New Member

IPSEC tunnel issue on Pix 7x and ASA 7.2(2) ver

Hi,

I have been facing an IPsec VPN tunnel issue on upgrading my PIX 535 from 6.3(5) to 7x. I have 20-odd site-to-site VPN tunnels configured on my PIX. The problem is that all of a sudden data stops transferring through the tunnel. If I check the status of the IPsec VPN tunnel by

sh crypto isakmp sa

sh crypto ipsec sa

sh crypto isakmp detail

it shows me up and connected. Cisco recommended checking with an ASA. I got an ASA 5520 installed with ver 7.2(2). I observed the same problem 3 times in 1 week. Has anybody else observed the same issue? Need a solution.

Thanks in advance

regards

Sachin Verma
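
The symptom described in this post (SAs reported as up while data has stopped) can be checked by comparing the packet counters from two `sh crypto ipsec sa` captures taken a few minutes apart. The script below is an added example, not part of the original post or any reply; it assumes ASA-style `current_peer:` and `#pkts encaps:` / `#pkts decaps:` lines, and the two snapshots are constructed sample data.

```python
import re

PEER = re.compile(r"current_peer:\s*([\d.]+)")
COUNTER = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")

def parse_ipsec_sa(text):
    """Return {peer: {'encaps': n, 'decaps': n}}, summed over the peer's SAs."""
    stats, peer = {}, None
    for line in text.splitlines():
        m = PEER.search(line)
        if m:
            peer = m.group(1)
            stats.setdefault(peer, {"encaps": 0, "decaps": 0})
            continue
        if peer:
            for name, value in COUNTER.findall(line):
                stats[peer][name] += int(value)
    return stats

def stalled_peers(before, after):
    """Flag peers that have an SA in both snapshots but whose counters stalled."""
    old, new, flagged = parse_ipsec_sa(before), parse_ipsec_sa(after), {}
    for peer in sorted(old.keys() & new.keys()):
        sent = new[peer]["encaps"] - old[peer]["encaps"]
        rcvd = new[peer]["decaps"] - old[peer]["decaps"]
        if sent < 0 or rcvd < 0:
            continue  # counters went backwards: SA was rebuilt between snapshots
        if sent > 0 and rcvd == 0:
            flagged[peer] = "one-way"   # encrypting, nothing coming back
        elif sent == 0 and rcvd == 0:
            flagged[peer] = "idle"      # SA present, no traffic either way
    return flagged

# Constructed sample data (documentation addresses), trimmed to the parsed lines.
ENTRY = ("      current_peer: {0}\n"
         "      #pkts encaps: {1}, #pkts encrypt: {1}, #pkts digest: {1}\n"
         "      #pkts decaps: {2}, #pkts decrypt: {2}, #pkts verify: {2}\n")

def snapshot(rows):
    return "".join(ENTRY.format(*row) for row in rows)

BEFORE = snapshot([("198.51.100.10", 1500, 1400), ("203.0.113.20", 800, 790),
                   ("192.0.2.77", 64, 60)])
AFTER = snapshot([("198.51.100.10", 1620, 1400), ("203.0.113.20", 950, 930),
                  ("192.0.2.77", 64, 60)])

if __name__ == "__main__":
    for peer, state in stalled_peers(BEFORE, AFTER).items():
        print(peer, state)
```

A peer flagged "one-way" while its SA still shows as up matches the behaviour described here; "idle" may simply mean no interesting traffic was sent during the interval.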

6 REPLIES
Silver

Re: IPSEC tunnel issue on Pix 7x and ASA 7.2(2) ver

Check whether you have these commands in the PIX config after the upgrade; if not, add them manually:

tunnel-group group1 type ipsec-ra

tunnel-group group1 general-attributes

address-pool pool1

tunnel-group group1 ipsec-attributes

pre-shared-key mypassword

The following links may help you:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml

http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html

New Member

Re: IPSEC tunnel issue on Pix 7x and ASA 7.2(2) ver

I had a similar problem with a PIX 501 6.3(5) doing Easy VPN to an ASA 5520 7.1 active/passive HA. Periodically several sites would stop communicating.

TAC was unable to give an answer for many months. They finally suggested we move to 7.2(19) at least until 8.x has been in the field long enough to make sure it's stable.

We upgraded to 7.2.19 on a single non-HA 5510. No more problems. We have also converted most sites to site2site VPN. We have not yet moved back to the 5520 HA pair but will try that in the future.

New Member

Re: IPSEC tunnel issue on Pix 7x and ASA 7.2(2) ver

Hi

I'm having the same problem here.

Went from 6.3(5) to 7.22 and am having major issues with my old VPN tunnels.

This is very strange, since I did the exact same thing with my other PIX firewall 1 month ago and it worked very well...

I have compared the configs and there's nothing wrong with them... Some tunnels just keep dying on me.

Have to downgrade tonight, I'd guess. Thought about going up to the PIX 8.x release to see if the problem still exists or not.

New Member

Re: IPSEC tunnel issue on Pix 7x and ASA 7.2(2) ver

I had the same issues when going from 506e 6.3(5) to ASA 7.2(2). The config was the same and I spent several days with an open TAC request. The tech asked me to enter:

sysopt connection permit-ipsec

and that did it; they all started talking. I have no idea why it didn't stick when I entered it the first time, and it doesn't show in a sh run, but it got all the connections working.

New Member

Re: IPSEC tunnel issue on Pix 7x and ASA 7.2(2) ver

Hi,

Did your tunnels stop passing traffic intermittently after upgrading to ASA 7.2(2), or were they dying after the upgrade? How long have your tunnels been up since issuing the command

sysopt connection permit-ipsec

regards

Sachin Verma

New Member

Re: IPSEC tunnel issue on Pix 7x and ASA 7.2(2) ver

They are still up. Some tunnels were intermittently up, and one of the 15 was up all the time. I have noticed that they can grow stale and I believe there is a command to fix that as well; I just don't remember what it is.
