Pix Has Gone Barmy

danparsons · ‎01-29-2008

I have a new site to connect to my main site pix. I have used a SSH connection to change the main site configuration.

When I try and add a new Site to site addition to my crypto map the device immediately loses its internet connection. I then have to get someone on the main site to reboot the device so I can reconnect. The outward Internet connection at the main site also goes down. The VPN client connection, however, is not affected.

All I am doing is trying to add the line below to set up a new entry in my crypto map:

TIP-exx(config)# crypto map TIP_MAP 3 ipsec-isakmp

As shown the config below, the first time I put it in I made a spelling mistake. (TIP-MAP 3)

crypto map TIP_MAP 1 ipsec-isakmp

crypto map TIP_MAP 1 match address 100

crypto map TIP_MAP 1 set peer xxx.xxx.xxx.xxx

crypto map TIP_MAP 1 set transform-set exx

crypto map TIP_MAP 2 ipsec-isakmp

crypto map TIP_MAP 2 match address 101

crypto map TIP_MAP 2 set peer xxx.xxx.xxx.xxx

crypto map TIP_MAP 2 set transform-set exx

crypto map TIP_MAP 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map TIP_MAP interface outside

crypto map TIP-MAP 3 ipsec-isakmp

crypto map TIP-MAP 3 match address 102

crypto map TIP-MAP 3 set peer xxx.xxx.xxx.xxx

crypto map TIP-MAP 3 set transform-set exx

isakmp enable outside

I have set up loads of these connections remotely before and never had a problem adding, deleting crypto maps. Has anyone come accross this?

Many Thanks,

Daniel.

ajagadee · ‎01-29-2008

Daniel,

I see crypto map "TIP_MAP" and "TIP-MAP". I am sure this is a typo. Anyways, this could be one of the reasons you are having issues. Since, you can apply only one crypto map to the interface, you need to pick one.

Also, can you make sure that you have an access-list configured for the crypto map that you are configuring. Based upon the issue, it looks like there is no match address and all traffic is getting encrypted and that is why you are losing the connection.

Let me know if this fixes the issue.

Regards,

Arul

** Please rate all helpful posts **

danparsons · ‎01-30-2008

I tried to explain I was replacing the wrongly entered TIP-MAP 3. Sorry if this wasnt clear.

Anyway going by the further details in your post. When entering a new portion of the crypto map, you have to enter the:

crypto map TIP_MAP 3 match address (access list)

before the:

crypto map TIP_MAP 3 ipsec-isakmp

command. Otherwise all traffic is encrypted?

Dustin Harrig · ‎02-09-2012

This is a pretty old post but I was having the same issue.

I found that if i removed the crypto map from the outside interface, removed my unwanted cryptos, added my new crypto commands, and then re-applied the mapping, then i had no issues.

In this case:

TIP-exx(config)#no crypto map TIP_MAP interface outside

TIP-exx(config)#no crypto map TIP-MAP 3 ipsec-isakmp

TIP-exx(config)#no crypto map TIP-MAP 3 match address 102

TIP-exx(config)#no crypto map TIP-MAP 3 set peer xxx.xxx.xxx.xxx

TIP-exx(config)#no crypto map TIP-MAP 3 set transform-set exx

TIP-exx(config)# crypto map TIP_MAP 3 ipsec-isakmp

TIP-exx(config)# crypto map TIP_MAP interface outside