Having a problem using HSRP for IPSEC in a router to PIX set up.
Our two routers (3640 and 3725) run code that supports HSRP with IPSec.
We have two crypto maps configured. One for a router to PIX set up and one for a router to router set up. We are using pre-shared keys and ISAKMP keepalives on the PIX.
Both set ups work fine but then the router to PIX set up fails. When we ping from our end (router) the SAs will not come up. The only way to bring it back up is to ping from the remote end (PIX). Once this is done SAs immediately come back up and we can ping from both ends.
During this time the router to router set up never fails to work.
Wondering if this is a known issue for PIX. Anyone ever seen this before?
Don't know of any issues; we'd need to see the debugs on the PIX when the tunnel is initiated from the router end to see what the problem is. Usually issues where a tunnel can only be built in one direction are to do with the crypto ACLs not being the exact opposite of each other, or with your Phase 1/2 timers not matching (especially Phase 1).
Keep in mind that with Phase 1, the router and PIX will only accept the initialization if the peer's policy is shorter than or equal to its own, so if they don't match, you're only going to be able to build the tunnel in one direction (which is what you're seeing).
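A check for the two mismatches the reply names (crypto ACLs that are not mirror images, and differing Phase 1 lifetimes), as an added example that is not part of the original thread. The config snippets, addresses and function names are constructed for illustration, and only plain `permit ip <net> <mask> <net> <mask>` entries are handled.

```python
import ipaddress
import re

# Constructed sample configs (not from the thread); addresses are placeholders.
ROUTER_CFG = """\
crypto isakmp policy 10
 lifetime 86400
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
"""
PIX_CFG = """\
isakmp policy 10 lifetime 28800
access-list 101 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
"""

ACL_RE = re.compile(r"access-list \S+ permit ip (\S+) (\S+) (\S+) (\S+)")
LIFE_RE = re.compile(r"\blifetime (\d+)")


def _net(addr, mask, wildcard):
    # IOS crypto ACLs use wildcard masks, PIX uses netmasks; normalise both.
    if wildcard:
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}")


def crypto_acl(cfg, wildcard):
    """Return the set of (source, destination) networks in the crypto ACL."""
    return {(_net(s, sm, wildcard), _net(d, dm, wildcard))
            for s, sm, d, dm in ACL_RE.findall(cfg)}


def compare(router_cfg, pix_cfg):
    """List mismatches between the router side and the PIX side."""
    problems = []
    router = crypto_acl(router_cfg, wildcard=True)
    pix_mirrored = {(d, s) for s, d in crypto_acl(pix_cfg, wildcard=False)}
    for src, dst in sorted(router - pix_mirrored):
        problems.append(f"router entry {src} -> {dst} has no mirror on PIX")
    for src, dst in sorted(pix_mirrored - router):
        problems.append(f"PIX entry {dst} -> {src} has no mirror on router")
    r_life, p_life = (int(LIFE_RE.search(c).group(1)) for c in (router_cfg, pix_cfg))
    if r_life != p_life:
        problems.append(f"Phase 1 lifetime differs: router {r_life}s, PIX {p_life}s")
    return problems


if __name__ == "__main__":
    print("\n".join(compare(ROUTER_CFG, PIX_CFG)) or "no mismatches found")
```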