Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

The VPN tunnel fails to come up on the PIX Firewall after the ISP changes the IP address for the remote device

What is a VPN Tunnel?

A “tunnel” is simply a link between two locations through some other material. A good analogy is a tunnel that goes under a mountain. Both sides of the mountain are linked up through a direct path; in this case the “mountain” is the Internet. So essentially a tunnel is a direct shortcut through the Internet.

Although by definition a tunnel is not encrypted, typically the reason that you are creating one is that you want to add some encryption to it. Let’s say you have a branch office in one location using a regular Internet connection and then you want to connect to a server somewhere at your main office location. Since the data you are transferring between offices is likely sensitive, you wouldn’t want someone to be able to view that data while travelling over the Internet. That is where a VPN tunnel comes into play.


In order to resolve this issue, replace the old IP address with the new IP address using these commands on the PIX Firewall:

Pixfirewall(config)#no crypto map 10 interface outside

Pixfirewall(config)#no crypto map 10 set peer               
Pixfirewall(config)#crypto map 10 set peer

Pixfirewall(config)#no isakmp key ******** address netmask
Pixfirewall(config)#isakmp key xxxxxxxx  address netmask
Pixfirewall(config)#crypto map 10 interface outside

After you make the configuration changes, clear the older Security Associations (SAs) using these commands:

clear crypto isakmp sa

clear crypto ipsec sa

Try initiating a connection. The VPN tunnel should now come up.

Note: No configuration changes are required on the remote device.


VPN Tunnel

Version history
Revision #:
1 of 1
Last update:
‎06-17-2009 10:09 PM
Updated by:
Labels (1)