ipsec tunnel

Apr 3rd, 2007

Please see my PIX version and the hardware details below:

Cisco PIX Firewall Version 6.3(5)

Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz

Flash E28F128J3 @ 0x300, 16MB

I added a host on the IPsec tunnel and ran the following command:

FW# sh crypto ipsec sa | be HTX0062-NAT

local ident (addr/mask/prot/port): (HTX0062-NAT/

remote ident (addr/mask/prot/port): (

current_peer: CERNER-NAT:0

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.:, remote crypto endpt.: CERNER-NAT

path mtu 1500, ipsec overhead 0, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

But, the remote end was unable to initiate a connection.

My senior colleague said I have to reset the tunnel to get it working. I just want to know whether IT IS RIGHT or NOT.


Kelvin Cheung

jeremyarcher Wed, 04/04/2007 - 18:24

Yes, often you'll have to reset the tunnel if you change the crypto map.

cheungkfk Mon, 04/16/2007 - 15:26

I can't see my last post, so I am posting it again.

I added a host on the existing ACL for the crypto map.

It did NOT work. Do I need to reset the IPsec tunnel?


Kelvin Cheung

cheungkfk Tue, 04/17/2007 - 18:21

Dear Jay Mia

First of all, thanks for your reply.

The commands "clear isakmp sa" and "clear ipsec sa" will NOT delete any PIX configurations???


Kelvin Cheung

