Unanswered Question
Mar 13th, 2008

We need to change the IP address of our PIX firewall. We have almost 50 VPN tunnels (predominantly PIX 501s) pointing towards our PIX515. Most tunnels are using crypto maps with access-lists and pre-shared keys. We need to set up the remote PIXes in advance so that the VPNs come back up after the IP address change. I've been able to get this to work with ASA5505s on the remote side. The new tunnels form automatically when the primary tunnel drops. However, when we use PIX 501s, the new tunnel doesn't form until we clear the security association on the remote side. Is there any configuration which will allow us to have the tunnel fail over to the new IP address?

Herbert Baerten Fri, 03/14/2008 - 04:55

I think "isakmp keepalive seconds [retry_seconds]" should help.

e.g. isakmp keepalive 10

