From: Porch on 9 Nov 2006 16:45

I am upgrading a Pix 515E to 7.2 from 6.3. I converted the config and it loads without error. But I am having issues with the VPN tunnel. The Pix 515E connects to several Pix 501s (6.3 still) over an IPSec tunnel. The issue with the new 7.2 is that only a ping will bring up the VPN tunnel. If I attempt to connect over SSH, HTTP, or any other method, I just get the error below.

IKE Initiator unable to find policy: Intf 1, Src: 172.16.100.1, Dst: 172.20.113.20

Here are the good lines.

access-list 113_ipsec permit ip 172.30.0.0 255.255.0.0 172.20.113.0 255.255.255.0
access-list 113_ipsec permit ip 172.16.100.0 255.255.255.0 172.20.113.0 255.255.255.0
crypto map ToStore 113 ipsec-isakmp
crypto map ToStore 113 match address 113_ipsec
crypto map ToStore 113 set peer store113ip
crypto map ToStore 113 set transform-set strong

If I am at host 172.20.113.20, and I try to ssh to host 172.16.100.1, it will time out and I will see the IKE error on the Pix. If I ping from host 172.20.113.20 to host 172.16.100.1, after a second, the connection will work. From that point on, I can ssh in and do everything else like normal, until something times out in an hour and the tunnel drops. At that point, I have to ping again.

This is the same crypto map I used in 6.3 and it did not have this problem. What is going on?

Thanks for any help.

-Porch