PIX site to site - adding a new set of rules to a crypto map

tim.metzinger
Level 1

Can anyone confirm that it's necessary to reapply a crypto map to an interface using the "crypto map XXXX interface YYY" command when you add a new set of entries with a new sequence number to the crypto map?

I spent some time trying to build a new tunnel with no results until I reapplied the map, and I want to be sure that I'm required to do that.

4 Replies

m.sir
Level 7

If you make changes to a crypto map, transform set, or any other items relating to your VPN, it may be necessary to issue the 'clear crypto ipsec sa' command. This will clear the existing IPSec SAs so that renegotiation takes place and the changes are implemented immediately.

Hope that helps. If yes, please rate.

msrohman
Level 1

I had this same problem on a PIX 515 last year. The 'clear ipsec sa' command didn't fix the problem. I had to reapply the 'crypto map XXXX interface YYY' command for the VPN tunnel to build successfully.

Talking to some other engineers, I found that they had done the same thing. I'm not sure if this is a Cisco recommendation.

-Mike

Ivast
Level 1

Hello, from experience that is sometimes necessary, but I feel like it is a bug. I never found anything about reapplying the crypto map in the documentation.

Jon Marshall
Hall of Fame

Tim

As others have said, it should not be necessary, and I have configured a lot of site-to-site VPN tunnels where I have not had to; over 100 on one PIX device without having to reapply the crypto map.

However, there have been times when I have reapplied the crypto map as a last resort when I couldn't get the tunnel to work, and it has fixed the issue sometimes!

But no, in answer to your question, you are not required to do that as far as I know, and to be honest you shouldn't have to.

Jon
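A worked example of the configuration sequence the whole thread is discussing (the question's "new set of entries with a new sequence number", m.sir's 'clear crypto ipsec sa', and the reapply that msrohman and Jon treat as a last resort), added here as an editorial illustration; it is not taken from any of the posts above. It uses PIX 6.3 syntax. The map name outside_map, the ACL names, the peer address 203.0.113.20, the subnets, and the transform-set name ESP-3DES-SHA are all placeholders, and it assumes the map already exists with entry 10 for a first site, is already bound to the outside interface, and that ISAKMP is already enabled on that interface.

```cisco
! Added example, not from the thread. PIX 6.3 syntax; every name and address is a placeholder.
! Assumptions: crypto map "outside_map" already holds entry 10 for the first site and is
! already bound to "outside"; transform set ESP-3DES-SHA already exists; isakmp enable outside is set.

! 1. Interesting traffic for the new site. Keep this ACL disjoint from entry 10's ACL:
!    the map is walked in sequence-number order and the first matching entry wins,
!    so an overlapping lower-numbered entry silently steals the traffic.
access-list siteB_crypto permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! 2. The same flows must be exempt from NAT, otherwise the translated packet never
!    matches the crypto ACL and the tunnel never triggers.
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list nonat

! 3. The new set of entries under a new sequence number (20).
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address siteB_crypto
crypto map outside_map 20 set peer 203.0.113.20
crypto map outside_map 20 set transform-set ESP-3DES-SHA
isakmp key <pre-shared-key> address 203.0.113.20 netmask 255.255.255.255

! 4. The step the thread debates: re-entering the interface bind. It should be a no-op,
!    but several posters report the new entry only took effect after this.
crypto map outside_map interface outside

! 5. Force renegotiation so existing SAs do not mask the change (m.sir's suggestion).
clear crypto ipsec sa
clear isakmp sa

! 6. Checks: entry 20 is listed with its peer and ACL, a Phase 1 SA to 203.0.113.20
!    reaches QM_IDLE, and the encaps/decaps counters for the siteB_crypto proxy
!    identities increase when traffic is sent.
show crypto map
show isakmp sa
show crypto ipsec sa
```

On PIX 7.x and ASA the ISAKMP show and clear commands take the crypto keyword ('show crypto isakmp sa', 'clear crypto isakmp sa'); the rest is the same. If step 6 shows entry 20 but no Phase 1 SA, check the pre-shared key and the ISAKMP policy before reaching for the reapply in step 4; if Phase 1 is up but encaps stays at zero, the crypto ACL or the NAT exemption is the usual culprit.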