Cisco Support Community

New Member

PIX 501 to PIX 501 IPSec tunnel problems

I have a tunnel established between two sites. They both have a PIX 501 running version 6.2.2. Let's name the PIXes A and B. Everything works fine, but if PIX A reboots (due to a power failure, for example), then after PIX A reboots I am unable to re-establish the tunnel with traffic from PIX B, which stayed connected (and also did not lose its security associations).

I need help on this.

Thanks

Hugo

1 REPLY
Cisco Employee

Re: PIX 501 to PIX 501 IPSec tunnel problems

This is a fairly common problem, since there's nothing in the IPSec specification that allows for any sort of keepalive so that one side knows that the other side has gone down. In your case PIX B will happily keep encrypting packets and sending them to PIX A because it has no idea that PIX A rebooted and has dropped its tunnels.

For Cisco to Cisco tunnels though, we implemented a keepalive mechanism to get around this problem. Use the command:

> isakmp keepalive 30

to have the PIXes send keepalive packets every 30 seconds. They'll at least be able to detect a failure then and will bring the tunnel down gracefully; a new one can then be rebuilt when traffic starts flowing again.

See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#1027312
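The stale-SA situation and the keepalive fix described in this thread, as a toy simulation added here for illustration (not code from the post and not Cisco's implementation). The `Peer` class, the SPI values and the three-missed-keepalives threshold are all assumptions of the model.

```python
import itertools

_spi = itertools.count(0x1001)  # constructed SPI values, not real ones


class Peer:
    def __init__(self, name):
        self.name = name
        self.sa = {}      # remote peer name -> SPI of the SA held for it
        self.missed = 0   # consecutive unanswered keepalives

    def reboot(self):
        self.sa.clear()   # a power cycle loses every SA; the remote is not told


def negotiate(a, b):
    """Stand-in for an IKE exchange: both sides install one fresh SA."""
    a.sa[b.name] = b.sa[a.name] = next(_spi)


def send(src, dst):
    """Send one data packet from src to dst; return 'delivered' or 'dropped'."""
    if dst.name not in src.sa:
        negotiate(src, dst)  # no SA on the sender: traffic triggers a new tunnel
    # The receiver only accepts packets for an SA it still holds.
    ok = dst.sa.get(src.name) == src.sa[dst.name]
    return "delivered" if ok else "dropped"


def keepalive_tick(src, dst, max_missed=3):
    """One keepalive interval on src; True if src tore its stale SA down.
    max_missed is an assumed threshold for this model."""
    if dst.name not in src.sa:
        return False
    answered = dst.sa.get(src.name) == src.sa[dst.name]
    src.missed = 0 if answered else src.missed + 1
    if src.missed >= max_missed:
        del src.sa[dst.name]
        src.missed = 0
        return True
    return False


def demo(keepalive):
    a, b = Peer("A"), Peer("B")
    results = [send(b, a)]       # tunnel comes up
    a.reboot()                   # PIX A loses power, PIX B keeps its SA
    results.append(send(b, a))   # B encrypts to an SA that A no longer has
    if keepalive:
        while not keepalive_tick(b, a):
            pass                 # B keeps probing until it gives up on the SA
    results.append(send(b, a))   # the next packet after the detection window
    return results
```

Without keepalives the third packet is still sent on the dead SA; with them, PIX B has already deleted its SA, so the same packet triggers a fresh negotiation.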
