Firewall Wizards mailing list archives

Re: PIX 501 to PIX 515 IPSec VPN failure, when the 515 already has a VPN


From: "Jerry B. Altzman" <jbaltz () altzman com>
Date: Sat, 15 Sep 2007 21:24:50 -0400

Wow, 3 responses so far!
on 2007-09-12 11:56 Christopher J. Wargaski said the following:
> I have seen this when there is a routing problem. Can the 515 ping the
> outside interface of the 501?

Yes, there is 100% reachability on both sides.

on 2007-09-12 23:08 Glenn Crissman said the following:
> First guess is check your NAT 0 access lists on both sides. If you don't
> have an acl entry there matching your interesting traffic acl for the
> 515 / 501 L2L VPN it won't attempt to come up. The PIX will NAT the
> traffic (or at least attempt to) before it hits the crypto engine.

I've cleared the nat 0 entries on both sides already... I'm reasonably 
sure that's not it. We're not even seeing IPSec try to *start*, basically.

on 2007-09-12 16:38 Julian M. Dragut said the following:
> I've had the same issue with 515 and 2 X 505's running 6.4, and I had
> to remove the crypto map from the 515 before adding the second 505,
> and then re-apply it to the interface.
>
> It looks like the ACL and maps could get corrupted, therefore, before
> adding anything to the crypto map, I always make sure I unbind it,
> make the changes and then rebind it.

This seems like the most likely candidate. We'll have to find time to 
bring down all the VPNs and try rebuilding from scratch.

//jbaltz
-- 
jerry b. altzman        jbaltz () altzman com     www.jbaltz.com
thank you for contributing to the heat death of the universe.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
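The two suggestions in this thread (the nat 0 exemption must cover every entry of the L2L crypto ACL, and the crypto map must actually be bound to the interface after a second peer is added) are easy to check mechanically. The script below is an added example, not from the thread or from Cisco: it parses a constructed PIX 6.x-style configuration (the ACL names, peer addresses and subnets are made up for the illustration) and reports every crypto-map `match address` entry that has no matching `nat (inside) 0 access-list` exemption, plus any crypto map that is never bound with `crypto map ... interface`. It understands only the `permit ip A M B M` / `host` / `any` forms and only exact src/dst matches, which is enough for the simple L2L case discussed here.

```python
"""Check that every PIX 6.x crypto-map 'interesting traffic' ACL entry is
also exempted from NAT by the 'nat (<iface>) 0 access-list' ACL.
Added example; the sample configuration below is constructed, not real."""
import re

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) ip (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")

# Constructed sample: the first L2L peer is exempted from NAT, the second
# (the "501" tunnel) has its crypto ACL but no matching nat 0 line.
SAMPLE_CONFIG = """
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list vpn_to_siteA permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list vpn_to_501 permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_to_siteA
crypto map outside_map 10 set peer 198.51.100.10
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address vpn_to_501
crypto map outside_map 20 set peer 203.0.113.5
crypto map outside_map interface outside
"""


def _parse_addr(tokens):
    """Consume one address spec (A M | host A | any); return ((net, mask), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "0.0.0.0"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "255.255.255.255"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_config(text):
    """Return (acls, nat0, maps, bound) extracted from the config text."""
    acls, nat0, maps, bound = {}, {}, {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, action, rest = m.groups()
            src, rest = _parse_addr(rest.split())
            dst, _ = _parse_addr(rest)
            acls.setdefault(name, []).append((action, src, dst))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)          # interface -> nat 0 ACL name
        elif m := MATCH_RE.match(line):
            maps[(m.group(1), int(m.group(2)))] = m.group(3)  # (map, seq) -> ACL
        elif m := BIND_RE.match(line):
            bound.add(m.group(1))                  # maps applied to an interface
    return acls, nat0, maps, bound


def find_unexempted(text, iface="inside"):
    """List (map, seq, acl, reason) for crypto entries that cannot come up."""
    acls, nat0, maps, bound = parse_config(text)
    exempt = {(s, d) for a, s, d in acls.get(nat0.get(iface, ""), []) if a == "permit"}
    problems = []
    for (map_name, seq), acl in sorted(maps.items()):
        if map_name not in bound:
            problems.append((map_name, seq, acl, "crypto map not bound to an interface"))
        for action, src, dst in acls.get(acl, []):
            if action == "permit" and (src, dst) not in exempt:
                problems.append((map_name, seq, acl,
                                 f"no nat 0 exemption for {src[0]}/{src[1]} -> {dst[0]}/{dst[1]}"))
    return problems


if __name__ == "__main__":
    for map_name, seq, acl, reason in find_unexempted(SAMPLE_CONFIG):
        print(f"crypto map {map_name} {seq} ({acl}): {reason}")
```

Run against the sample it flags sequence 20 (the 501 tunnel) as having traffic that will be translated by `nat (inside) 1` before it reaches the crypto engine; appending a matching `access-list nonat permit ip ...` line clears the report. Paste a real `write terminal` dump into `SAMPLE_CONFIG` to check a live box.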

