
Crypto map commands lock-up PIX 525

admin_2
Level 3

Does anyone know why my PIX 525 locks up when I apply my crypto map command one line at a time? I apply the following ACL first. But when I attempt to apply the first crypto map line my PIX locks and I have to reboot it. Any help would be greatly appreciated.

access-list XXXXXtunnel permit ip xx.xx.0.0 255.192.0.0 xx.xx.18.0 255.255.255.0

access-list nonat permit ip xx.xx.0.0 xx.xx.0.0 xx.xx.xx.0 255.255.255.0

access-list acl-inside permit ip xx.xx.0.0 xx.xx.0.0 xx.xx.xx.0 xx.xx.xx.0

crypto map xxx_map 157 ipsec-isakmp

crypto map xxx_map 157 match address xxx-tunnel

crypto map xxx_map 157 set peer xx.4.xx.xx

crypto map xxx_map 157 set transform-set xxx_set

1 Accepted Solution


r.bishop
Level 1

Hi,

I have come across this problem when there are other entries already existing under the same crypto map and are already applied to an interface.

I found that by negating the crypto map interface command first, modifying the config and then re-applying the interface command this would work fine.

So ...

(1) no crypto map xxx_map interface outside

(2) apply crypto map config lines

(3) crypto map xxx_map interface outside

Of course you will lose existing tunnels if some are already configured, but then this happens if you reboot anyway!

Hope it helps

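A pre-check for the procedure in the accepted answer, as an added example that is not part of the original thread: it rejects a change set whose crypto map entry lacks any of the settings shown in the question or references an undefined access-list, then wraps the lines in the unbind and re-bind commands from steps (1) and (3). The configs, names and addresses are constructed, `plan_change` is a hypothetical helper, and treating those three settings as "complete" is an assumption of this example.

```python
import re

# Constructed running config (not from the thread): one tunnel already bound to "outside".
RUNNING = """\
access-list branch-a permit ip 10.0.0.0 255.255.0.0 10.9.1.0 255.255.255.0
crypto map demo_map 10 ipsec-isakmp
crypto map demo_map 10 match address branch-a
crypto map demo_map 10 set peer 192.0.2.10
crypto map demo_map 10 set transform-set demo_set
crypto map demo_map interface outside
"""
# Constructed change set: a second sequence entry for the same map.
CHANGE = """\
access-list branch-b permit ip 10.0.0.0 255.255.0.0 10.9.2.0 255.255.255.0
crypto map demo_map 20 ipsec-isakmp
crypto map demo_map 20 match address branch-b
crypto map demo_map 20 set peer 192.0.2.20
crypto map demo_map 20 set transform-set demo_set
"""
# Assumption: an entry counts as complete when it carries the settings shown in the question.
REQUIRED = ("match address", "set peer", "set transform-set")

def plan_change(running, change):
    """Return (commands, problems); commands is empty when the change is rejected."""
    lines = [ln.strip() for ln in change.splitlines() if ln.strip()]
    acls = set(re.findall(r"^access-list (\S+) ", running + "\n" + change, re.M))
    entries = {}  # (map name, sequence) -> settings present in the change set
    for ln in lines:
        m = re.match(r"crypto map (\S+) (\d+) (.+)", ln)
        if m:
            entries.setdefault((m[1], m[2]), []).append(m[3])
    problems = []
    for (name, seq), settings in entries.items():
        for req in REQUIRED:
            if not any(s.startswith(req) for s in settings):
                problems.append(f"{name} {seq}: missing '{req}'")
        for s in settings:
            if s.startswith("match address ") and s.split()[2] not in acls:
                problems.append(f"{name} {seq}: access-list {s.split()[2]} not defined")
    if problems:
        return [], problems
    # Steps (1) and (3): unbind every touched map that is applied to an interface, re-bind after.
    touched = {name for name, _ in entries}
    bound = [(n, i) for n, i in re.findall(r"^crypto map (\S+) interface (\S+)", running, re.M)
             if n in touched]
    unbind = [f"no crypto map {n} interface {i}" for n, i in bound]
    rebind = [f"crypto map {n} interface {i}" for n, i in bound]
    return unbind + lines + rebind, []
```

Calling `plan_change(RUNNING, CHANGE)` returns the seven commands in the order to paste them; as the answer notes, existing tunnels on that map drop while it is unbound, so the output belongs in a maintenance window.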

5 Replies

mostiguy
Level 6

Are you sure your access list is not wrong, and blocking traffic?

Not applicable

The access-list is correct... No problems... I was told if you try to add crypto map lines one at a time the PIX sees that as an incomplete crypto map and secures the PIX by locking down the outside interface.

Not applicable

Awesome...That worked perfectly...Thanks

I've just managed to lock up our 525's doing exactly the same! The failover didn't work either, I had to drive to site and reboot both PIXes.

I should have checked this forum first....

Thanks for the fix.
