
ipsec tunnel

cheungkfk
Level 1

Please see my PIX version and the hardware details below:

Cisco PIX Firewall Version 6.3(5)

Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz

Flash E28F128J3 @ 0x300, 16MB

I added a host on the IPsec tunnel and ran the following command:

FW# sh crypto ipsec sa | be HTX0062-NAT

local ident (addr/mask/prot/port): (HTX0062-NAT/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (195.140.250.0/255.255.255.240/0/0)

current_peer: CERNER-NAT:0

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 206.5.104.10, remote crypto endpt.: CERNER-NAT

path mtu 1500, ipsec overhead 0, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

But, the remote end was unable to initiate a connection.

My senior colleague said I have to reset the tunnel to get it working. I just want to know whether IT IS RIGHT or NOT.

Regards

Kelvin Cheung

5 Replies

jeremyarcher
Level 1

Yes, often you'll have to reset the tunnel if you change the crypto map.

I can't see my last post so I post it again.

I added a host on the existing ACL for the crypto map.

It did NOT work. Do I need to reset the IPsec tunnel?

Thanks....

Kelvin Cheung

Kelvin,

Yes, clear the existing tunnel -

In config mode:

clear isakmp sa

clear ipsec sa

The above will drop any existing tunnels. To rebuild the tunnel, just ping your remote internal peer IP from your internal IP range.

Hope this helps and please rate posts!

Dear Jay Mia

First of all, thanks for your reply.

The command "clear isakmp sa" and "clear ipsec sa" will NOT delete any PIX configurations???

Regards

Kelvin Cheung

Hi Kelvin,

No, by using "clear isakmp sa" and "clear ipsec sa" it will NOT delete any configuration.

The above commands ONLY reset the SA tables for both ISAKMP and IPSec.

Hope this helps and please rate posts!!

Jay
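The condition shown in the question (a local/remote ident pair with zero packet counters and "current outbound spi: 0") can be picked out of a full "show crypto ipsec sa" dump with a short script. This is an added example, not part of any post in this thread; the function names are hypothetical, and the sample output is constructed: its first entry mirrors the question, its second (EXAMPLE-HOST, counters and SPI) is made up for contrast.

```python
import re

# Constructed sample. Entry 1 mirrors the output in the question; entry 2
# (EXAMPLE-HOST, its counters and SPI) is made up to show an established SA.
SAMPLE = """\
local  ident (addr/mask/prot/port): (HTX0062-NAT/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (195.140.250.0/255.255.255.240/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
current outbound spi: 0
local  ident (addr/mask/prot/port): (EXAMPLE-HOST/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (195.140.250.0/255.255.255.240/0/0)
#pkts encaps: 412, #pkts encrypt: 412, #pkts digest 412
#pkts decaps: 398, #pkts decrypt: 398, #pkts verify 398
current outbound spi: 5a1c09e2
"""

FIELDS = {
    "local": re.compile(r"local\s+ident.*:\s*\((\S+?)/"),
    "remote": re.compile(r"remote\s+ident.*:\s*\((\S+?)/"),
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "spi": re.compile(r"current outbound spi:\s*(?:0x)?([0-9a-fA-F]+)"),
}


def parse_sa_entries(text):
    """Return one dict per local/remote ident pair found in the output."""
    entries = []
    for line in text.splitlines():
        for key, rx in FIELDS.items():
            m = rx.search(line)
            if m and key == "local":      # a new selector pair starts here
                entries.append({key: m.group(1)})
            elif m and entries:
                entries[-1][key] = m.group(1)
    return entries


def selectors_without_sa(text):
    """Return (local, remote) pairs whose outbound SPI is 0: no IPsec SA is up."""
    return [(e.get("local"), e.get("remote"))
            for e in parse_sa_entries(text)
            if int(e.get("spi", "0"), 16) == 0]


if __name__ == "__main__":
    for local, remote in selectors_without_sa(SAMPLE):
        print(f"no IPsec SA negotiated for {local} -> {remote}")
```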
