Firewall Wizards mailing list archives
Re: PIX 501 to PIX 515 IPSec VPN failure, when the 515 already has a VPN
From: "Jerry B. Altzman" <jbaltz () altzman com>
Date: Sat, 15 Sep 2007 21:24:50 -0400
Wow, 3 responses so far!

on 2007-09-12 11:56 Christopher J. Wargaski said the following:
> I have seen this when there is a routing problem. Can the 515 ping the outside interface of the 501?

Yes, there is 100% reachability on both sides.

on 2007-09-12 23:08 Glenn Crissman said the following:
> First guess is check your NAT 0 access lists on both sides. If you don't have an acl entry there matching your interesting traffic acl for the 515 / 501 L2L VPN it won't attempt to come up. The PIX will NAT the traffic (or at least attempt to) before it hits the crypto engine.

I've cleared the nat 0 entries on both sides already...I'm reasonably sure that's not it. We're not even seeing IPSec try to *start*, basically.

on 2007-09-12 16:38 Julian M. Dragut said the following:
> I've had the same issue with 515 and 2 X 505's running 6.4, and I had to remove the crypto map from the 515 before adding the second 505, and then re-apply it to the interface. It looks like the ACL and maps could get corrupted, therefore, before adding anything to the crypto map, I always make sure I unbind it, make the changes and then rebind it.

This seems like the most likely candidate. We'll have to find time to bring down all the VPNs and try rebuilding from scratch.

//jbaltz
--
jerry b. altzman jbaltz () altzman com www.jbaltz.com
thank you for contributing to the heat death of the universe.