Hello, I'm having two problems with four VPNs mounted on a PIX 515E connected to the Internet by a direct connection. Other peers are Linksys BEFSX41 with DSL.
1) I set up different crypto maps (each one with its own isakmp key), associating those keys with the remote peer IP address (two peers have static IP addresses). The problem is this: the other two peers have dynamic IP addresses. I configured one crypto dynamic-map for one of them, using a preshared-key associated with the IP 0.0.0.0 netmask 0.0.0.0.
How can I configure ANOTHER DIFFERENT preshared-key for the second crypto dynamic-map, if it has a dynamic IP address too?
2) Two VPNs are working perfectly, but one of them, at a random time (approx. 2 days), hangs and doesn't work any more.
When it happened I ran show isakmp sa on the PIX. It says that there are:
Total : 583
Embryonic : 0
And it gave me a list of the 583 connections, all in a QM_IDLE state.
What does it mean? Where can I find any information about this problem? Why does one VPN work perfectly and the other hang if both are configured in the same way?
1. unfortunately, one single key has to be deployed for all ezvpn clients.
2. is this happening frequently? it's fine if it happens only once or twice, as sometimes a vpn freezes and the pix/router won't be able to rebuild the tunnel automatically. what you need to do then is do "clear crypto ips sa peer " and/or "clear crypto sa peer ". alternatively, in an extreme case, you may un-apply the crypto map and re-apply the crypto map again.
You can create a remote access group instead of the site-to-site if the devices on the other end can work as VPN clients. This way you can map each device to a different group and all of them can connect at the same time.