start working without a clear, but
    more often the PIX gets pretty mixed up.

    If you want to minimize disruption when you are working with crypto
    maps, the recommended procedure is to create a new map with a
    new name (and with new ACLs referenced if you are making an ACL change),
    and apply the new map to the appropriate interface. This will result
    implicitly in the previous SAs being torn down, but at least you do
    not run into problems with incomplete maps or odd SA behaviour.
    Once the new map is active, you can remove the old one.


    If you are trying to edit a crypto map ACL over the VPN created
    by virtue of that ACL, then there is no manual way to do it without
    losing your connection temporarily. This includes using
    "config net" to bring in the new config: you *will* need to break
    the active tunnel you are using in order to update it, and unless
    the systems are quite close together, chances are that the tftp will
    time out before the tunnel comes up. Using the new map procedure
    -minimizes- the break, but does not eliminate it.

    If you need to edit a crypto map ACL over the VPN created by virtue
    of that ACL, then the only "safe" ways are to use Cisco Works,
    SolSoft, or -possibly- PDM. All three of those hook in through
    "back doors", not talking directly to the CLI. I don't know what
    that back-door API can or cannot do, so I wouldn't want to trust
    any of these three without testing.
    --
    Okay, buzzwords only. Two syllables, tops. -- Laurie Anderson
    Walter Roberson, Oct 26, 2005
    #2
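
The new-map procedure from reply #2, as an added example (not code from the thread or from Cisco): a Python helper that turns a saved PIX 6.x config excerpt into the ordered command list for rebuilding a map under a new name without one entry. The sample config, the names `vpnmap` and `vpnmap2`, and the use of the `no` form to delete each old entry line are assumptions.

```python
import re

# Constructed PIX 6.x config excerpt; map, ACL and peer values are made up.
SAMPLE_CONFIG = """\
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map vpnmap 1 ipsec-isakmp
crypto map vpnmap 1 match address acl_site1
crypto map vpnmap 1 set peer 192.0.2.1
crypto map vpnmap 1 set transform-set myset
crypto map vpnmap 2 ipsec-isakmp
crypto map vpnmap 2 match address acl_site2
crypto map vpnmap 2 set peer 192.0.2.2
crypto map vpnmap 2 set transform-set myset
crypto map vpnmap interface outside
"""

ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")


def plan_map_swap(config, old, new, drop_seqs):
    """Commands that rebuild crypto map `old` under the name `new`,
    leaving out the entries whose sequence numbers are in `drop_seqs`."""
    build, bind, cleanup = [], [], []
    for line in map(str.strip, config.splitlines()):
        m = ENTRY.match(line) or BIND.match(line)
        if not m:
            continue
        if m.group(1) == new:
            raise ValueError(f"map name {new!r} is already in use")
        if m.group(1) != old:
            continue
        if m.re is BIND:
            bind.append(f"crypto map {new} interface {m.group(2)}")
            continue
        seq, rest = int(m.group(2)), m.group(3)
        if seq not in drop_seqs:
            build.append(f"crypto map {new} {seq} {rest}")
        # Assumption: each old entry line is deleted with its "no" form.
        cleanup.append("no " + line)
    if not build or not bind:
        raise ValueError(f"map {old!r} has no remaining entries or no interface")
    # Define the complete new map first, then bind it, then delete the old
    # entries in reverse so sub-settings go before the entry itself.
    return build + bind + cleanup[::-1]
```

Calling `plan_map_swap(SAMPLE_CONFIG, "vpnmap", "vpnmap2", {2})` returns the commands in the order they would be entered, so the new map is never applied while incomplete.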

  3. Guest

    Thanks, I guess it worked after clear crypto isakmp sa and rebooting
    , Oct 27, 2005
    #3