I have noticed that in my site-to-site VPN configuration only one end seems to be able to bring the tunnel up. For example, pinging from the "remote" locations will work, but pinging from the central site will not get a response from a remote PC unless the tunnel has already come up.
I used the GUI to configure the site-to-site VPN on the PIXes (501 w/ 6.34). All parameters seem to be configured correctly and pretty much the same, except for the peer and local addresses. Is there a problem here?
Add (in config mode): isakmp identity address
on both sides. It would also be useful to clear the SAs; to do this, issue: clear cry isakmp sa and clear cry ipsec sa
Save with: write mem
Hope this helps.
Adding the isakmp identity address statements did not make a difference.
I noticed that at the central site "show crypto isakmp sa" showed -
This was the same at the remote site.
'sh crypto ipsec sa' on the central pix shows "complete" information with packets encrypted, etc. At the remote end the same show command shows -
crypto map tag: outside_map, local addr. 24.x.x.x
and nothing else.
From the remote end, I was unable to connect to a PC at the central site. From the central site I was able to ping a PC at the remote site. Then, the PC at the remote site was able to ping, etc. the central site.
Just a quick question.
According to the central PIX config, there are two LAN-to-LAN VPNs. Just wondering if there is any issue with the other one as well, or just the one between these two.
I just couldn't see any error.
After you implemented "isakmp identity address", did you try to re-apply all the isakmp and crypto settings?
e.g. on the central site,
no crypto map outside_map interface outside
no isakmp enable outside
crypto map outside_map interface outside
isakmp enable outside
and do the same on the remote PIX as well.
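As an added example (not configuration posted by anyone in this thread), here is the shape of a PIX 6.3 site-to-site configuration for the two peers, followed by the re-apply, clear and verify sequence suggested above. All addresses and names are constructed: 203.0.113.1/.2 are documentation-range outside addresses standing in for the real peers, 192.168.1.0/24 and 192.168.2.0/24 are the two inside networks, and "outside_map" follows the map name shown in the thread. The check a practitioner would make against a one-way-initiation symptom is that the crypto ACL, the nat 0 exemption ACL, the peer address and the pre-shared key on one side are the exact mirror image of the other side's; the thread never shows those ACLs, so this is what to look at, not a diagnosis of the poster's configuration. Lines beginning with ! are annotations.

```cisco
! ---- Central PIX (constructed: outside 203.0.113.1, inside 192.168.1.0/24) ----
! Interesting traffic: local inside -> remote inside. Must be mirrored on the peer.
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! Exempt the same traffic from NAT so the private addresses travel through the tunnel.
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
! Let decrypted IPsec traffic bypass the interface ACLs.
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 203.0.113.2
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
! Same key on both sides; the netmask pins it to this one peer.
isakmp key ******** address 203.0.113.2 netmask 255.255.255.255
! Identify this peer by its IP address (the fix proposed above), on both sides.
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

! ---- Remote PIX (constructed: outside 203.0.113.2, inside 192.168.2.0/24) ----
! Exact mirror of the central ACLs: source and destination swapped, nothing else changed.
access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 203.0.113.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 203.0.113.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

! ---- Re-apply, clear and verify (run on each PIX after changing isakmp/crypto settings) ----
no crypto map outside_map interface outside
no isakmp enable outside
crypto map outside_map interface outside
isakmp enable outside
clear crypto isakmp sa
clear crypto ipsec sa
write memory
! Then send traffic from the side that previously could not initiate and watch both phases:
show crypto isakmp sa
show crypto ipsec sa
! "show crypto ipsec sa" should list the mirrored local/remote ident pairs and non-zero
! pkts encaps/decaps on both peers; a crypto map entry with only the tag and local addr
! means no IPsec SA has been built from that side.
```

The two halves are meant to be read side by side: every address that appears as a source on the central PIX appears as a destination on the remote PIX and vice versa, while the transform set, isakmp policy and identity type are identical. If the live configs differ anywhere except those swapped addresses, that difference is the first thing to examine.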
I restarted both PIXes. I have a scheduled batch file that periodically pings from a host at the central site to a host at the remote site. This keeps the VPN up. I will see what happens when the 2nd remote site is brought online.
Thanks for your suggestions.