Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Possible PIX 6.3 Bug with site-to-site VPN?

Hi all,

I experienced a weird issue with my old PIX 515E last weekend, and I am looking to see if anyone has experienced this in the past.  This PIX is running version 6.3, and has no support contract, so I'm in somewhat of a bind.

We were planning an internet connection changeover, and I began execution last weekend.  I connected the new connection to the outside interface, gave it a new IP, and began the process of updating our external DNS and port forwarding/ translation rules.  Everything went smoothly, and email, external ftp, web browsing, and PPTP VPN connections were restored within 30 minutes or so. 

However, we also have a site-to-site VPN that terminates at this PIX from a Cisco 871 on the other end.  I modified the 871 to have the correct peer address.  The PIX already had the correct peer entered in its config, because the external site did not change.  When I performed a "sho crypto isakmp sa" on the router, it showed the tunnel as connected, with the correct source and destination IP addresses.  However, it also showed a return tunnel with a source of the PIX external IP, and a destination of the router external IP, and it was not connected.

When I did the same sho isakmp command on the PIX, I noted that it showed the tunnel from the router correctly connected with the right IPs, however, it showed the outbound tunnel connection with a destination of the router external IP, but a source of the OLD pix external IP.  I reviewed the config, and nowhere in any spot on the PIX config was this old IP address present.  I contemplated saving the pix config and rebooting to see if that resolved the issue, but given the short outage window i was given, I made the decision to do a quick rollback by rebooting both the PIX and the router (I had not yet saved the running config of either), and reconnecting the old connection to the PIX.  This let me simply reset the DNS records and service was restored. 

I did not have time to troubleshoot this properly, and the PDM version is out of date on the PIX, so I can't view any tunnel settings on it apparently.  While I am pushing to move to an ASA as soon as possible, I wanted to see if anyone else has experienced this behavior when updating tunnel settings on a remote site VPN endpoint.  Would a simple save and reboot possibly have fixed this "ghost" tunnel source IP address?

New Member

Possible PIX 6.3 Bug with site-to-site VPN?

Just wanted to add/ simplify my question:

If I am changing the outside interface ip address of my PIX, with an existing site-to-site tunnel, all I should really have to do is add the new peer address to the existing crypto map, and clone the existing "crypto isakmp key" statement with the new ip address on the remote site router, correct?  Is a PIX reboot required after changing the outside IP address?

New Member

Possible PIX 6.3 Bug with site-to-site VPN?

Disregard.  We just received a shiny new ASA 5510.  I am going to work on creating a secondary site-to-site tunnel to this new device, so we will be able to switch over with almost no outage.

CreatePlease to create content