IPSEC tunnel issue on Pix 7x and ASA 7.2(2) ver

Unanswered Question
Oct 15th, 2007

Hi,

I have been facing an IPsec VPN tunnel issue since upgrading my PIX 535 from 6.3(5) to 7.x. I have 20-odd site-to-site VPN tunnels configured on my PIX. The problem is that all of a sudden data stops transferring through a tunnel. If I check the status of the IPsec VPN tunnel with

sh crypto isakmp sa

sh crypto ipsec sa

sh crypto isakmp detail

it shows me up and connected. Cisco recommended checking with an ASA. I have an ASA 5520 installed with version 7.2(2). I observed the same problem 3 times in 1 week. Has anybody else observed the same issue? I need a solution.

Thanks in advance

regards

Sachin Verma
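The symptom in this post, SAs that report as up while no data passes, is why a status check has to look at the packet counters, not only at the SA state. The following script is an added example, not part of the original thread or Cisco's tooling: it parses two snapshots of `show crypto ipsec sa` taken some minutes apart and flags SAs whose encaps/decaps counters have stopped moving, or that only encapsulate without ever decrypting anything back. The two snapshots below are constructed sample text, modelled loosely on the ASA 7.x output format; the peer and subnet addresses are documentation ranges, not real peers.

```python
import re

# Constructed sample: first snapshot of "show crypto ipsec sa" (not real output).
SAMPLE_BEFORE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 192.0.2.1

      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2

      #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
      #pkts decaps: 1480, #pkts decrypt: 1480, #pkts verify: 1480

      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
      current_peer: 203.0.113.7

      #pkts encaps: 900, #pkts encrypt: 900, #pkts digest: 900
      #pkts decaps: 870, #pkts decrypt: 870, #pkts verify: 870
"""

# Constructed sample: second snapshot a few minutes later. The first SA keeps
# moving in both directions; the second still encapsulates but decaps is frozen,
# which is the "up but passing no data" condition described in the thread.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("1500", "1600").replace("1480", "1580") \
                            .replace("900", "960")

LOCAL_RE = re.compile(r"local ident \(addr/mask/prot/port\): \((\S+)\)")
REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \((\S+)\)")
PEER_RE = re.compile(r"current_peer: (\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sa(text):
    """Map (local ident, remote ident, peer) -> {'encaps': n, 'decaps': n}.

    One SA entry is assumed to appear in the order local ident, remote ident,
    current_peer, #pkts encaps, #pkts decaps; the decaps line closes the entry.
    """
    sas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := LOCAL_RE.match(line):
            current = {"local": m.group(1)}
        elif current is None:
            continue
        elif m := REMOTE_RE.match(line):
            current["remote"] = m.group(1)
        elif m := PEER_RE.match(line):
            current["peer"] = m.group(1)
        elif m := ENCAPS_RE.match(line):
            current["encaps"] = int(m.group(1))
        elif m := DECAPS_RE.match(line):
            key = (current["local"], current["remote"], current.get("peer"))
            sas[key] = {"encaps": current["encaps"], "decaps": int(m.group(1))}
            current = None
    return sas


def find_stalled(before, after):
    """Compare two snapshots and return [(key, reason)] for SAs that look dead."""
    stalled = []
    for key, b in before.items():
        a = after.get(key)
        if a is None:
            stalled.append((key, "SA no longer present"))
            continue
        sent = a["encaps"] - b["encaps"]
        received = a["decaps"] - b["decaps"]
        if sent > 0 and received == 0:
            stalled.append((key, "one-way: encrypting but nothing decrypted back"))
        elif sent == 0 and received == 0:
            stalled.append((key, "idle: no packets in either direction"))
    return stalled


if __name__ == "__main__":
    for key, reason in find_stalled(parse_ipsec_sa(SAMPLE_BEFORE),
                                    parse_ipsec_sa(SAMPLE_AFTER)):
        local, remote, peer = key
        print(f"{local} <-> {remote} via {peer}: {reason}")
```

In practice the two snapshots would come from the device a few minutes apart; an SA that is "idle" may simply have no traffic to carry, whereas the one-way case (our side encrypts, nothing comes back) is the pattern to escalate, since the remote side or the path is dropping what we send even though both IKE and IPsec SAs report as up.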

didyap Fri, 10/19/2007 - 09:38

Check if you have these commands in the config of the PIX after the upgrade; if not, add them manually:

tunnel-group group1 type ipsec-ra

tunnel-group group1 general-attributes

address-pool pool1

tunnel-group group1 ipsec-attributes

pre-shared-key mypassword

The following links may help you:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml

http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html

bdantzig Fri, 10/19/2007 - 16:08

I had a similar problem with a PIX 501 6.3(5) doing Easy VPN to an ASA 5520 7.1 active/passive HA pair. Periodically several sites would stop communicating.

TAC was unable to give an answer for many months. They finally suggested we move to 7.2(19) at least until 8.x has been in the field long enough to make sure it's stable.

We upgraded to 7.2.19 on a single non-HA 5510. No more problems. We have also converted most sites to site-to-site VPN. We have not yet moved back to the 5520 HA pair but will try that in the future.

azore2007 Wed, 10/31/2007 - 03:21

Hi

I'm having the same problem here.

Went from 6.3(5) to 7.22 and am having major issues with my old VPN tunnels.

This is very strange since I did the exact same thing with my other pix firewall 1 month ago and it worked very well...

I have compared the configs and there's nothing wrong with them. Some tunnels just keep dying on me.

I'll have to downgrade tonight, I'd guess; I thought about going up to the PIX 8.x release to see if the problem still exists or not.

lmanaughkcc Thu, 11/01/2007 - 15:59

I had the same issues when going from a 506E 6.3(5) to an ASA 7.2(2). The config was the same and I spent several days with an open TAC request. The tech asked me to enter:

sysopt connection permit-ipsec

and that did it; they all started talking. I have no idea why it didn't stick when I entered it the first time, and it doesn't show in a sh run, but it got all the connections working.

sachin.verma Thu, 11/01/2007 - 23:26

Hi,

Did your tunnels stop passing traffic intermittently after upgrading to ASA 7.2(2), or were they dying right after the upgrade? How long have your tunnels been up since issuing the command

sysopt connection permit-ipsec

regards

Sachin Verma

lmanaughkcc Fri, 11/02/2007 - 03:40

They are still up. Some tunnels were intermittently up and one of the 15 was up all the time. I have noticed that they can grow stale and I believe there is a command to fix that as well; I just don't remember what it is.
