04-07-2009 07:24 AM
I have a VPN tunnel configured between a PIX 501 and a 7200 router. The tunnel works fine until at some point during the day it stops working, and I am unable to bring it back up unless I clear out all the SAs on both sides. The tunnel then comes back up. I have included debugs from both ends and the relevant configuration. Any help would be appreciated. Thanks.
04-07-2009 08:32 AM
I changed the p2 lifetime on router to 28800 to match pix. We'll see what happens.
04-08-2009 07:05 AM
Ok, so the tunnel is failing once phase 1 times out. It is attempting to rekey but the router is using the wrong isakmp profile/keyring. Therefore the pre-shared keys aren't matching.
ISAKMP: Looking for a matching key for 99.36.x.x in default
ISAKMP: Looking for a matching key for 99.36.x.x in location1
ISAKMP: Looking for a matching key for 99.36.x.x in location2
ISAKMP: Looking for a matching key for 99.36.x.x in location3
ISAKMP: Looking for a matching key for 99.36.x.x in location4
ISAKMP: Looking for a matching key for 99.36.x.x in location5
ISAKMP: Looking for a matching key for 99.36.x.x in location6
ISAKMP: Looking for a matching key for 99.36.x.x in location7
ISAKMP: Looking for a matching key for 99.36.x.x in location8
ISAKMP: Looking for a matching key for 99.36.x.x in location9
ISAKMP: Looking for a matching key for 99.36.x.x in location10 : success
The problem here is it should match "location12".
Here is my keyring config.
crypto keyring location1
pre-shared-key address 72.x.x.x key *
crypto keyring location2
pre-shared-key address 75.x.x.x key *
crypto keyring location3
pre-shared-key address 99.x.x.x key *
crypto keyring location4
pre-shared-key address 12.x.x.x key *
crypto keyring location5
pre-shared-key address 216.x.x.x key *
crypto keyring location6
pre-shared-key address 151.x.x.x key *
crypto keyring location7
pre-shared-key address 72.x.x.x key *
crypto keyring location8
pre-shared-key address 71.x.x.x key *
crypto keyring location9
pre-shared-key address 98.x.x.x key *
crypto keyring location10
pre-shared-key address 0.0.0.0 0.0.0.0 key *
crypto keyring location11
pre-shared-key address 70.x.x.x key *
crypto keyring location12
pre-shared-key address 99.36.x.x key *
I suppose this is happening because it matches "0.0.0.0 0.0.0.0" before it gets to 99.36.x.x. If this is the case, why does the tunnel ever come up in the first place? Do I have to move the "location10" keyring to the bottom of the list?
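The following is an added example, not code from this thread or from Cisco: a small Python lint that models the first-match, configuration-order keyring search the debug output above shows, and flags keyrings that can never be selected because an earlier keyring (here the 0.0.0.0 0.0.0.0 wildcard) already covers their address. The keyring names and the documentation-range addresses are constructed, and the search model is an assumption drawn from the debug lines rather than a statement of the exact IOS algorithm.

```python
import ipaddress
import re

# Constructed keyring fragment mirroring the thread's structure: a specific
# peer, the wildcard keyring, then the specific peer that should have matched.
KEYRING_CONFIG = """\
crypto keyring location1
 pre-shared-key address 192.0.2.10 key *
crypto keyring location10
 pre-shared-key address 0.0.0.0 0.0.0.0 key *
crypto keyring location12
 pre-shared-key address 198.51.100.36 key *
"""

def parse_keyrings(text):
    """Return [(keyring_name, network)] in configuration order.
    A bare address implies a host (/32) mask; 'addr mask' is a subnet mask."""
    rings, current = [], None
    for line in text.splitlines():
        m = re.match(r"crypto keyring (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*pre-shared-key address (\S+)(?: (\S+))? key", line)
        if m and current:
            addr, mask = m.group(1), m.group(2) or "255.255.255.255"
            rings.append((current, ipaddress.ip_network(f"{addr}/{mask}", strict=False)))
    return rings

def lookup(rings, peer):
    """First match in configured order wins, as the ISAKMP debug shows."""
    ip = ipaddress.ip_address(peer)
    for name, net in rings:
        if ip in net:
            return name
    return None

def shadowed_entries(rings):
    """Keyrings that can never be chosen: an earlier keyring covers them."""
    found = []
    for i, (name, net) in enumerate(rings):
        for earlier_name, earlier_net in rings[:i]:
            if net.subnet_of(earlier_net):
                found.append((name, earlier_name))
                break
    return found

def wildcards_last(rings):
    """Reorder so catch-all (prefix length 0) keyrings are searched last."""
    specific = [r for r in rings if r[1].prefixlen != 0]
    catch_all = [r for r in rings if r[1].prefixlen == 0]
    return specific + catch_all
```

Run against the constructed fragment, `lookup` returns location10 for the 198.51.100.36 peer and `shadowed_entries` reports location12 as hidden behind location10; after `wildcards_last`, the same lookup returns location12.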