Possible PIX 6.3 Bug with site-to-site VPN?

mike.welker
Level 1

Hi all,

I experienced a weird issue with my old PIX 515E last weekend, and I am looking to see if anyone has experienced this in the past.  This PIX is running version 6.3, and has no support contract, so I'm in somewhat of a bind.

We were planning an internet connection changeover, and I began execution last weekend.  I connected the new connection to the outside interface, gave it a new IP, and began the process of updating our external DNS and port forwarding/translation rules.  Everything went smoothly, and email, external ftp, web browsing, and PPTP VPN connections were restored within 30 minutes or so.

However, we also have a site-to-site VPN that terminates at this PIX from a Cisco 871 on the other end.  I modified the 871 to have the correct peer address.  The PIX already had the correct peer entered in its config, because the external site did not change.  When I performed a "sho crypto isakmp sa" on the router, it showed the tunnel as connected, with the correct source and destination IP addresses.  However, it also showed a return tunnel with a source of the PIX external IP, and a destination of the router external IP, and it was not connected.

When I did the same sho isakmp command on the PIX, I noted that it showed the tunnel from the router correctly connected with the right IPs; however, it showed the outbound tunnel connection with a destination of the router external IP, but a source of the OLD PIX external IP.  I reviewed the config, and nowhere in any spot on the PIX config was this old IP address present.  I contemplated saving the PIX config and rebooting to see if that resolved the issue, but given the short outage window I was given, I made the decision to do a quick rollback by rebooting both the PIX and the router (I had not yet saved the running config of either), and reconnecting the old connection to the PIX.  This let me simply reset the DNS records and service was restored.

I did not have time to troubleshoot this properly, and the PDM version is out of date on the PIX, so I can't view any tunnel settings on it apparently.  While I am pushing to move to an ASA as soon as possible, I wanted to see if anyone else has experienced this behavior when updating tunnel settings on a remote site VPN endpoint.  Would a simple save and reboot possibly have fixed this "ghost" tunnel source IP address?

2 Replies

mike.welker
Level 1

Just wanted to add/simplify my question:

If I am changing the outside interface ip address of my PIX, with an existing site-to-site tunnel, all I should really have to do is add the new peer address to the existing crypto map, and clone the existing "crypto isakmp key" statement with the new ip address on the remote site router, correct?  Is a PIX reboot required after changing the outside IP address?

Disregard.  We just received a shiny new ASA 5510.  I am going to work on creating a secondary site-to-site tunnel to this new device, so we will be able to switch over with almost no outage.
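The sequence the follow-up question describes (add the new PIX address as a second peer and a second pre-shared key on the 871, then move the PIX outside address), written out as an added configuration example that is not from the original thread. Addresses, the crypto map name, the transform-set name and the pre-shared key are constructed placeholders; the PIX 6.3 clear-command forms are assumed from memory, so check them against the 6.3 command reference before use.

```cisco
! --- Cisco 871 (remote site, IOS) ---
! Keep the old PIX peer until cutover and add the new one beside it.
! Pre-shared keys are bound to a peer address, so the new address needs its own entry.
crypto isakmp key REPLACE_WITH_PSK address 198.51.100.10   ! old PIX outside IP (placeholder)
crypto isakmp key REPLACE_WITH_PSK address 203.0.113.10    ! new PIX outside IP (placeholder)
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.10        ! old PIX address, remove once cutover is confirmed
 set peer 203.0.113.10         ! new PIX address
 set transform-set ESP-3DES-SHA
 match address 100
!
! After the PIX has moved: drop the IKE and IPsec SAs that were negotiated against the
! old address, then let interesting traffic renegotiate and verify the peer shown.
clear crypto isakmp
clear crypto sa
show crypto isakmp sa

! --- PIX 515E (PIX OS 6.3) ---
! The remote peer did not change, so the crypto map and isakmp key stay as they are.
! Only the local outside address moves. An IKE SA cached before the change still carries
! the old local address, which is why "show crypto isakmp sa" can keep reporting it;
! clear the SAs rather than relying on a reboot (a reboot clears them too, as a side effect).
ip address outside 203.0.113.10 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
clear crypto isakmp sa
clear crypto ipsec sa
show crypto isakmp sa          ! source should now be 203.0.113.10, not the old address
show crypto ipsec sa
write memory
```

Keep the old peer and key on the 871 until the new tunnel is confirmed up, then remove them so the retired address cannot be used to negotiate a tunnel.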
