Cisco Support Community
New Member

Site to Site VPN with VPN Dialer access

I have a site to site VPN between a PIX 506e and PIX 501 with VPN Dialer access to the 506E set up. Every so often (every hour or so) I have to restart the PIX 501 because it loses the connection. The ISAKMP status goes from QM_IDLE to SA_MM_SETUP. I can still ping the outside IPA of the 501, but a restart is required to bring the VPN tunnel up. I am starting to believe that I may have a faulty PIX 501. Also, when the connection is down, the devices behind the 501 no longer have access to the INET. The users behind the 501 claim it goes down when they try and send an email, which goes through the VPN tunnel to an Exchange server. Although I know that the connection has been dropped when just using Terminal Server or Remote Desktop. Any advice or info would be greatly appreciated. I can post my configs if necessary.

Thank You

Art

4 REPLIES
New Member

Re: Site to Site VPN with VPN Dialer access

Instead of powering the PIX off and on, try the following commands:

clear ipsec sa

clear isakmp sa

Wait for 30 seconds, and see if this brings the tunnel up.

You might also want to configure both peers to be initiator and responder.

HTH

Mike

Silver

Re: Site to Site VPN with VPN Dialer access

See if a crypto isakmp keepalive 30 solves your issue.

New Member

Re: Site to Site VPN with VPN Dialer access

Thank you for the advice. One note: how do I configure them both to be initiator-responder? I will also try the keepalive. I have set up a 2nd WAN location that does not hiccup at all. My main office LAN is 192.168.1.0, the 1st WAN is 192.168.20.0 and the 2nd WAN is 192.168.40.0. I am now convinced that a VPN dialer user may have the same internal IP of 192.168.20.0. Could that possibly be confusing the PIX and shutting down the VPN tunnel even though he gets a dynamic VPN IP of 10.10.10.0? I am going to try and change the WAN to 10.10.x.0 networks.

Silver

Re: Site to Site VPN with VPN Dialer access

Yes, it is a possibility, but I suggest using dedicated IP address space for the VPN clients and not to clash with your WAN IP (or any IP in your network).
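As an added example (not part of any post in this thread), the following Python check tests the address plan discussed above for overlaps between the site LANs, the VPN client pool, and a remote client's own LAN. The /24 masks, the network names and the renumbering candidates are assumptions; the thread gives only the network addresses.

```python
import ipaddress
from itertools import combinations

# Address plan taken from the thread; the /24 masks are an assumption.
PLAN = {
    "main-office-lan": "192.168.1.0/24",
    "wan-site-1": "192.168.20.0/24",
    "wan-site-2": "192.168.40.0/24",
    "vpn-client-pool": "10.10.10.0/24",
}


def find_overlaps(plan):
    """Return sorted (name_a, name_b) pairs whose networks overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    return sorted(
        (a, b)
        for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    )


def client_conflicts(plan, client_lan):
    """Names of plan networks that collide with a remote client's own LAN."""
    lan = ipaddress.ip_network(client_lan)
    return sorted(
        name for name, cidr in plan.items()
        if ipaddress.ip_network(cidr).overlaps(lan)
    )


def renumber(plan, name, new_cidr):
    """Return a copy of the plan with one network moved to new_cidr."""
    updated = dict(plan)
    updated[name] = new_cidr
    return updated


if __name__ == "__main__":
    print("internal overlaps:", find_overlaps(PLAN))
    # A dial-in user whose home LAN matches a site LAN (constructed case).
    print("client on 192.168.20.0/24 hits:",
          client_conflicts(PLAN, "192.168.20.0/24"))
    # Moving a site into 10.10.x.0 must still avoid the client pool.
    for candidate in ("10.10.10.0/24", "10.10.20.0/24"):
        print(candidate, "->",
              find_overlaps(renumber(PLAN, "wan-site-1", candidate)))
```

A renumbered site inside 10.10.x.0 is clean only if it stays clear of the 10.10.10.0 client pool, which the last loop makes visible.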
