Cisco Support Community

PIX 6.3(5) site-to-site VPN and failover

I've got three sites, each site has a pair of PIXes in a failover configuration. There are site-to-site tunnels between the three sites. When I failover a firewall at a site, the tunnels fail over correctly, and connectivity is maintained. However, if I fail back to the primary firewall at that site, the tunnels fail (I get lots of "invalid spi" messages). Is there an easy way to force the ISAKMP and IPSEC protocols to restart from zero in this case, so the tunnels come back up quickly?

Today I ended up ripping out the isakmp and crypto map parameters and putting them back in, which worked but took too long.


Re: PIX 6.3(5) site-to-site VPN and failover

Try this command in the global configuration menu:

isakmp keepalive 10 (on all tunnel endpoints)

It will prevent the tunnel from going down and should help avoid "invalid spi" messages...

Also, the command clear crypto ipsec sa brings your VPN back, so you don't need to reconfigure the IPSEC parameters.

Hope that helps; if yes, please rate.
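As an added illustration (not part of the thread, and not Cisco code), the following Python script scans PIX syslog output for the "invalid spi" messages the original poster describes and flags peers that are hammering the firewall with packets for SAs it no longer knows about, which is the symptom of a stale SA after failback. The syslog message text and ID (`%PIX-4-402101`), the field names (`destaddr`, `srcaddr`, `spi`) and the sample log lines are all assumptions or constructed data; adjust the regex to whatever your PIX actually logs. An operator can use the flagged peer list to decide where to run `clear crypto ipsec sa`, as the reply above suggests, instead of tearing down and re-entering the crypto configuration.

```python
"""Flag VPN peers producing bursts of 'invalid spi' messages in PIX syslog.

Added example, not from the forum thread. Message ID, message text and the
sample lines below are assumed/constructed, not taken from a real device.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed PIX 6.x decaps message layout; field names are an assumption.
INVALID_SPI_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s[\d:]{8}).*?invalid spi for destaddr=(?P<dst>[\d.]+),"
    r" prot=(?P<prot>\w+), spi=(?P<spi>0x[0-9a-fA-F]+|\d+), srcaddr=(?P<src>[\d.]+)",
    re.IGNORECASE,
)

# Constructed sample: one unrelated connection log, four invalid-SPI hits from
# one remote peer within 12 seconds (stale SA), and a single hit from another.
SAMPLE_LOG = """\
Mar 13 10:15:01 pix-a %PIX-6-302013: Built outbound TCP connection 1234 for outside:198.51.100.20/443 (198.51.100.20/443) to inside:10.1.1.5/51000 (203.0.113.10/51000)
Mar 13 10:15:02 pix-a %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=esp, spi=0x5A3B1C2D, srcaddr=198.51.100.20
Mar 13 10:15:05 pix-a %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=esp, spi=0x5A3B1C2D, srcaddr=198.51.100.20
Mar 13 10:15:09 pix-a %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=esp, spi=0x5A3B1C2D, srcaddr=198.51.100.20
Mar 13 10:15:14 pix-a %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=esp, spi=0x5A3B1C2D, srcaddr=198.51.100.20
Mar 13 10:17:40 pix-a %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=esp, spi=0x0000ABCD, srcaddr=192.0.2.5
"""


def parse_invalid_spi(log_text):
    """Return one dict per invalid-SPI line: timestamp, local/remote address, protocol, SPI.

    Syslog timestamps carry no year, so strptime yields year 1900; only the
    relative spacing of events matters here.
    """
    events = []
    for line in log_text.splitlines():
        m = INVALID_SPI_RE.match(line)
        if not m:
            continue  # not an invalid-SPI message
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
            "dst": m.group("dst"),
            "src": m.group("src"),
            "prot": m.group("prot").lower(),
            "spi": m.group("spi"),
        })
    return events


def find_stale_sa_peers(log_text, threshold=3, window_seconds=60):
    """Map (local_addr, remote_addr) -> peak count of invalid-SPI hits in any window.

    Only peers whose peak reaches `threshold` are returned; a single stray
    message is normal right after a rekey, a sustained burst is not.
    """
    by_peer = defaultdict(list)
    for ev in parse_invalid_spi(log_text):
        by_peer[(ev["dst"], ev["src"])].append(ev["ts"])

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for peer, times in by_peer.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it covers at most `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[peer] = peak
    return flagged


if __name__ == "__main__":
    for (local, remote), n in sorted(find_stale_sa_peers(SAMPLE_LOG).items()):
        print(f"peer {remote} -> {local}: {n} invalid-SPI hits in one window; "
              f"SA is probably stale, consider 'clear crypto ipsec sa' on this unit")
```

Run it as-is against the constructed sample, or pipe real syslog text into `find_stale_sa_peers`; the threshold and window are deliberately parameters, because a single "invalid spi" message around a rekey is harmless while a steady stream after a failback is the condition the thread describes.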


Re: PIX 6.3(5) site-to-site VPN and failover

It appears to work, but I won't be able to give it a real hard test until the 18th. I'll post another reply and a rating then.

Thanks very much!
