I ran across an interesting problem. A PIX 520 stopped passing all traffic. It was in a failover config, but did not fail over. The primary was taken offline to force the secondary to take over. The secondary also did not pass any traffic out the outside interface (including internally generated pings). Looking at the log, we noticed that it was reporting that it was dropping all packets because they were not "encrypted". That morning, some VPNs were added to the PIX (running version 6.2). Removing the new VPN definitions resolved the issue and traffic passed again.
Reviewing the config, I noticed in the definition of one VPN, the "Match address acl" command was left out. I understand that the PIX checks NAT acls first and then crypto map acls second, but why would this cause all traffic to stop? Does leaving this out cause the pix to see all addresses as "interesting traffic" and therefore require encryption on all traffic?
I am sorry if my question was confusing. What I was wondering was: since the "Match Address ACL" was not in the config for this VPN definition, would the PIX assume all IP addresses it sees must be "interesting traffic" and therefore require ALL traffic to be encrypted? When troubleshooting this problem with pings being generated from a workstation we put on the external net, the log showed a ping was received, but was dropped because the packet was not encrypted.
An example of what is normally seen follows:
access-list confusion-acl permit ip 10.10.10.0 255.255.255.0 host 192.168.30.5
crypto map conf 10 ipsec-isakmp
crypto map conf 10 Match address confusion-acl
The "crypto map conf 10 Match address confusion-acl" line was missing from the config. We resolved the issue by brute force by removing all three new VPN definitions from the config, since I did not have a copy of the config to review initially. Hope this clears up my question: if a VPN is defined on the PIX and all required config lines are present EXCEPT the "crypto map ABC X Match Address Example-acl", what would be the behavior of the PIX and why?
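The omission the post describes (a crypto map entry with no "match address" line, or one that names an ACL that was never defined) is easy to catch before a config is pushed. The following is an added example, not code from the original post or from Cisco: a small Python lint that parses PIX/ASA-style "crypto map" and "access-list" lines and reports entries that lack a match-address ACL or reference an undefined one. The sample config is constructed for the example; the map name "conf", the peer addresses and the transform-set name are assumptions.

```python
"""Lint a PIX/ASA-style config for crypto map entries without 'match address'.

Added example (not the PIX's own logic): flags ipsec-isakmp / ipsec-manual
entries that have no 'match address <acl>' line, and entries whose ACL is
never defined by an 'access-list' line.
"""
import re

# Constructed sample modelled on the post: 'conf 10' is complete,
# 'conf 20' is missing its match address line, 'conf 30' names an ACL
# that is not defined anywhere in the config.
SAMPLE_CONFIG = """
access-list confusion-acl permit ip 10.10.10.0 255.255.255.0 host 192.168.30.5
crypto map conf 10 ipsec-isakmp
crypto map conf 10 match address confusion-acl
crypto map conf 10 set peer 203.0.113.10
crypto map conf 10 set transform-set strong
crypto map conf 20 ipsec-isakmp
crypto map conf 20 set peer 203.0.113.20
crypto map conf 20 set transform-set strong
crypto map conf 30 ipsec-isakmp
crypto map conf 30 match address missing-acl
crypto map conf 30 set peer 203.0.113.30
crypto map conf interface outside
"""

# 'crypto map <name> <seq> <rest>'; lines such as 'crypto map conf interface
# outside' have no numeric sequence and are deliberately not matched.
CRYPTO_ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$", re.IGNORECASE)
ACL_DEF = re.compile(r"^access-list (\S+) ", re.IGNORECASE)


def parse_crypto_maps(config_text):
    """Return (entries, acl_names).

    entries maps (map_name, seq) -> {'type': ..., 'acl': ..., 'peer': ...};
    acl_names is the set of ACL names defined with 'access-list'.
    """
    entries = {}
    acls = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACL_DEF.match(line)
        if m:
            acls.add(m.group(1))
            continue
        m = CRYPTO_ENTRY.match(line)
        if not m:
            continue
        key = (m.group(1), int(m.group(2)))
        entry = entries.setdefault(key, {"type": None, "acl": None, "peer": None})
        words = m.group(3).split()
        lowered = [w.lower() for w in words]
        if lowered[0] in ("ipsec-isakmp", "ipsec-manual"):
            entry["type"] = lowered[0]
        elif lowered[:2] == ["match", "address"] and len(words) >= 3:
            entry["acl"] = words[2]          # keep the ACL name's case
        elif lowered[:2] == ["set", "peer"] and len(words) >= 3:
            entry["peer"] = words[2]
    return entries, acls


def lint_crypto_maps(config_text):
    """Return a sorted list of (map_name, seq, problem) findings."""
    entries, acls = parse_crypto_maps(config_text)
    findings = []
    for (name, seq), e in sorted(entries.items()):
        if e["type"] is None:
            continue                          # stray line, not a full entry
        if e["acl"] is None:
            findings.append((name, seq, "no 'match address' ACL"))
        elif e["acl"] not in acls:
            findings.append((name, seq, f"match address ACL '{e['acl']}' is not defined"))
    return findings


if __name__ == "__main__":
    for name, seq, problem in lint_crypto_maps(SAMPLE_CONFIG):
        print(f"crypto map {name} {seq}: {problem}")
```

Run against a saved "show running-config" before applying new VPN definitions; each finding names the map entry to correct, which is quicker than removing all new entries and re-adding them one at a time as the post describes.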