I am having a problem when adding a new tunnel to an existing PIX that is already terminating several existing tunnels. The existing tunnels are not having any problems. However, the new tunnel will not initiate Phase 1. When running "debug crypto isakmp" I do not see anything for this new tunnel. However, the NONAT and interesting traffic ACL are incrementing. Debug packet outside dst "remote peer ip" does not return any packets. It's as if it passes the interesting traffic ACL and the packets go nowhere. Has anyone experienced an issue like this?
If you 'debug crypto ipsec' do you get an error like: IPSEC(sa_initiate): ACL = deny; no sa created. If so I know that removing the crypto map from the interface and reapplying will fix this - in addition to taking down all tunnels. I don't know if it's a bug or ??? I've seen it myself and the above or reloading the PIX would correct it.
Yes, I do get the ACL=deny error when debugging crypto IPsec. Interesting that the ACL hitcnt is still incrementing though, as if it is passing through. The last new tunnel we added a couple weeks ago had the same issue and we rebooted to rectify that, hoping it wouldn't be a problem, but now I fear that every time we add a new tunnel this may happen, and rebooting or removing the crypto map from the interface is not a viable workaround each time because it does cause all other tunnels to come down. Did you continue to have the problem with new tunnels after the reboot or did everything work fine after that?
Yes, the problem continues on various customer PIX - my company manages several hundred. I've never gotten a good answer from TAC as to why. It could be a config issue, but I cannot see it. Maybe others in NetPro can help.
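To make the symptom discussed above easier to confirm across many boxes, here is an added Python triage helper (not code from the thread or from Cisco). It compares two `show access-list` snapshots for growing hit counts and checks `debug crypto ipsec` output for the `ACL = deny; no sa created` message; the sample output is constructed and the exact PIX output format is assumed.

```python
import re

# Constructed sample output in the style of PIX "show access-list" (format assumed),
# two snapshots taken a short time apart. outside_cryptomap_40 is the new tunnel's ACL.
ACL_BEFORE = """\
access-list outside_cryptomap_30 line 1 permit ip 10.10.0.0 255.255.0.0 172.16.5.0 255.255.255.0 (hitcnt=120)
access-list outside_cryptomap_40 line 1 permit ip 10.10.0.0 255.255.0.0 192.168.50.0 255.255.255.0 (hitcnt=0)
"""
ACL_AFTER = """\
access-list outside_cryptomap_30 line 1 permit ip 10.10.0.0 255.255.0.0 172.16.5.0 255.255.255.0 (hitcnt=135)
access-list outside_cryptomap_40 line 1 permit ip 10.10.0.0 255.255.0.0 192.168.50.0 255.255.255.0 (hitcnt=17)
"""
# Constructed "debug crypto ipsec" capture; the ACL = deny line is the one quoted in the thread.
DEBUG = """\
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
"""

HITCNT_RE = re.compile(r"^access-list (\S+) line \d+ .*\(hitcnt=(\d+)\)", re.M)
ACL_DENY = "IPSEC(sa_initiate): ACL = deny; no sa created"


def hitcnts(show_access_list: str) -> dict:
    """Sum hitcnt per ACL name from 'show access-list' output."""
    totals = {}
    for name, count in HITCNT_RE.findall(show_access_list):
        totals[name] = totals.get(name, 0) + int(count)
    return totals


def incrementing_acls(before: str, after: str) -> dict:
    """ACLs whose hit count grew between the two snapshots, with the delta."""
    b, a = hitcnts(before), hitcnts(after)
    return {n: a[n] - b.get(n, 0) for n in a if a[n] > b.get(n, 0)}


def acl_deny_count(debug_output: str) -> int:
    """Number of 'ACL = deny; no sa created' lines in a debug capture."""
    return sum(1 for line in debug_output.splitlines() if ACL_DENY in line)


def triage(before: str, after: str, debug_output: str, new_acl: str) -> str:
    """'match' when the new tunnel's ACL is incrementing yet IPsec refuses to build an SA,
    i.e. the exact combination described in the thread; otherwise a hint at what differs."""
    if new_acl not in incrementing_acls(before, after):
        return "no-interesting-traffic"   # nothing is even hitting the crypto ACL
    return "match" if acl_deny_count(debug_output) else "other"
```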
Question: I am currently unable to specify the "crypto keyring" command when
configuring a VPN connection on my Cisco 2901 router. The following
licenses have been activated on my router: