PIX 6.3(5) site-to-site VPN and failover

tim.metzinger
Level 1

I've got three sites, each site has a pair of PIXes in a failover configuration. There are site-to-site tunnels between the three sites. When I failover a firewall at a site, the tunnels fail over correctly, and connectivity is maintained. However, if I fail back to the primary firewall at that site, the tunnels fail (I get lots of "invalid spi" messages). Is there an easy way to force the ISAKMP and IPSEC protocols to restart from zero in this case, so the tunnels come back up quickly?

Today I ended up ripping out the isakmp and crypto map parameters and putting them back in, which worked but took too long.

2 Replies

m.sir
Level 7

Try this command from the global configuration menu:

isakmp keepalive 10 (on all tunnel endpoints)

It will prevent the tunnel from going down and should help avoid "invalid spi" messages...

Also, the command clear crypto ipsec sa brings your VPN back, so you don't need to reconfigure the IPsec parameters.

Hope that helps; if yes, please rate.
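The keepalive and SA-clearing commands from the reply above, placed in the context of a minimal PIX 6.3 site-to-site tunnel to one peer. This is an added example, not configuration from the original post or from Cisco; the interface name, addresses, access-list and map names, transform set and the pre-shared-key placeholder are all assumed.

```text
! --- added example: minimal PIX 6.3 site-to-site tunnel to one peer ---
! Assumed (constructed) addresses: local LAN 10.1.0.0/16, remote LAN 10.2.0.0/16,
! remote tunnel endpoint 192.0.2.2 reached via the outside interface.
access-list vpn-to-site2 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key <pre-shared-key> address 192.0.2.2 netmask 255.255.255.255

! Dead Peer Detection: probe the peer every 10 seconds and, once a probe goes
! unanswered, retry every 5 seconds. Without this the remote peers keep sending
! on SAs that the unit taking over after the fail-back never negotiated, which
! is what shows up as "invalid spi". Configure it on every tunnel endpoint.
isakmp keepalive 10 5

crypto ipsec transform-set site2-set esp-3des esp-sha-hmac
crypto map site-vpn 10 ipsec-isakmp
crypto map site-vpn 10 match address vpn-to-site2
crypto map site-vpn 10 set peer 192.0.2.2
crypto map site-vpn 10 set transform-set site2-set
crypto map site-vpn interface outside
sysopt connection permit-ipsec

! --- after a fail-back, from enable mode, instead of re-entering the config ---
! clear crypto isakmp sa      (drop the stale phase 1 SAs)
! clear crypto ipsec sa       (drop the stale phase 2 SAs; tunnels renegotiate on next traffic)
! show crypto isakmp sa       (expect QM_IDLE for each peer once the tunnel is back)
! show crypto ipsec sa        (check the SPIs now match what the peer is sending)
```

PIX 6.3 does not replicate ISAKMP or IPsec SAs to the standby unit, so every failover event, including the fail-back to the primary, forces a fresh negotiation; the remote peers only learn that their existing SAs are dead when a keepalive goes unanswered or when the stale SAs are cleared by hand. With DPD on all endpoints the recovery happens on its own within a few probe intervals, and the clear commands become a manual shortcut rather than the only remedy.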

It appears to work, but I won't be able to give it a real hard test until the 18th. I'll post another reply and a rating then.

Thanks very much!
