I am continuously setting up new PIXes for a site-to-site VPN. (All remote sites connect to a PIX 525 at the central site.) I'm using network management extensions and a RADIUS server. What happens is the VPN drops at a remote site and I am unable to re-establish the VPN tunnel. I've tried to clear the ISAKMP and IPsec SAs, reloading the PIX, etc. I've noticed that an ISAKMP SA remains on the PIX 525 well after the tunnel drops. I'm only able to re-establish the VPN after the SA clears out of the 525. It sometimes takes 15 minutes or longer. I can't use the "clear crypto isakmp sa" command on the 525, because I have over 20 remote sites connecting to the same endpoint. Is there any way to clear a specific SA off a PIX? I know it's possible with a 2801 router. Has anyone experienced the same issue?
I tried clearing the IPsec SA peer, but it doesn't clear the ISAKMP SA on the main PIX. The only thing I got to work was to clear the ISAKMP SA on the remote PIX and then temporarily disable the vpnclient (no vpnclient enable) on the remote PIX and re-enable it. This works... sometimes. I can't find any documentation that allows you to clear an ISAKMP SA by ID. So I'm still searching, and the problem still occurs.