L2L between pix and vpn concentrator 3000 doesn't initiate

Unanswered Question
Feb 11th, 2010

Hi everyone,

On my pix, I have 2 tunnels which has been already set up.

I'm currently trying to create a third one between a PIX 515 and a VPN Concentrator 3000.

I used the ASDM Site-to-Site Wizard to create the tunnel. But when I applied the changes, nothing's happened. On the VPN Concentrator 3000's side, the tunnel was enabled (the checkbox Enabled is enable).

The pix didn't start initiating the tunnel. I had to restart the pix manually and then, it tried to create the tunnel. Each time I changed something about the configuration of this tunnel, i had to reload the pix configuration. 

I know that we have these command:

clear crypto isakmp

clear crypto ipsec

and I tried also to disable the crypto map on the outside interface and then enabled it again, thanks to these command:

no crypto map outside_map interface outside

crypto map outside_map interface outside

But nothing happened. Nothing appeared in the log. 

So my question is the following: Are there other commands which can help me to apply changes I brought to a tunnel configuration (without restarting manually)? Or to force the pix to initiate the tunnel with the new settings?

Thanks in advance for your help.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Diego Armando C... Thu, 02/11/2010 - 12:45

In a Pix you don have to apply changes like in an IPS.

As soon as you configure everything and you apply de crypto map on the interfaces traffic should be allow to pass. Send us the config and we will tell u if something is wrong.

johnd2310 Thu, 02/11/2010 - 15:56

Hi,

When you create the tunnels, try to generate some traffic between the two networks and then check your crypto isakmp and crypto ipsec sa. You can also enable debug crypto isakmp and debug crypto ipsec on the pix.

Thanks

John

jamirokoi Sat, 02/13/2010 - 11:19

Hi,

Sorry for the delay and thanks diegocambronero and john for having replied to my post.

I've just tested what you've said. And I was indeed able to make the pix to initiate the tunnel by generating traffic. As soon as it detected that there is a traffic for the remote network, i tried to bring up the tunnel. I enabled debug crypto ipsec sa and debug crypto isakmp. And I saw that i had an issue with the ipsec transform set.

No it's fixed. Thanks a lot

Actions

This Discussion

Related Content