Cisco Support Community
Community Member

ipsec tunnel

Please see my PIX version and the hardware details below:

Cisco PIX Firewall Version 6.3(5)

Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz

Flash E28F128J3 @ 0x300, 16MB

I added a host on the IPsec tunnel and ran the following command:

FW# sh crypto ipsec sa | be HTX0062-NAT

local ident (addr/mask/prot/port): (HTX0062-NAT/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (195.140.250.0/255.255.255.240/0/0)

current_peer: CERNER-NAT:0

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 206.5.104.10, remote crypto endpt.: CERNER-NAT

path mtu 1500, ipsec overhead 0, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

But, the remote end was unable to initiate a connection.

My senior colleague said I have to reset the tunnel to get it working. I just want to know whether IT IS RIGHT or NOT.

Regards

Kelvin Cheung

5 REPLIES
Community Member

Re: ipsec tunnel

Yes, often you'll have to reset the tunnel if you change the crypto map.

Community Member

Re: ipsec tunnel

I can't see my last post so I post it again.

I added a host on the existing ACL for the crypto map.

It did NOT work. Do I need to reset the IPsec tunnel?

Thanks....

Kelvin Cheung

Gold

Re: ipsec tunnel

Kelvin,

Yes, clear the existing tunnel -

In config mode:

clear isakmp sa

clear ipsec sa

The above will drop any existing tunnels. To rebuild the tunnel, just ping your remote internal peer IP from your internal IP range.

Hope this helps and please rate posts!

Community Member

Re: ipsec tunnel

Dear Jay Mia

First of all, thanks for your reply.

The commands "clear isakmp sa" and "clear ipsec sa" will NOT delete any PIX configurations???

Regards

Kelvin Cheung

Gold

Re: ipsec tunnel

Hi Kelvin,

No, by using "clear isakmp sa" and "clear ipsec sa" it will NOT delete any configuration.

The above commands ONLY reset the SA tables for both ISAKMP and IPSec.

Hope this helps and please rate posts!!

Jay
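
Added example, not part of the original thread: a small Python parser for `sh crypto ipsec sa` output that lists selector pairs with no SPI under them, which is the state shown in the first post (zero counters, outbound spi 0, empty SA lists). The second entry in the sample, including the name EXAMPLE-HOST and the `spi:` lines, is constructed for comparison, and the function names are hypothetical.

```python
import re

# First entry: lines from the original post. Second entry: constructed
# sample of an established SA, for comparison (values are made up).
SAMPLE = """\
local ident (addr/mask/prot/port): (HTX0062-NAT/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (195.140.250.0/255.255.255.240/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
current outbound spi: 0
inbound esp sas:
outbound esp sas:
local ident (addr/mask/prot/port): (EXAMPLE-HOST/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (195.140.250.0/255.255.255.240/0/0)
#pkts encaps: 42, #pkts encrypt: 42, #pkts digest 42
#pkts decaps: 40, #pkts decrypt: 40, #pkts verify 40
current outbound spi: 1a2b3c4d
inbound esp sas:
spi: 0x5e6f7a8b(1584364171)
outbound esp sas:
spi: 0x1a2b3c4d(439041101)
"""

IDENT = re.compile(r"^(local|remote) ident .*?: \((.+)\)$")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")
SPI = re.compile(r"^spi: 0x([0-9a-fA-F]+)")

def parse_sa_entries(text):
    """Split the output into one dict per local/remote selector pair."""
    entries, cur = [], None
    for line in map(str.strip, text.splitlines()):
        ident = IDENT.match(line)
        if ident and ident.group(1) == "local":   # a new entry starts here
            cur = {"local": ident.group(2), "remote": None,
                   "encaps": 0, "decaps": 0, "spis": []}
            entries.append(cur)
        elif cur is None:
            continue                               # preamble before first entry
        elif ident:
            cur["remote"] = ident.group(2)
        elif (count := COUNT.search(line)):
            cur[count.group(1)] = int(count.group(2))
        elif (spi := SPI.match(line)):
            cur["spis"].append(spi.group(1).lower())
    return entries

def selectors_without_sa(text):
    """Selector pairs that are listed but have no SPI, i.e. no SA negotiated."""
    return [(e["local"], e["remote"]) for e in parse_sa_entries(text) if not e["spis"]]
```

Running `selectors_without_sa` on output captured before and after `clear isakmp sa` / `clear ipsec sa` shows whether the newly added host's selector has picked up an SA once traffic is sent.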
