Cisco Support Community
New Member

PIX site to site - adding a new set of rules to a crypto map

Can anyone confirm that it's necessary to reapply a crypto map to an interface using the "crypto map XXXX interface YYY" command when you add a new set of entries with a new sequence number to the crypto map?

I spent some time trying to build a new tunnel with no results until I reapplied the map, and I want to be sure that I'm required to do that.

4 REPLIES
Gold

Re: PIX site to site - adding a new set of rules to a crypto map

If you make changes to a crypto map, transform set, or any other items relating to your VPN, it may be necessary to issue the clear crypto ipsec sa command. This will clear the existing IPSec SAs so that renegotiation takes place and the changes are implemented immediately.

Hope that helps. If yes, please rate.

New Member

Re: PIX site to site - adding a new set of rules to a crypto map

I had this same problem on a PIX 515 last year. The 'clear ipsec sa' command didn't fix the problem. I had to reapply the 'crypto map XXXX interface YYY' command for the VPN tunnel to build successfully.

Talking to some other engineers, I found that they had done the same thing. I'm not sure if this is a Cisco recommendation.

-Mike

New Member

Re: PIX site to site - adding a new set of rules to a crypto map

Hello, from experience that is sometimes necessary, but I feel it is like a bug. I never found anything about crypto map reapplying in the documentation.

Hall of Fame Super Blue

Re: PIX site to site - adding a new set of rules to a crypto map

Tim

As others have said, it should not be necessary, and I have configured a lot of site-to-site VPN tunnels where I have not had to - over 100 on one PIX device without having to reapply the crypto map.

However, there have been times when I have reapplied the crypto map as a last resort when I couldn't get the tunnel to work, and it has fixed the issue sometimes!

But no, in answer to your question, you are not required to do that as far as I know, and to be honest you shouldn't have to.

Jon
