We have seen with some non-Cisco devices, it is mandatory to have PFS enabled, and in some cases it would just not work with PFS. So, except for those specific non-Cisco devices, we would always suggest having PFS disabled.
Moreover, unless we look at the debugs we cannot confirm whether PFS is the problem or something else. On the whole, we can say that we need to confirm that the configuration matches on both devices. In many cases I have personally seen that a misconfigured Linksys device causes the problems. So please make sure that the phase 1 and phase 2 policies (encryption, hash, lifetimes, etc.) match. Crypto ACLs should be mirror images of each other. The peer IP should be correct on each end, and PFS should be disabled.
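The checklist in the reply above (phase 1 and phase 2 parameters identical, crypto ACLs mirrored, peer IPs pointing at each other, PFS setting agreed) can be scripted so that both sides are compared field by field rather than eyeballed. The following is an added example written for this thread, not code posted by either participant or by Cisco; the dataclass field names, the `check_pair` function and the two endpoint definitions (with addresses from the documentation ranges) are constructed for illustration.

```python
"""Side-by-side consistency check for a site-to-site IPsec tunnel.

Hypothetical model: each endpoint is described by its ISAKMP (phase 1)
policy, its IPsec (phase 2) transform/PFS settings, its peer addressing
and the permit entries of its crypto ACL as (local, remote) network pairs.
"""
import ipaddress
from dataclasses import dataclass, fields, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Phase1:
    """ISAKMP policy (constructed field names)."""
    encryption: str
    hash_alg: str
    dh_group: int
    lifetime: int
    auth: str = "pre-share"


@dataclass(frozen=True)
class Phase2:
    """IPsec SA parameters. pfs_group=None means PFS disabled."""
    transform: frozenset          # order-independent set of ESP algorithms
    lifetime: int
    pfs_group: Optional[int]


@dataclass(frozen=True)
class Endpoint:
    name: str
    wan_ip: str
    remote_peer_ip: str
    phase1: Phase1
    phase2: Phase2
    crypto_acl: Tuple[Tuple[str, str], ...]   # (local network, remote network)


def check_pair(a: Endpoint, b: Endpoint) -> List[str]:
    """Return a list of mismatches between the two ends; empty means consistent."""
    problems = []
    # Phase 1 and phase 2 parameters must be identical on both ends.
    for stage, pa, pb in (("phase1", a.phase1, b.phase1), ("phase2", a.phase2, b.phase2)):
        for f in fields(pa):
            va, vb = getattr(pa, f.name), getattr(pb, f.name)
            if va != vb:
                problems.append(f"{stage} {f.name}: {a.name}={va!r} {b.name}={vb!r}")
    # Each side's configured peer must be the other side's WAN address.
    if a.remote_peer_ip != b.wan_ip:
        problems.append(f"peer: {a.name} points at {a.remote_peer_ip}, {b.name} WAN is {b.wan_ip}")
    if b.remote_peer_ip != a.wan_ip:
        problems.append(f"peer: {b.name} points at {b.remote_peer_ip}, {a.name} WAN is {a.wan_ip}")
    # Crypto ACLs must mirror each other: (local, remote) on A == (remote, local) on B.
    a_entries = {(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in a.crypto_acl}
    b_mirror = {(ipaddress.ip_network(r), ipaddress.ip_network(l)) for l, r in b.crypto_acl}
    key = lambda e: (str(e[0]), str(e[1]))
    for local, remote in sorted(a_entries - b_mirror, key=key):
        problems.append(f"crypto ACL: {a.name} permits {local} -> {remote}, no mirror entry on {b.name}")
    for local, remote in sorted(b_mirror - a_entries, key=key):
        problems.append(f"crypto ACL: {b.name} permits {remote} -> {local}, no mirror entry on {a.name}")
    return problems


# Constructed sample: a router with two inside subnets and a remote device
# whose hash, PFS setting and second ACL entry do not match.
ROUTER = Endpoint(
    name="router", wan_ip="203.0.113.1", remote_peer_ip="198.51.100.7",
    phase1=Phase1("3des", "sha", 2, 86400),
    phase2=Phase2(frozenset({"esp-3des", "esp-sha-hmac"}), 3600, None),
    crypto_acl=(("10.1.1.0/24", "192.168.5.0/24"), ("10.1.2.0/24", "192.168.5.0/24")),
)
REMOTE = Endpoint(
    name="remote", wan_ip="198.51.100.7", remote_peer_ip="203.0.113.1",
    phase1=Phase1("3des", "md5", 2, 86400),
    phase2=Phase2(frozenset({"esp-sha-hmac", "esp-3des"}), 3600, 2),
    crypto_acl=(("192.168.5.0/24", "10.1.1.0/24"),),
)
# The same remote end after correcting the three findings.
REMOTE_FIXED = replace(
    REMOTE,
    phase1=replace(REMOTE.phase1, hash_alg="sha"),
    phase2=replace(REMOTE.phase2, pfs_group=None),
    crypto_acl=REMOTE.crypto_acl + (("192.168.5.0/24", "10.1.2.0/24"),),
)

if __name__ == "__main__":
    for line in check_pair(ROUTER, REMOTE):
        print(line)
    print("fixed:", check_pair(ROUTER, REMOTE_FIXED))
```

The transform set is compared as an unordered set so that "esp-3des esp-sha-hmac" and "esp-sha-hmac esp-3des" are treated as equal, while the crypto ACL comparison works on parsed networks so that a missing mirror entry for one of two inside subnets is reported explicitly rather than hidden in a textual diff.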
Not much luck so far. I turned off PFS and double and triple checked that my transform and IPsec settings on the Linksys match.
My crypto map has an entry for both subnets with the inside address as the first address.
One of the tunnels comes up and works fine. It negotiates ISAKMP and extended pings work, no problem.
I can initiate the second tunnel (from the Linksys) and it comes up. The problem begins as soon as I try to send traffic through the second tunnel. Several pings will get through and then a couple of timeouts. The process repeats until I stop the ping on the second tunnel.
It looks like each ping packet on the second tunnel causes ISAKMP to re-initialize. I plan on calling support tomorrow if no one has any ideas.