PIX VPN won't re-establish when peer IP has changed.

Unanswered Question
Feb 13th, 2007

I have a PIX501 at a remote site (213.x.x.186).

I had to install a Linksys VPN router at another remote site and VPN between the two.

I configured the Linksys in my office on a static IP (84.x.x.14) and remotely configured the PIX; I got these working fine.

I have since installed the Linksys at the other remote site and changed the static IP (213.x.x.235).

On the PIX I reconfigured:

crypto map transam 1 set peer 213.x.x.235

isakmp key ******** address 213.x.x.235 netmask 255.255.255.255 no-xauth no-config-mode

On the PIX, "show crypto ipsec sa" shows:

interface: outside

Crypto map tag: transam, local addr. 213.x.x.186

local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

current_peer: 84.x.x.14:500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 88, #pkts encrypt: 88, #pkts digest 88

#pkts decaps: 83, #pkts decrypt: 83, #pkts verify 83

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 213.x.x.186, remote crypto endpt.: 84.x.x.14

path mtu 1500, ipsec overhead 56, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

This output shows the connection to my office still, and the Linksys connected in the remote site will not re-establish a connection.

show crypto isakmp sa shows:

Total : 1

Embryonic : 0

dst src state pending created

213.x.x.186 213.x.x.235 QM_IDLE 0 0

I've tried clearing this entry with "clear crypto ipsec sa peer" and it will not disappear and reestablish with the new configuration.

Can anyone throw me some suggestions?

Kamal Malhotra Tue, 02/13/2007 - 13:07

Hi,

When you do 'show crypto map' you should see something like:

crypto map transam interface

do a

no crypto map transam interface

and

crypto map transam interface

It should resolve the problem. Please do not forget to clear the SAs.

HTH,

Kamal

d.bigerstaff Wed, 02/14/2007 - 03:42

Thanks for your help,

The issue actually turned out to be my boss changing the local subnet on the Linksys to be 192.168.101.0, when it was initially 192.168.1.0.

I only changed the access-lists on the PIX but also needed to change local secure group on the PIX.

Thanks anyways mate.
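
The comparisons this thread worked through by hand (current_peer, the remote ident and the outbound SPI in "show crypto ipsec sa" against the intended tunnel), as an added example that is not part of the original thread. The names parse_sa, check_sa and SAMPLE_SA are hypothetical, the sample addresses are constructed from documentation ranges, and the SPI is assumed to be printed in hex.

```python
import ipaddress
import re

# Constructed sample in the format of the "show crypto ipsec sa" output quoted
# in the thread; the public addresses are documentation ranges, not the poster's.
SAMPLE_SA = """\
interface: outside
Crypto map tag: transam, local addr. 192.0.2.186
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 198.51.100.14:500
current outbound spi: 0
"""

def parse_sa(text):
    """Pull the peer, proxy identities and outbound SPI out of one SA entry."""
    def ident(side):
        m = re.search(rf"{side} ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/", text)
        return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    peer = re.search(r"current_peer:\s*([\d.]+)", text).group(1)
    # Assumption: the SPI is shown as bare hex digits, with 0 meaning no SA.
    spi = re.search(r"current outbound spi:\s*([0-9a-fA-F]+)", text).group(1)
    return {"peer": peer, "local": ident("local"), "remote": ident("remote"),
            "spi": int(spi, 16)}

def check_sa(text, expected_peer, expected_remote_net):
    """Return findings comparing the SA entry with the tunnel that was intended."""
    sa = parse_sa(text)
    findings = []
    if sa["peer"] != expected_peer:
        findings.append(f"stale peer: SA lists {sa['peer']}, config expects {expected_peer}")
    if sa["remote"] != ipaddress.ip_network(expected_remote_net):
        findings.append(f"proxy identity mismatch: SA remote ident {sa['remote']}, "
                        f"far end protects {expected_remote_net}")
    if sa["spi"] == 0:
        findings.append("no active IPsec SA (outbound SPI is 0)")
    return findings

if __name__ == "__main__":
    # Intended state: new peer address, and the Linksys LAN moved to 192.168.101.0/24.
    for finding in check_sa(SAMPLE_SA, "203.0.113.235", "192.168.101.0/24"):
        print(finding)
```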
