p.bryliov Tue, 07/08/2008 - 04:21

Yes I have active vpn tunnels on my PIX. How it can influence to my scheme?

p.bryliov Tue, 07/08/2008 - 18:47

PIX 515E

Cisco PIX Security Appliance Software Version 7.0(1)

a.alekseev Tue, 07/08/2008 - 03:48

debug crypto ipsec

debug crypto isakmp

no access-list 120

access-list 120 permit ip host host

no ip access-list extended VPN

ip access-list extended VPN

permit ip host host

p.bryliov Tue, 07/08/2008 - 04:45

I have attached debug without deleting access-list. After deleting access-list on c2811 vpn tunnel rised up. Bat atfter I reload c871 and vpn again not rising up from c2811

a.alekseev Tue, 07/08/2008 - 04:52

so... Was it working?

try to add on both sides

ctypto isakmp keepalive 10

crypto isakmp invalid-spi-recovery

after that do

clear crypto sa

clear crypto isa sa

p.bryliov Wed, 07/09/2008 - 00:05

Yes I have read this guid and this confuse me

If an IKE SA is being initiated to notify an IPSec peer of an "Invalid SPI" error, there is the risk that a denial-of-service (DoS) attack can occur. The feature has a built-in mechanism to minimize such a risk, but because there is a risk, the feature is not enabled by default. You must enable the command using command-line interface (CLI).

Can vpn work without crypto isakmp invalid-spi-recovery? I think c871 don't detect NAT


This Discussion