I have a site-to-site tunnel configured between my PIX515e and a Nortel Contivity 1010 (I don't manage this device).
The tunnel has been up and running for about 9 months now. It seems that after a few weeks the tunnel will stop working (i.e., users on one side can't reach a host on the other side). If I issue the SHOW ISAKMP SA command at the PIX, it will show STATE=QM_IDLE, PENDING=0, CREATED=141 (or some other large number of created SAs). Every other site-to-site tunnel that I have will show no more than 2 or 3 SAs created. For what it is worth, there is usually very little traffic going over this tunnel (1 or 2 users on each side).
If I enter the command CLEAR CRYPTO ISAKMP SA, the SAs are dropped, the SA count reset to zero, and the tunnel starts working again.
Any ideas what the high SA count means and if/why this would prevent my tunnel from working?
Check whether there is any mismatch in the SA lifetimes on both sites.
The Phase 1 (IKE) lifetime on a PIX firewall is 86400 seconds (24 hours). The Phase 2 (IPSec) lifetime on the PIX is 3600 seconds (1 hour).
When a tunnel is initialized an SA (Security Association) is created for each Phase (1 & 2) and the timers start counting down. At the end of an hour the PIX will delete its Phase 2 SA unless the tunnel is active. If the tunnel is active when the 1 hour timer expires, then a new SA will be negotiated between the PIX and the other IPSec peer.
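A monitoring check for the symptom described in this thread (one peer accumulating a runaway CREATED count while healthy tunnels sit at 2 or 3), written as an added example rather than anything posted in the thread. The sample output is constructed to resemble the PIX 6.x `show isakmp sa` table layout, which is an assumption; adjust the regex if your image prints the columns differently.

```python
import re
from dataclasses import dataclass
from statistics import median

# Constructed sample of "show isakmp sa" output (not taken from the post).
SAMPLE_SHOW_ISAKMP_SA = """\
Total     : 3
Embryonic : 0
        dst               src        state     pending     created
   203.0.113.10     198.51.100.1     QM_IDLE         0         141
   203.0.113.20     198.51.100.1     QM_IDLE         0           2
   203.0.113.30     198.51.100.1     QM_IDLE         0           3
"""

@dataclass
class IsakmpSa:
    dst: str
    src: str
    state: str
    pending: int
    created: int

# One SA row: dst, src, state, then two integer columns (pending, created).
# The header and "Total"/"Embryonic" lines do not match because their last
# two fields are not digits.
_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")

def parse_isakmp_sa(text: str) -> list[IsakmpSa]:
    """Parse the peer rows of 'show isakmp sa' into IsakmpSa records."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            dst, src, state, pending, created = m.groups()
            rows.append(IsakmpSa(dst, src, state, int(pending), int(created)))
    return rows

def flag_runaway_peers(sas: list[IsakmpSa], abs_limit: int = 10,
                       ratio: float = 5.0) -> list[IsakmpSa]:
    """Return peers whose CREATED count is both above an absolute limit and
    far above the median of all peers, i.e. the tunnel that keeps renegotiating
    Phase 1 while its neighbours stay at a handful of SAs."""
    if not sas:
        return []
    baseline = median(sa.created for sa in sas)
    return [sa for sa in sas
            if sa.created > abs_limit and sa.created > ratio * baseline]

if __name__ == "__main__":
    for sa in flag_runaway_peers(parse_isakmp_sa(SAMPLE_SHOW_ISAKMP_SA)):
        print(f"peer {sa.dst}: state={sa.state} created={sa.created} "
              f"(check SA lifetimes on both sides)")
```

Run it against the saved output of `show isakmp sa` from a scheduled job; a peer that trips the check before users report an outage is the cue to compare Phase 1/Phase 2 lifetimes with the remote administrator rather than to keep clearing the SAs by hand.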