
PIX525<->Nortel Contivity | Creating multiple IPSec tunnels with the same p

Hi all,

I'd like to know if it is possible on a PIX525 to create multiple IPSec tunnels to the same remote peer address?

Maybe you'd like to ask: why?

My question comes up because I actually have a single IPSec tunnel between a PIX 525 and a Nortel Contivity. In the tunnel settings, the Contivity announces one local subnet and the PIX announces 3 local subnets (because of its 3 DMZs).

As I have two redundant Contivity units, the second Contivity is announced as a second peer in the tunnel settings of the PIX configuration file.

When I monitor my PIX, I normally see 3 conn IDs between the PIX and the primary Contivity, one per PIX local subnet (one per DMZ). But sometimes I see a strange behaviour:

One of the three DMZs is basically disconnected from the primary Contivity and reconnects to the second one. During that time only one DMZ is affected, so it means that the two others remain connected to the primary Contivity.

I saw 2 conn IDs between the PIX and the primary Contivity and 1 conn ID between the PIX and the second Contivity.

When I monitor my primary Contivity, I don't see anything (the firewall is responding correctly), so this Contivity remains the primary one; thus it is still the gateway for my PCs in the Contivity's LAN.

These PCs can no longer reach the PIX DMZ newly attached to the second Contivity because of this strange behaviour. (Packets leave the Contivity's network through the primary Contivity and come back through the second Contivity -> problem!)

I've no idea why one of these DMZs is having such behaviour; so I'm basically thinking of unbundling the three DMZs from the single IPSec tunnel in my PIX by creating one IPSec tunnel per DMZ.

With this I'll have 3 IPSec tunnels between the same pair of peers (PIX and Contivity).

Thank you for your answers and advice about any potential of this strange behaviour (might be due to the PIX and/or the Contivity).


Frédéric Martin


Re: PIX525<->Nortel Contivity | Creating multiple IPSec tunnels

Do you intend to create tunnels using different keys, but with the same tunnel source address?