PIX Crypto Tunnel Selection

Unanswered Question
Dec 3rd, 2007

I'm troubleshooting a site-to-site VPN tunnel between our Cat 6506 w/ VPN module to peer's PIX-515. The peer's crypto config appears to be incorrect and has two tunnels built between it and our VPN module.

crypto map mymap 1 match address acl1
crypto map mymap 1 set peer
crypto map mymap 1 set transform-set myset
crypto map mymap 2 match address acl2
crypto map mymap 2 set peer
crypto map mymap 2 set transform-set myset

access-list acl1 permit ip
access-list acl2 permit ip host

My question is how does the PIX determine which crypto peer (and subsequent SA) to send a packet to? In this example if a packet is sent from to, does it match acl1 because it is sequentially higher than the next peer, or does it match acl2 because it is the longest-match for that packet?

I've tried looking through Cisco's website and documentation, but I cannot find the order of precedence for crypto tunnels and how packets are selected/sent.

Anyone here know?

ccbootcamp Mon, 12/03/2007 - 13:23

If memory serves, I believe the lower map statement has priority. Therefore, everything going from /8 to /8 will be encrypted using the first mymap statement...however, both remote peers and transform sets are the same, so I'm not sure what you're trying to accomplish here.



(please rate the post if this helps!)

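Added example, not part of the thread: a small Python simulation of the selection rule the reply above describes and Cisco documents for crypto maps, namely that entries are evaluated in ascending sequence-number order and the first entry whose crypto ACL permits the packet is used (there is no longest-match step). It also flags entries whose ACL is entirely covered by an earlier entry's ACL, which can therefore never be selected. The peer address 203.0.113.10 and the network/host addresses in SAMPLE_CONFIG are constructed to mirror the shape of the poster's config, which omits them; the parser assumes PIX-style ACLs with subnet masks (not IOS wildcard masks).

```python
"""Simulate PIX/IOS crypto map entry selection (first match by sequence number)
and report crypto map entries shadowed by earlier ones."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed config in the shape of the thread's example; addresses are made up.
SAMPLE_CONFIG = """
crypto map mymap 1 match address acl1
crypto map mymap 1 set peer 203.0.113.10
crypto map mymap 1 set transform-set myset
crypto map mymap 2 match address acl2
crypto map mymap 2 set peer 203.0.113.10
crypto map mymap 2 set transform-set myset
access-list acl1 permit ip 10.0.0.0 255.0.0.0 172.0.0.0 255.0.0.0
access-list acl2 permit ip host 10.1.1.5 172.16.0.0 255.255.0.0
"""


@dataclass
class Ace:
    """One 'permit ip SRC DST' line of a crypto ACL."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def permits(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        return src in self.src and dst in self.dst

    def covers(self, other: "Ace") -> bool:
        """True if every packet matched by `other` is also matched by this ACE."""
        return other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)


@dataclass
class MapEntry:
    seq: int
    acl: Optional[str] = None
    peer: Optional[str] = None
    transform_set: Optional[str] = None


def _network(tokens: list) -> ipaddress.IPv4Network:
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)  # PIX uses a subnet mask here, not a wildcard mask
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_config(text: str):
    """Return ({acl_name: [Ace, ...]}, [MapEntry sorted by seq])."""
    acls, entries = {}, {}
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens[:1] == ["access-list"] and tokens[2:4] == ["permit", "ip"]:
            rest = tokens[4:]
            acls.setdefault(tokens[1], []).append(Ace(_network(rest), _network(rest)))
        elif tokens[:2] == ["crypto", "map"]:
            key = (tokens[2], int(tokens[3]))
            entry = entries.setdefault(key, MapEntry(int(tokens[3])))
            if tokens[4:6] == ["match", "address"]:
                entry.acl = tokens[6]
            elif tokens[4:6] == ["set", "peer"]:
                entry.peer = tokens[6]
            elif tokens[4:6] == ["set", "transform-set"]:
                entry.transform_set = tokens[6]
    # Lower sequence number is evaluated first: that is the whole selection rule.
    return acls, sorted(entries.values(), key=lambda e: e.seq)


def select_entry(acls, entries, src_ip: str, dst_ip: str) -> Optional[MapEntry]:
    """First entry (lowest seq) whose crypto ACL permits src->dst, else None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in entries:
        if any(ace.permits(src, dst) for ace in acls.get(entry.acl, [])):
            return entry
    return None


def shadowed_entries(acls, entries):
    """(shadowed_seq, shadowing_seq) pairs: every ACE of the later entry is covered
    by some ACE of an earlier entry, so the later entry can never be selected."""
    found = []
    for j, later in enumerate(entries):
        later_aces = acls.get(later.acl, [])
        for earlier in entries[:j]:
            earlier_aces = acls.get(earlier.acl, [])
            if later_aces and all(any(e.covers(l) for e in earlier_aces) for l in later_aces):
                found.append((later.seq, earlier.seq))
                break
    return found


if __name__ == "__main__":
    acls, entries = parse_config(SAMPLE_CONFIG)
    hit = select_entry(acls, entries, "10.1.1.5", "172.16.0.1")
    print("10.1.1.5 -> 172.16.0.1 uses mymap", hit.seq, "peer", hit.peer)
    print("shadowed entries (never matched):", shadowed_entries(acls, entries))
```

The host-specific acl2 is the "longest match" for 10.1.1.5, yet the packet is classified by mymap 1 because acl1 permits it and seq 1 is checked first; the shadow check reports mymap 2 as unreachable. The check is static and only looks at ACL coverage, so it says nothing about two entries with disjoint ACLs pointing at the same peer, which the device handles as separate SAs.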
jbalchunas Mon, 12/03/2007 - 13:59

The second crypto map statement should not be configured and is being removed. That is the first thing we identified on the peer that needed to be changed. I know that overlapping networks can cause SPI errors (which is something we are seeing on our end), hence the reason we're troubleshooting.

