PIX 501 VPN tunnels no automatic reestablishing after power failure

Discussion in 'Cisco' started by gellert, Jun 1, 2006.

  1. gellert

    gellert Guest

    Hi,

    I have a setup where several site-to-site tunnels are not reestablished
    after a reboot or power failure of our PIX 501. The only solution is to
    power cycle/flush VPN tunnels on the remote ends. I would expect the PIX
    to notify the remote ends whenever tunnels are no longer valid so that new
    tunnels can be negotiated. What is the expected behavior, and is there a
    possible workaround?

    yours Truly
    Søren Gellert
    gellert, Jun 1, 2006
    #1

  2. In article <>,
    gellert <> wrote:
    >I have a setup where several site-to-site tunnels are not reestablished
    >after a reboot or power failure of our PIX 501. The only solution is to
    >power cycle/flush VPN tunnels on the remote ends. I would expect the PIX
    >to notify the remote ends whenever tunnels are no longer valid so that new
    >tunnels can be negotiated. What is the expected behavior, and is there a
    >possible workaround?


    Are you using crypto dynamic map or static crypto maps?

    Do the 501's have fixed IP addresses? If not, do they tend to get
    a new IP address when the 501s are rebooted/power-failed ?

    Which are you using: isakmp identity hostname or isakmp identity address ?
    Walter Roberson, Jun 1, 2006
    #2

  3. gellert

    gellert Guest

    On Thu, 01 Jun 2006 16:54:05 +0000, Walter Roberson wrote:

    > In article <>,
    > gellert <> wrote:
    >>I have a setup where several site-to-site tunnels are not reestablished
    >>after a reboot or power failure of our PIX 501. The only solution is to
    >>power cycle/flush VPN tunnels on the remote ends. I would expect the PIX
    >>to notify the remote ends whenever tunnels are no longer valid so that new
    >>tunnels can be negotiated. What is the expected behavior, and is there a
    >>possible workaround?

    >
    > Are you using crypto dynamic map or static crypto maps?
    >

    I am no PIX expert. I am hoping the following output may clear it up:

    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer ScanC-pix
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 20 set security-association lifetime seconds 72000 kilobytes 4608000
    crypto map outside_map 30 ipsec-isakmp
    crypto map outside_map 30 match address IPSEC_30
    crypto map outside_map 30 set peer AirG-pix
    crypto map outside_map 30 set transform-set ESP-DES-SHA
    crypto map outside_map 50 ipsec-isakmp
    crypto map outside_map 50 match address outside_cryptomap_50
    crypto map outside_map 50 set peer paas_is_gw
    crypto map outside_map 50 set transform-set ESP-3DES-MD5
    crypto map outside_map 70 ipsec-isakmp
    crypto map outside_map 70 match address outside_cryptomap_70
    crypto map outside_map 70 set peer paas_is_gw
    crypto map outside_map 70 set transform-set ESP-3DES-MD5
    crypto map outside_map 90 ipsec-isakmp
    crypto map outside_map 90 match address outside_cryptomap_90
    crypto map outside_map 90 set peer paas_se_gw
    crypto map outside_map 90 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside

    > Do the 501's have fixed IP addresses? If not, do they tend to get
    > a new IP address when the 501s are rebooted/power-failed ?
    >

    I have fixed IP addresses all around

    > Which are you using: isakmp identity hostname or isakmp identity address ?


    Identity address

    /yours truly
    Søren Gellert
    gellert, Jun 2, 2006
    #3
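
Added example, not part of any post in this thread: a short Python parser over the crypto map lines posted in #3 that classifies each entry as static or dynamic (the question asked in #2), records peer, transform set and SA lifetime, and lists peers referenced by more than one static entry. The function names and the abridged CONFIG string are this example's own.

```python
import re
# Abridged copy of the crypto map lines from post #3, embedded so this runs offline.
CONFIG = """\
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 set peer ScanC-pix
crypto map outside_map 20 set security-association lifetime seconds 72000 kilobytes 4608000
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 set peer AirG-pix
crypto map outside_map 30 set transform-set ESP-DES-SHA
crypto map outside_map 50 ipsec-isakmp
crypto map outside_map 50 set peer paas_is_gw
crypto map outside_map 70 ipsec-isakmp
crypto map outside_map 70 set peer paas_is_gw
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""

ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

def parse_crypto_map(text):
    """Return {sequence number: entry dict} for the numbered 'crypto map' lines."""
    entries = {}
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # skips the interface binding and any non-crypto-map line
        seq, words = int(m.group(2)), m.group(3).split()
        e = entries.setdefault(seq, {"kind": None, "peer": None,
                                     "transform": None, "lifetime_s": None})
        if words[0] == "ipsec-isakmp":  # 'ipsec-isakmp dynamic NAME' = dynamic entry
            e["kind"] = "dynamic" if words[1:2] == ["dynamic"] else "static"
        elif words[:2] == ["set", "peer"]:
            e["peer"] = words[2]
        elif words[:2] == ["set", "transform-set"]:
            e["transform"] = words[2]
        elif words[:4] == ["set", "security-association", "lifetime", "seconds"]:
            e["lifetime_s"] = int(words[4])
    return entries

def shared_peers(entries):
    """Map each peer named by more than one static entry to its sequence numbers."""
    by_peer = {}
    for seq, e in sorted(entries.items()):
        if e["kind"] == "static" and e["peer"]:
            by_peer.setdefault(e["peer"], []).append(seq)
    return {p: s for p, s in by_peer.items() if len(s) > 1}

if __name__ == "__main__":
    print(parse_crypto_map(CONFIG), shared_peers(parse_crypto_map(CONFIG)))
```

On the posted configuration this reports entries 20, 30, 50 and 70 as static with named peers and 65535 as the dynamic catch-all, with `paas_is_gw` used by both 50 and 70.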