I'm just shooting in the dark, but what is that: "710003: ESP access denied by ACL from "router IP"/12304 to PIXINTERF:IP/24081. " Do you have any reflexive lists? And what happens if you are not using this connection to transmit data? I mean, did you try just connecting the router to the PIX without transmitting any data, to see when the connection will be dropped? I believe that this session will go down at exactly 'x' minutes every time. If my theory is correct, maybe you have some reflexive lists, which expire after 'x' minutes when the PIX stops sending data to the client (router).
When you clear the crypto isakmp SAs, you are actually forcing the ISAKMP/IKE daemon to create the new SAs by initiating the UDP/TCP session to port 500 on the remote host. The newly initiated session creates another temporary rule in the reflexive lists, and your connection is going to transmit data again and again until the PIX stops transmitting data. Then the timeout in the reflexive lists expires again, and the temporarily created rule is removed.
Maybe I'm wrong, but this is just a guess. However, tell us what the problem was if you solve it!