Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Problems with VPN´s

Hello, I´m having two problems with four VPN´s mounted on a PIX 515E connected to the Internet by a direct concection. Other peers are Linksys BEFSX41 with DSL.

1) I set up different crypto maps (each one with it´s own isakmp key), associating those keys with the remote peer IP address (Two peers have static IP address). The problem is this: the other two peers have dynamic ip addresses. I configured one crypto dynamic-map for one of them, using a preshared-key associated to the ip netmask

How can I configure ANOTHER DIFFERENT preshared-key for the second crypto dynamic-map, if it has dynamic IP address too?

2) Two VPN´s are working perfect, but one of them in a random time (2 days aprox) hangs and don´t work any more.

When it happened I ran show isakmp sa in the pix. It says that there are:

Total : 583

Embryonic : 0

And it gave me a list of the 583 connections, all in a QM_IDLE state.

What does it mean? Where can I found any information about this problem? Why one VPN works perfect and the other hangs if both are configured in the same way?

I´m new in Cisco PIX...

Thank you for your help!!!



Re: Problems with VPN´s

1. unfortunately, one single key has to be deployed for all ezvpn client.

2. is this happening frequently? it's fine if it happens only once or twice; as sometimes vpn freezes and pix/router won't be able to rebuild the tunnel automatically. what you need to do then is do "clear crypto ips sa peer " and/or "clear crypto sa peer ". alternatively, with an extreme case, you may un-apply the crypto map and re-apply the crypto map again.

New Member

Re: Problems with VPN´s

Hi Jack

So is the only option to get static IPs from ISP if we have multiple sites?



Re: Problems with VPN´s

Hi Alejandro,

You can create a remote access group instead of the site to site if the devices on the other end can work as VPN clients. This way you can map each device a different group and all of them can connect in the same time.


However, asking the ISP to provide you static IPs and do site-to-site is better, due to the fact that in a remote-access scenario only the client can initiate the connection.

Rate if this helped.


CreatePlease to create content