Hi, have a strange one on the PIXes and VPN site-to-site:
Pix515e (v7.0(5)) is the hub and Pix 506e is the branch. Can set up and initialize a VPN tunnel between them, IKE and IPsec work, policies are the same including lifetimes, and users can send data in the l2l tunnel. However, after a length of time (seems random but always greater than 2 hrs) the VPN session dies and will not re-initialize even though "interesting" traffic is triggering the connection. An error message of "unable to remove PeerTbleEntry" appears. I then have to manually change the SA lifetime on both Pixes and the VPN comes back up. I do not know what is going on or why I need to manually change the SA. If I leave the Pixes for about 2 hrs the VPN tunnel re-establishes on its own; however, that is 2 hrs of downtime. I set up a PING -t to see if the tunnel would remain open, and after a length of time (random but more than 2 hrs) the VPN tunnel crashes again. Bandwidth utilization/memory/CPU is low, so no buffer worries. I remote to the Pix 506e and Pix 515 outside the VPN and those SSH connections do not crash.
Think I solved the problem. Out of despair I decided to change the transform-sets. Confirmed that both sides were exactly the same first. I changed from MD5 to SHA... and the VPN has remained stable for 12 hrs now. But I don't understand why this is so? I plan on changing back to MD5 on the weekend to see if the original problem can be replicated.
In the meantime, does anyone know why a change from MD5 to SHA would potentially "stabilize" a VPN tunnel?
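The poster says both sides were confirmed identical before the transform-set change. As an added example that is not part of the thread, the script below does that parity check mechanically: it parses the IKE policy, transform-set and crypto-map SA lifetime from two PIX-style configuration snippets (one in the PIX 7.x block form used on the 515E, one in the PIX 6.x one-line form used on the 506E) and reports any attribute that differs. The configurations, peer addresses and the mismatched branch lifetime are constructed for the example; the default SA lifetime of 28800 seconds is the PIX default assumed when a side does not set one explicitly. It does not explain the MD5/SHA behaviour asked about above; it only shows how to verify the "both sides are the same" precondition before changing anything.

```python
import re

# Constructed sample configs (not from the thread). Hub: PIX 7.x block syntax.
HUB_CFG = """
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 10 match address l2l_acl
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 10 set security-association lifetime seconds 28800
"""

# Branch: PIX 6.x one-line syntax. The SA lifetime is deliberately different.
BRANCH_CFG = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address l2l_acl
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 10 set security-association lifetime seconds 3600
"""

ISAKMP_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")
DEFAULT_SA_LIFETIME = 28800  # assumed PIX default when no explicit lifetime is set


def parse_isakmp(cfg):
    """Return {policy_number: {attr: value}}; handles both the one-line
    ('isakmp policy 10 hash md5') and block ('crypto isakmp policy 10' + indented
    attribute lines) forms."""
    policies, current = {}, None
    for line in cfg.splitlines():
        line = line.rstrip()
        m = re.match(r"^(?:crypto )?isakmp policy (\d+)(?:\s+(\S+)\s+(\S+))?$", line)
        if m:
            num = int(m.group(1))
            policies.setdefault(num, {})
            if m.group(2):                      # one-line form
                policies[num][m.group(2)] = m.group(3)
                current = None
            else:                               # block form: attributes follow
                current = num
            continue
        m = re.match(r"^\s+(\S+)\s+(\S+)$", line)
        if m and current is not None and m.group(1) in ISAKMP_ATTRS:
            policies[current][m.group(1)] = m.group(2)
        elif line and not line.startswith(" "):
            current = None                      # left the policy block
    return policies


def parse_transform_sets(cfg):
    """Return {set_name: (transform, ...)}."""
    sets = {}
    for line in cfg.splitlines():
        m = re.match(r"^crypto ipsec transform-set (\S+)\s+(.+)$", line.strip())
        if m:
            sets[m.group(1)] = tuple(m.group(2).split())
    return sets


def parse_crypto_map(cfg):
    """Return {(map_name, seq): {'transform-set': [...], 'sa_lifetime_seconds': int}}."""
    entries = {}
    for line in cfg.splitlines():
        m = re.match(r"^crypto map (\S+) (\d+) set (.+)$", line.strip())
        if not m:
            continue
        entry = entries.setdefault((m.group(1), int(m.group(2))), {})
        rest = m.group(3).split()
        if rest[0] == "transform-set":
            entry["transform-set"] = rest[1:]
        elif rest[:3] == ["security-association", "lifetime", "seconds"]:
            entry["sa_lifetime_seconds"] = int(rest[3])
    return entries


def compare_sides(hub_cfg, branch_cfg):
    """Return a list of mismatch descriptions; an empty list means parity."""
    findings = []
    hub_p, br_p = parse_isakmp(hub_cfg), parse_isakmp(branch_cfg)
    for num in sorted(set(hub_p) | set(br_p)):
        h, b = hub_p.get(num, {}), br_p.get(num, {})
        for attr in ISAKMP_ATTRS:
            if h.get(attr) != b.get(attr):
                findings.append(f"isakmp policy {num} {attr}: hub={h.get(attr)} branch={b.get(attr)}")
    hub_ts, br_ts = parse_transform_sets(hub_cfg), parse_transform_sets(branch_cfg)
    hub_cm, br_cm = parse_crypto_map(hub_cfg), parse_crypto_map(branch_cfg)
    for key in sorted(set(hub_cm) | set(br_cm)):
        h, b = hub_cm.get(key, {}), br_cm.get(key, {})
        # Compare the transforms the map actually selects, resolved by set name
        h_tr = [hub_ts.get(n) for n in h.get("transform-set", [])]
        b_tr = [br_ts.get(n) for n in b.get("transform-set", [])]
        if h_tr != b_tr:
            findings.append(f"crypto map {key[0]} {key[1]} transforms: hub={h_tr} branch={b_tr}")
        h_lt = h.get("sa_lifetime_seconds", DEFAULT_SA_LIFETIME)
        b_lt = b.get("sa_lifetime_seconds", DEFAULT_SA_LIFETIME)
        if h_lt != b_lt:
            findings.append(f"crypto map {key[0]} {key[1]} SA lifetime: hub={h_lt} branch={b_lt}")
    return findings


if __name__ == "__main__":
    for finding in compare_sides(HUB_CFG, BRANCH_CFG):
        print("MISMATCH:", finding)
```

Run against the two constructed snippets it reports only the SA lifetime difference; feed it the output of `show running-config` from each side to check a real pair. Peer addresses are intentionally not compared, since each end legitimately points at the other.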