Problems with VPNs

gmssac
Level 1

Hello, I'm having two problems with four VPNs mounted on a PIX 515E connected to the Internet by a direct connection. The other peers are Linksys BEFSX41 units with DSL.

1) I set up different crypto maps (each one with its own isakmp key), associating those keys with the remote peer IP address (two peers have static IP addresses). The problem is this: the other two peers have dynamic IP addresses. I configured one crypto dynamic-map for one of them, using a preshared key associated with the IP 0.0.0.0 netmask 0.0.0.0.

How can I configure ANOTHER, DIFFERENT preshared key for the second crypto dynamic-map, if it has a dynamic IP address too?

2) Two VPNs are working perfectly, but one of them, at a random time (approx. 2 days), hangs and doesn't work any more.

When it happened I ran "show isakmp sa" on the PIX. It says that there are:

Total : 583

Embryonic : 0

And it gave me a list of the 583 connections, all in a QM_IDLE state.

What does it mean? Where can I find any information about this problem? Why does one VPN work perfectly and the other hang if both are configured in the same way?

I'm new to Cisco PIX...

Thank you for your help!!!

Alejandro.
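The "583 connections, all in QM_IDLE" symptom above is easier to reason about when the output is counted per peer: a healthy site-to-site tunnel normally shows one ISAKMP SA per remote peer, so hundreds of entries means the PIX is accumulating SAs it never tears down. The following script is an added example (not from this thread or from Cisco) that parses a constructed sample of "show isakmp sa" output and reports which peers have piled up SAs. It assumes the PIX 6.x column layout (dst, src, state, pending, created) and that the local PIX address is known; the sample addresses are constructed documentation ranges.

```python
import re
from collections import Counter

# Constructed sample of "show isakmp sa" output in the assumed PIX 6.x layout.
# One peer (203.0.113.10) has accumulated five SAs; the other two are healthy.
SAMPLE_OUTPUT = """\
Total     : 7
Embryonic : 0
        dst               src        state     pending     created
   203.0.113.10     198.51.100.1   QM_IDLE         0           1
   203.0.113.10     198.51.100.1   QM_IDLE         0           1
   203.0.113.10     198.51.100.1   QM_IDLE         0           1
   203.0.113.10     198.51.100.1   QM_IDLE         0           1
   203.0.113.10     198.51.100.1   QM_IDLE         0           1
   203.0.113.20     198.51.100.1   QM_IDLE         0           1
   203.0.113.30     198.51.100.1   QM_IDLE         0           1
"""

# A data row: two addresses, a state word, then two integer columns.
# The header line has "pending"/"created" in the integer positions, so it
# never matches this pattern.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")
TOTAL_RE = re.compile(r"^\s*Total\s*:\s*(\d+)")
EMBRYONIC_RE = re.compile(r"^\s*Embryonic\s*:\s*(\d+)")


def parse_isakmp_sa(text):
    """Return (total, embryonic, rows); each row is a dict of the five columns."""
    total = embryonic = None
    rows = []
    for line in text.splitlines():
        m = TOTAL_RE.match(line)
        if m:
            total = int(m.group(1))
            continue
        m = EMBRYONIC_RE.match(line)
        if m:
            embryonic = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append({
                "dst": m.group(1),
                "src": m.group(2),
                "state": m.group(3),
                "pending": int(m.group(4)),
                "created": int(m.group(5)),
            })
    return total, embryonic, rows


def peer_of(row, local_ip):
    """Whichever of dst/src is not the local PIX address is the remote peer."""
    return row["src"] if row["dst"] == local_ip else row["dst"]


def count_sas_per_peer(text, local_ip):
    """Map remote peer address -> number of ISAKMP SAs the PIX holds for it."""
    _, _, rows = parse_isakmp_sa(text)
    return Counter(peer_of(row, local_ip) for row in rows)


def find_stale_peers(text, local_ip, expected_per_peer=1):
    """Peers holding more SAs than a healthy tunnel should (one per peer)."""
    counts = count_sas_per_peer(text, local_ip)
    return {peer: n for peer, n in counts.items() if n > expected_per_peer}


def totals_consistent(text):
    """Sanity check: the Total line should match the number of rows listed."""
    total, _, rows = parse_isakmp_sa(text)
    return total is not None and total == len(rows)


if __name__ == "__main__":
    local = "198.51.100.1"  # constructed local PIX outside address
    for peer, n in sorted(find_stale_peers(SAMPLE_OUTPUT, local).items()):
        print(f"peer {peer}: {n} ISAKMP SAs (expected 1)")
```

Run it against pasted output from the real device (replace SAMPLE_OUTPUT and the local address) after a tunnel stops passing traffic; if one peer keeps climbing from one SA to hundreds over a couple of days while the others stay at one, that peer's SAs are not being removed on rekey, which narrows the investigation to that peer's lifetime and keepalive settings rather than to the PIX as a whole.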

3 Replies

jackko
Level 7

1. unfortunately, one single key has to be deployed for all ezvpn clients.

2. is this happening frequently? it's fine if it happens only once or twice; sometimes a vpn freezes and the pix/router won't be able to rebuild the tunnel automatically. what you need to do then is "clear crypto ipsec sa peer " and/or "clear crypto sa peer ". alternatively, in an extreme case, you may un-apply the crypto map and re-apply the crypto map again.

Hi Jack

So is the only option to get static IPs from the ISP if we have multiple sites?

regards

venkat

5220
Level 4

Hi Alejandro,

You can create a remote access group instead of the site-to-site if the devices on the other end can work as VPN clients. This way you can map each device to a different group and all of them can connect at the same time.

See http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008019e6d7.shtml

However, asking the ISP to provide you with static IPs and doing site-to-site is better, due to the fact that in a remote-access scenario only the client can initiate the connection.

Rate if this helped.

Daniel
