When an IPSec tunnel drops on a PIX Firewall, it is usually important to get it back up and running as soon as possible. Because there are many reasons that the tunnel may have dropped, it is difficult to address the steps necessary to restore connectivity under all circumstances. As a result, the steps provided are generic and should help resolve most disconnections. However, if the steps below do not resolve the problem, further assistance may be required.
Note: It is assumed that the tunnel in question was previously working. If it was not, the steps below may not be of any assistance.
1. Pass interesting traffic from one side of the tunnel to the other. If you are unsure of what traffic is considered interesting, look at the output of the write terminal command on the PIX, and find the match address command under the crypto map for the connection. The Access Control List (ACL) that this command refers to specifies the interesting traffic.
2. Try to pass interesting traffic from a workstation on the source network to a device on the destination network. If that does not bring the tunnel back up, the tunnel may need to be reset.
Note: The following step brings down all existing IPSec tunnels on the PIX where it is performed. If these commands are issued, be aware of the loss of connectivity they cause. Generally, tunnels that are disconnected in this fashion come back up within 10 seconds once passing traffic is attempted.
3. Reset the tunnel to ensure that there was not a failure in rebuilding the tunnel following a loss of connectivity. On the PIX, issue the clear crypto ipsec sa command and the clear crypto isakmp sa command to delete the existing tunnel negotiations.
4. Attempt Step 1 again to establish the tunnel.
5. If there is a problem with translation (Network Address Translation (NAT) 0 in most cases) across the tunnel, Steps 3 and 4 may not solve the issue. The appropriate way to resolve this is to issue the clear xlate command. This temporarily deletes all connections on the PIX, so be aware that existing connections drop for a few seconds until they have had the opportunity to re-establish.
6. This should correct any issue with the translation table. If not, there may be a problem with the actual translation configuration on the PIX or on the remote device.
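As an added example (not part of the Cisco document), the following Python script automates the interesting-traffic check in Steps 1 and 2: it parses a write terminal excerpt to map each crypto map entry to its match address ACL and peer, then reports which entry a given source/destination flow would trigger, or that the flow is not interesting at all. The configuration excerpt is constructed sample text in PIX 6.x syntax, and the function names are my own.

```python
import ipaddress
import re

# Constructed PIX 6.x-style "write terminal" excerpt (not from a real device).
SAMPLE_CONFIG = """\
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list 101 permit ip 10.1.3.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list 102 permit ip 10.1.1.0 255.255.255.0 172.16.5.0 255.255.255.0
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 192.0.2.1
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 102
crypto map mymap 20 set peer 198.51.100.7
crypto map mymap interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")

def parse_interesting_traffic(config):
    """Map each crypto map entry (map name, sequence) to its peer, the ACL
    named by match address, and that ACL's (src_net, dst_net) pairs."""
    acls, entries = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((
                ipaddress.ip_network(f"{src}/{smask}"),
                ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := MATCH_RE.match(line):
            entries.setdefault((m[1], int(m[2])), {})["acl"] = m[3]
        elif m := PEER_RE.match(line):
            entries.setdefault((m[1], int(m[2])), {})["peer"] = m[3]
    for entry in entries.values():
        entry["networks"] = acls.get(entry.get("acl"), [])
    return entries

def matching_entry(entries, src_ip, dst_ip):
    """Return the lowest-sequence crypto map entry whose ACL covers
    src -> dst, or None: such a flow is not interesting and never
    triggers IKE/IPSec negotiation, so it cannot bring the tunnel up."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for key in sorted(entries):
        if any(src in s and dst in d for s, d in entries[key]["networks"]):
            return key
    return None
```

Run it against the real write terminal output of the PIX to confirm that the workstation and destination device you chose in Step 2 actually fall inside the match address ACL before concluding that the tunnel is broken.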
In the event that these steps did not help get the tunnel back up, there is information from the PIX that can assist your Technical Assistance Center (TAC) engineer in resolving your problem. If this information can be obtained from both endpoints for the VPN tunnel, it will help to resolve your service request quickly.
Obtain the information from these commands:
show crypto isakmp sa
show crypto ipsec sa
debug crypto isakmp (run while the IPSec tunnel is building)
debug crypto ipsec (run while the IPSec tunnel is building; both debugs can be run at the same time for the connection)
Note: Issuing the debug commands could affect PIX performance, so use them with caution.