I have a router with two Internet connections, which is then connected to a PIX behind it. All vpn inbound connections are sent (by using static translations) to the PIX using Internet link 1 and it works fine. I then made another connection between the router and PIX and sent vpn traffic to it using Internet link 2.
The problem is whenever I try to VPN using the Internet link 2 interface the connection will not establish and the show crypto isakmp sa gives me the output AG_INIT_EXCH.
I am not sure that there is enough information provided for us to really understand the issue or to give you possible solutions. Your description talks about the router with 2 Internet connections, where VPN traffic comes over one connection and is sent to the PIX using some translation mechanism. Then you describe creating another connection from the router to the PIX (at least I think that is what you are describing) and trying to send traffic over the second connection.
From that description my first guess is that there is something in the translation mechanism that is the issue. Is it possible that the traffic arrives over the second connection but the response goes back on the first connection (as normal traffic would do)? It may be that the asymmetric path there is the problem.
If you provide a bit more detail about the environment and perhaps relevant parts of the config then perhaps we could give you better answers.
So, the VPN Tunnel that you are talking about, is this Remote Access or L2L? Based upon the debug message "AG_INIT_EXCH", I am going to assume that this is Remote Access users and explain below why this was not working. If this is an L2L Tunnel, please provide some additional details.
The second connection between the PIX and Router, is this like a DMZ link or are you doing VLAN Sub Interfaces to the router? Also, where is the default gateway on the PIX pointing to? If remote users are connecting to the PIX, then the return traffic is going to follow the default gateway and take Internet Link 1 instead of Link 2. And this is probably why your tunnel is getting stuck at AG_INIT_EXCH.
I guess you are both correct, it could be a routing issue, and yes, it is remote access VPN, but let me clarify. The PIX has two links to the router, both interfaces are configured as outside interfaces on the PIX, outside and outside2, and the default route uses the outside interface. The router has static translations for VPN traffic and sends it to the outside and outside2 interfaces.
What I want is if Internet link 1 goes down then VPN traffic can come in on Internet link 2. The router is set up such that if Internet link 1 goes down then VPN traffic coming from the PIX will be sent over Internet link 2. Could it be that I need to change the default route on the PIX to use outside2 to get it to work when a failure occurs?