I'm currently having a problem with a site-to-site VPN intermittently not passing traffic. When the problem occurs I cannot ping from the remote site to the HQ site, but I can resolve the problem by pinging from the HQ to the remote site. My network is currently set up as follows:
Pix 515 Version 7.0(4) with 4 port Ethernet card.
Outside interface connected to DSL Broadband link.
Outside2 interface connected to second DSL Broadband link.
I have 4 remote sites. 2 sites connect to each Broadband connection at the HQ to spread the load at the HQ.
Pix 501 version 6.3(5)
####### The Problem #######
All VPNs successfully establish to the HQ Pix.
Intermittently a remote site will report that they cannot connect to any servers/services in the HQ. When I do a show ipsec crypto sa and show crypto isakmp sa at the HQ there are no entries for the remote site. However, when I do the same on the remote site there is an entry for the HQ. With debugging on the remote site Pix I try to ping from a PC to the HQ server and I get the following (see below). If I do a 'clear crypto ipsec Isakmp sa' and 'clear crypto ipsec sa' on the remote site Pix I can then successfully ping all servers in the HQ.
This problem seems to have only occurred when I upgraded the Pix from a 501 to 515 and added another 2 remote sites and a second Broadband connection as described above. I am worried that this is a problem with the Pix version 7 software. Any advice would be greatly appreciated.
This seems to have resolved my problem. It has been a week since it last happened. The only command I used was
isakmp keepalive 10 2
on both the HQ site and the remote site. The only explanation I can think of is that there is some sort of bug in the version 7 software which was causing this problem. I never had this problem up until I replaced the HQ site's Pix from a 506 to a 515 with version 7 software.