I am working on a network that has about 25 remote locations, each terminating with a LAN-to-LAN IPsec tunnel. The corporate office has the 3005 with a T1, and the remote branch offices have PIX 501s with a basic IPsec config and only one peer, which is the 3005. When I come in in the morning and log into the web admin interface of the 3005 and look at LAN-to-LAN sessions, I usually only see around 6 or 7 and have to ping the others to get them to come up. Sometimes pinging the other side does not bring up the SA for that given peer, and sometimes it does. I was wondering: 1) is there a way to log into the remote PIX after I have SSH enabled and, from the PIX, try to get the peer to establish, instead of having to call users up at the remote locations? Also, I am looking at the following command, which is supposed to increase the time the SA stays up before renegotiating. I have never had to use this in the past, but I was going to apply it to the remote crypto maps to see if it helps. Has anyone else had to use it?
crypto map mymap 10 set security-association lifetime seconds 40000
It is static. The outside public interface of the 3005 and the outside interfaces of the PIX 501s are always available; that's what I don't understand. I have been monitoring the outside interfaces to see if they bounce up or down, and they haven't. I could understand it if they were, but they're not. The issue is that when I look on the concentrator at the LAN-to-LAN sessions, there may only be 10 or so LAN-to-LAN sessions up at a given time. I first check if the remote side's IPsec peer is up, which is the outside interface of the PIX, and it always is. Then I ping the remote side's LAN subnet, which is defined as the interesting traffic, and it doesn't come up. Then I call someone up from the other side and have them ping over to me, and it doesn't come up. So sometimes it does and sometimes it doesn't, and we have to reboot the remote PIX. If there is no statement on the remote PIX allowing ICMP in, when the tunnel is up and running should I be able to ping the remote side through the tunnel?
That's what I was thinking, Arul, that possibly there is an overlapping address space that is causing some issues here. The corporate site where the 3005 concentrator is does not have a router behind it, so all the internal users point to a Novell BorderManager packet filter box for their default gateway. Then there are static routes in the BorderManager router that point to the remote sites' private address space, and its gateway points to the internal interface of the VPN gateway. All address space is class A 10.x.x.x /24 something at the corp and remotes. After working on an issue with users who were dialing up with software VPN clients on laptops and terminating on the 3005, who were being given a 10.x.x.x /24 something from the 3005, both phase 1 and phase 2 were completing but they could not connect to internal servers behind the 3005 concentrator. So I changed the address space to a 192.168.x.x /24 something and now all the dial-ups are working, so I am thinking that the LAN-to-LAN tunnels may be having the same issue. I have set up many VPNs in different combinations and have not seen the issue where the tunnels would come up intermittently. Like I said before, one morning you can come into the office, sit down and look, and there will be 7 sessions active for LAN-to-LAN on the 3005; then when you ping a remote site that is not up and should be up, sometimes it comes up and sometimes it doesn't..... who knows.
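The overlapping-address hypothesis in the post above can be checked mechanically rather than by rebooting PIXes. The script below is an added example, not code from the thread or from Cisco; the subnets in it are constructed placeholders standing in for the corporate LAN, the branch LANs and the software-client address pool. It uses the standard ipaddress module to report every pair of destination subnets (the "interesting traffic" of each LAN-to-LAN crypto map plus the client pool) that overlap, which is exactly the condition that makes one destination match more than one tunnel or the client pool.

```python
import ipaddress

# Constructed sample topology (assumed, not taken from the post). In practice
# these come from the 3005 LAN-to-LAN entries, the PIX crypto ACLs and the
# client address pool on the concentrator.
CORP_LAN = "10.1.1.0/24"
REMOTE_LANS = {
    "branch-a": "10.1.2.0/24",
    "branch-b": "10.1.3.0/24",
    "branch-c": "10.1.1.0/24",   # deliberately duplicates the corp subnet
}
CLIENT_POOL_OLD = "10.1.2.0/24"    # a 10.x pool like the one that broke the dial-ups
CLIENT_POOL_NEW = "192.168.50.0/24"  # the 192.168.x.x pool that fixed them


def find_overlaps(networks):
    """Return a sorted list of (name_a, name_b) pairs whose prefixes overlap.

    `networks` maps a label to a CIDR string. Any overlap between two tunnel
    destination subnets, or between a subnet and the client pool, means the
    same address range is claimed twice: traffic for it can be routed to the
    wrong peer or to the local pool and never match the crypto map that would
    trigger SA establishment.
    """
    parsed = {name: ipaddress.ip_network(cidr, strict=True)
              for name, cidr in networks.items()}
    names = sorted(parsed)
    conflicts = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                conflicts.append((a, b))
    return conflicts


def check_plan(client_pool):
    """Check corp LAN, all remote LANs and a given client pool together."""
    nets = {"corp": CORP_LAN, **REMOTE_LANS, "client-pool": client_pool}
    return find_overlaps(nets)


if __name__ == "__main__":
    for label, pool in (("old 10.x pool", CLIENT_POOL_OLD),
                        ("new 192.168 pool", CLIENT_POOL_NEW)):
        print(f"{label}: {check_plan(pool) or 'no overlaps'}")
```

With the constructed data the old pool collides with branch-a, and branch-c collides with corp under either pool; the second conflict is the kind that would explain a LAN-to-LAN tunnel that only sometimes comes up, since the BorderManager static route and the concentrator's own LAN claim the same prefix. Feeding the script the real prefixes from all 25 crypto maps gives a definitive answer in seconds.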
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...