03-08-2006 12:19 PM
Can anyone confirm that it's necessary to reapply a crypto map to an interface using the "crypto map XXXX interface YYY" command when you add a new set of entries with a new sequence number to the crypto map?
I spent some time trying to build a new tunnel with no results until I reapplied the map, and I want to be sure that I'm required to do that.
03-08-2006 12:47 PM
If you make changes to a crypto map, transform set, or any other items relating to your VPN, it may be necessary to issue the clear crypto ipsec sa command. This will clear the existing IPSec SAs so that renegotiation takes place and the changes are implemented immediately.
Hope that helps. If yes, please rate.
03-09-2006 01:34 PM
I had this same problem on a PIX 515 last year. The 'clear ipsec sa' command didn't fix the problem. I had to reapply the 'crypto map XXXX interface YYY' command for the VPN tunnel to build successfully.
Talking to some other engineers, I found that they had done the same thing. I'm not sure if this is a Cisco recommendation.
-Mike
11-25-2008 12:32 AM
Hello, from experience that is sometimes necessary, but I feel it is like a bug. I never found anything about crypto map reapplying in the documentation.
11-25-2008 01:51 AM
Tim
As others have said, it should not be necessary, and I have configured a lot of site-to-site VPN tunnels where I have not had to - over 100 on one PIX device without having to reapply the crypto map.
However, there have been times when I have reapplied the crypto map as a last resort when I couldn't get the tunnel to work, and it has fixed the issue sometimes!
But no, in answer to your question, you are not required to do that as far as I know, and to be honest you shouldn't have to.
Jon