01-29-2008 05:34 AM - edited 03-11-2019 04:55 AM
I have a new site to connect to my main site PIX. I have used an SSH connection to change the main site configuration.
When I try to add a new site-to-site entry to my crypto map, the device immediately loses its internet connection. I then have to get someone on the main site to reboot the device so I can reconnect. The outward Internet connection at the main site also goes down. The VPN client connection, however, is not affected.
All I am doing is trying to add the line below to set up a new entry in my crypto map:
TIP-exx(config)# crypto map TIP_MAP 3 ipsec-isakmp
As shown in the config below, the first time I put it in I made a spelling mistake (TIP-MAP 3).
crypto map TIP_MAP 1 ipsec-isakmp
crypto map TIP_MAP 1 match address 100
crypto map TIP_MAP 1 set peer xxx.xxx.xxx.xxx
crypto map TIP_MAP 1 set transform-set exx
crypto map TIP_MAP 2 ipsec-isakmp
crypto map TIP_MAP 2 match address 101
crypto map TIP_MAP 2 set peer xxx.xxx.xxx.xxx
crypto map TIP_MAP 2 set transform-set exx
crypto map TIP_MAP 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map TIP_MAP interface outside
crypto map TIP-MAP 3 ipsec-isakmp
crypto map TIP-MAP 3 match address 102
crypto map TIP-MAP 3 set peer xxx.xxx.xxx.xxx
crypto map TIP-MAP 3 set transform-set exx
isakmp enable outside
I have set up loads of these connections remotely before and never had a problem adding or deleting crypto maps. Has anyone come across this?
Many Thanks,
Daniel.
01-29-2008 06:36 AM
Daniel,
I see crypto map "TIP_MAP" and "TIP-MAP". I am sure this is a typo. Anyways, this could be one of the reasons you are having issues. Since you can apply only one crypto map to the interface, you need to pick one.
Also, can you make sure that you have an access-list configured for the crypto map that you are configuring? Based upon the issue, it looks like there is no match address and all traffic is getting encrypted, and that is why you are losing the connection.
Let me know if this fixes the issue.
Regards,
Arul
** Please rate all helpful posts **
01-30-2008 12:36 AM
I tried to explain I was replacing the wrongly entered TIP-MAP 3. Sorry if this wasn't clear.
Anyway, going by the further details in your post: when entering a new portion of the crypto map, you have to enter the:
crypto map TIP_MAP 3 match address (access list)
before the:
crypto map TIP_MAP 3 ipsec-isakmp
command. Otherwise all traffic is encrypted?
02-09-2012 01:59 PM
This is a pretty old post but I was having the same issue.
I found that if I removed the crypto map from the outside interface, removed my unwanted cryptos, added my new crypto commands, and then re-applied the mapping, then I had no issues.
In this case:
TIP-exx(config)#no crypto map TIP_MAP interface outside
TIP-exx(config)#no crypto map TIP-MAP 3 ipsec-isakmp
TIP-exx(config)#no crypto map TIP-MAP 3 match address 102
TIP-exx(config)#no crypto map TIP-MAP 3 set peer xxx.xxx.xxx.xxx
TIP-exx(config)#no crypto map TIP-MAP 3 set transform-set exx
TIP-exx(config)# crypto map TIP_MAP 3 ipsec-isakmp
TIP-exx(config)# crypto map TIP_MAP interface outside