
Traffic Problem Over VPN Tunnel

I have a problem controlling traffic over a VPN tunnel in a site-to-site topology.

When I check 'sh conn' I can see traffic between IP hosts in the VPN community, but if I type in 'clear xlate' it does not close the connections, and the flow of traffic continues. I also applied access rules in the access list and they did not take effect; again 'clear xlate' did not work, and only after 'reload' did the access-list take effect... can anyone tell me how to clear connections over the VPN?


Re: Traffic Problem Over VPN Tunnel

A couple of issues here that I see and I think you have sort of answered your own questions. The 'cl xlate' command does just that - it clears the translations built on the PIX. In your case, you want to clear the connections rather than the translations. If a connection is allowed or already built, the xlate will be built again as well. Try issuing a 'clear local-host' instead. This clears all conns and xlates.

As for the new ACE statements not taking effect: the PIX only checks the ACL when the connection is being established. Once the conn is up, the ACL check is bypassed. If you create a new ACE in an ACL that you want to take effect, you will need to tear down all existing conns in order for that ACE to be checked for new traffic. Again, a 'clear local-host' would do the trick here. The reason we do this is to keep the packets moving as quickly as possible. Checking an ACL on every packet would cause severe performance problems.

Hope this helps explain matters.
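The behaviour the reply describes (ACL consulted only at connection setup, existing conns bypassing it, and 'clear xlate' versus 'clear local-host' having different effects) can be illustrated with a small model. The following is an added example, not Cisco code and not part of the reply; it is a deliberately simplified stateful-firewall model, and the addresses, ports and ACL entries in it are constructed for the illustration.

```python
"""Simplified model of a stateful firewall's connection table and ACL check.

Added illustration only: this is not PIX code and does not reproduce PIX
internals. It models the behaviour described in the reply: the ACL is
consulted only when a connection is first built; later packets match the
existing conn entry and bypass the ACL, so a newly added deny ACE has no
effect until the conn is torn down (the job of 'clear local-host').
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus a (src, dst, dport) match."""
    action: str            # "permit" or "deny"
    src: str               # exact host or "any"
    dst: str               # exact host or "any"
    dport: Optional[int]   # None matches any destination port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (self.src in ("any", src)
                and self.dst in ("any", dst)
                and self.dport in (None, dport))


@dataclass
class Firewall:
    acl: List[Ace] = field(default_factory=list)
    conns: Set[Tuple[str, str, int]] = field(default_factory=set)  # built conns
    xlates: Set[str] = field(default_factory=set)                  # per local host
    acl_lookups: int = 0                                           # ACL consultations

    def acl_permits(self, src: str, dst: str, dport: int) -> bool:
        """First-match ACL evaluation with an implicit deny at the end."""
        self.acl_lookups += 1
        for ace in self.acl:
            if ace.matches(src, dst, dport):
                return ace.action == "permit"
        return False

    def packet(self, src: str, dst: str, dport: int) -> str:
        key = (src, dst, dport)
        if key in self.conns:
            # Conn already built: fast path, ACL not consulted. If the xlate
            # was cleared, it is simply rebuilt for the surviving conn.
            self.xlates.add(src)
            return "fast-path"
        if not self.acl_permits(src, dst, dport):
            return "denied"
        self.conns.add(key)
        self.xlates.add(src)
        return "new-conn"

    def clear_xlate(self) -> None:
        """Models 'clear xlate': translations go, conns survive."""
        self.xlates.clear()

    def clear_local_host(self) -> None:
        """Models 'clear local-host': conns and xlates are both torn down."""
        self.conns.clear()
        self.xlates.clear()


def demo() -> Tuple[str, str, str, int]:
    """Replay the scenario from the thread with constructed addresses."""
    fw = Firewall(acl=[Ace("permit", "any", "any", None)])
    src, dst, port = "10.1.1.10", "10.2.2.20", 445   # constructed sample hosts
    assert fw.packet(src, dst, port) == "new-conn"   # ACL checked once here

    # Operator adds a deny ACE at the top of the ACL while the conn is up.
    fw.acl.insert(0, Ace("deny", src, dst, port))
    after_ace = fw.packet(src, dst, port)       # still "fast-path"

    fw.clear_xlate()
    after_clear_xlate = fw.packet(src, dst, port)   # still "fast-path"

    fw.clear_local_host()
    after_clear_local_host = fw.packet(src, dst, port)  # now "denied"

    return after_ace, after_clear_xlate, after_clear_local_host, fw.acl_lookups


if __name__ == "__main__":
    print(demo())
```

The `acl_lookups` counter makes the performance point concrete: across the whole scenario the ACL is consulted only twice, once when the conn is first built and once after 'clear local-host' forces the next packet back through the slow path.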

