From: Artie Lange on 16 Jul 2008 15:24

scooter133(a)gmail.com wrote:
> On Jul 16, 11:42 am, Artie Lange <spam...(a)jamiebaillie.net> wrote:
>
>> I do not see 'crypto ipsec security-association lifetime seconds 3600'
>> in the far end PIX
>
> Hmmm...
>
> I added it to moonrazor and it dumped the VPN, reconnected and it
> added the following:
> crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
> crypto map outside-SF_map 20 set security-association lifetime seconds 28800
>
> I do not see something similar on the HQ PIX...
> Should there be?
>
> Thank you!

That setting tells the firewall how long the SA is to be active before it rebuilds a new one. In my opinion, they need to match on both sides. I would say that would be a good place to start.
From: scooter133 on 16 Jul 2008 16:07

On Jul 16, 12:24 pm, Artie Lange <spam...(a)jamiebaillie.net> wrote:
> scooter...(a)gmail.com wrote:
>> On Jul 16, 11:42 am, Artie Lange <spam...(a)jamiebaillie.net> wrote:
>>
>>> I do not see 'crypto ipsec security-association lifetime seconds 3600'
>>> in the far end PIX
>>
>> Hmmm...
>>
>> I added it to moonrazor and it dumped the VPN, reconnected and it
>> added the following:
>> crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
>> crypto map outside-SF_map 20 set security-association lifetime seconds 28800
>>
>> I do not see something similar on the HQ PIX...
>> Should there be?
>>
>> Thank you!
>
> That setting tells the firewall how long the SA is to be active before
> it rebuilds a new one. In my opinion, they need to match on both sides.
> I would say that would be a good place to start.

Well, I'll let it sit and see how it goes. It's just odd that the VPN is up and works from the subnets that are connected directly to the inside ports of the PIXs, just not the one 1 hop away... I know that it works as it's the VPN that's letting me get to it to reprogram it.. (-;

Thanks again,
From: alexd on 17 Jul 2008 16:31

On Wed, 16 Jul 2008 13:07:14 -0700, scooter133 wrote:
> It's just odd that the VPN is up and works from the subnets that are
> connected directly to the inside ports of the PIXs, just not the one 1
> hop away...

Does the PIX know where the subnet one hop away is?

--
<http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm(a)ale.cx)
21:30:05 up 6 days, 5 min, 3 users, load average: 0.00, 0.06, 0.06
Convergence, n: The act of using separate DSL circuits for voice and data
From: jcle on 19 Jul 2008 23:23

Sounds to me like either your phase 1 and/or phase 2 lifetimes are off. If these do not match, your VPN tunnel will come up, then one PIX will think it is time to rekey or renegotiate SAs and the other will not, causing the VPN to go down. The reboot resets the whole tunnel and the lifetimes start at 0 again.

Make sure the following match for each VPN on both sides:

phase 1: isakmp policy (priority) lifetime (value is seconds) - the default is 86400, I believe

phase 2: crypto map (name) (priority) security-association lifetime (value in seconds) - I believe this to be 3600

If phase 2 is set to the default, I believe it will not show up in the config.

alexd wrote:
> On Wed, 16 Jul 2008 13:07:14 -0700, scooter133 wrote:
>
>> It's just odd that the VPN is up and works from the subnets that are
>> connected directly to the inside ports of the PIXs, just not the one 1
>> hop away...
>
> Does the PIX know where the subnet one hop away is?
>
> --
> <http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm(a)ale.cx)
> 21:30:05 up 6 days, 5 min, 3 users, load average: 0.00, 0.06, 0.06
> Convergence, n: The act of using separate DSL circuits for voice and data
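As an added example (not code from the thread or from Cisco), here is a small Python checker for the advice above: it pulls the phase 1 (isakmp policy) and phase 2 (crypto map / dynamic-map security-association) lifetimes out of two PIX config fragments and reports where the two peers differ. The two configs are constructed for illustration, the map names are invented, and two simplifications are assumptions: a missing lifetime line is filled in with an assumed platform default (86400 seconds for isakmp policies, 28800 seconds for IPsec SAs, the value the PIX wrote out when the command was added above), and entries are paired across peers by policy priority / map sequence number, since map names usually differ per box.

```python
import re

# Constructed PIX config fragments for the two tunnel endpoints (illustrative,
# not the poster's real configs). Map names are invented.
HQ_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 lifetime 86400
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address sf_traffic
"""

REMOTE_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 lifetime 28800
crypto map outside-SF_map 20 ipsec-isakmp
crypto map outside-SF_map 20 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
"""

# Assumed platform defaults, applied when a lifetime line is absent from the
# config (a default-valued lifetime is not shown in the running config).
DEFAULT_ISAKMP_LIFETIME = 86400
DEFAULT_IPSEC_LIFETIME = 28800

ISAKMP_POLICY_RE = re.compile(r"^isakmp policy (\d+)\b(?: lifetime (\d+))?")
GLOBAL_IPSEC_RE = re.compile(
    r"^crypto ipsec security-association lifetime seconds (\d+)")
CRYPTO_MAP_RE = re.compile(
    r"^crypto (?:dynamic-)?map (\S+) (\d+)\b"
    r"(?: set security-association lifetime seconds (\d+))?")


def parse_lifetimes(config, isakmp_default=DEFAULT_ISAKMP_LIFETIME,
                    ipsec_default=DEFAULT_IPSEC_LIFETIME):
    """Return {'phase1': {priority: secs}, 'phase2': {(map, seq): secs}}.

    Policies and map entries without an explicit lifetime get the default; a
    global 'crypto ipsec security-association lifetime seconds' line replaces
    the phase 2 default for every entry that has no per-entry override.
    """
    phase1, phase2, explicit2 = {}, {}, set()
    global_ipsec = ipsec_default
    for raw in config.splitlines():
        line = raw.strip()
        m = ISAKMP_POLICY_RE.match(line)
        if m:
            prio = int(m.group(1))
            if m.group(2):
                phase1[prio] = int(m.group(2))
            else:
                phase1.setdefault(prio, isakmp_default)  # seen, no lifetime yet
            continue
        m = GLOBAL_IPSEC_RE.match(line)
        if m:
            global_ipsec = int(m.group(1))
            continue
        m = CRYPTO_MAP_RE.match(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            if m.group(3):
                phase2[key] = int(m.group(3))
                explicit2.add(key)
            else:
                phase2.setdefault(key, None)  # filled with the global value below
    for key in phase2:
        if key not in explicit2:
            phase2[key] = global_ipsec
    return {"phase1": phase1, "phase2": phase2}


def compare_lifetimes(local, remote):
    """Pair phase 1 policies by priority and phase 2 entries by sequence number.

    Returns (mismatches, unpaired): tuples of (phase, identifier, local, remote)
    where both sides have the entry but disagree, and where only one side has it.
    """
    mismatches, unpaired = [], []
    for prio in sorted(set(local["phase1"]) | set(remote["phase1"])):
        l, r = local["phase1"].get(prio), remote["phase1"].get(prio)
        rec = ("phase1", f"isakmp policy {prio}", l, r)
        (unpaired if l is None or r is None else mismatches if l != r else []).append(rec)

    def by_seq(p2):  # sequence number -> (map name, lifetime)
        return {seq: (name, secs) for (name, seq), secs in p2.items()}

    lseq, rseq = by_seq(local["phase2"]), by_seq(remote["phase2"])
    for seq in sorted(set(lseq) | set(rseq)):
        l, r = lseq.get(seq), rseq.get(seq)
        ident = f"crypto map seq {seq} ({l[0] if l else '-'} / {r[0] if r else '-'})"
        lsecs, rsecs = (l[1] if l else None), (r[1] if r else None)
        rec = ("phase2", ident, lsecs, rsecs)
        (unpaired if l is None or r is None else mismatches if lsecs != rsecs else []).append(rec)
    return mismatches, unpaired


if __name__ == "__main__":
    mm, up = compare_lifetimes(parse_lifetimes(HQ_CONFIG), parse_lifetimes(REMOTE_CONFIG))
    for phase, ident, l, r in mm:
        print(f"MISMATCH {phase}: {ident}: local={l}s remote={r}s")
    for phase, ident, l, r in up:
        print(f"UNPAIRED {phase}: {ident}: local={l} remote={r}")
```

Run against the constructed fragments it flags the phase 1 policy (86400 vs 28800 seconds) and lists the dynamic-map entry as present on one side only; the phase 2 sequence 20 entries agree because the HQ side is carrying the assumed 28800-second default that never appears in its config.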
From: thejayman on 21 Jul 2008 03:12

What happens if you use the command "clear ipsec sa" when it stops routing? Does the routing return? If not, try "clear isakmp sa"; this might point you to what part is incorrect.