IPsec is restored only when I restart my PIX

o.alassaf · ‎12-04-2006

I have configured L2L IPsec vpn between two sites, it worked well for the day, but in the afternoon the user called and complained of losing connection. I had to check the FW on-site, I lost the connection! the connection is based on fixed IPs. I tried all what I know, it didn't come back, I restarted the pix on one site, and the IPsec is back. it happened again.

515E with 6.3 to 525E with 7.21, I reloaded the 515e

Any idea whats the problem?

a.kiprawih · ‎12-05-2006

Is this problem happened all the time? Otherwise, it maybe due to issue like link problem on PIX515E site during that time, PIX's software/operation issue, syslog server unreachable and so on.

Hard to say without seeing the log. Any clue/log on PIX525 end?

AK

o.alassaf · ‎12-05-2006

Hello Amrih,

The connection works well for few hours, then the runnel is no more there, it is only the VPN since the Internet is still accessable. The syslog from the 525E reports

Error: Unable to remove PeerTblEntry

after reloading/restarting the 515E, the VPN is up again.

zubairjalal · ‎12-05-2006

Instead of restarting the pix, try doing a clear crypto isakmp sa.

Also, i have faced the same problem with 6.3.4 and upgrading the 6.3.5 resolved my problem. Cisco does not list this as a bug in 6.3.4

o.alassaf · ‎12-05-2006

Thank you Zubair, I will upgrade the OS to 6.3.5 and see if this will solve the problem.

flopez · ‎01-10-2007

I had a similar issue before and upgraded the IOS, it did not help. I later found out that my ISAKMP policy did not match in the DH category. Take a look at your ISAKMP and CRYPTO maps, and make sure they match. If not, you can ZERORISE your RSA and regenerate them

CA GENERATE RSA KEY XXX

CA SAVE ALL

o.alassaf · ‎01-11-2007

In fact I had to rebuild the whole vpn from scratch, and I also solved a problem with the ISP ADSL router. it has been few weeks where the connection is very stable.