https://community.cisco.com/t5/network-security/remove-crytpo-map-and-pix-locks-up/m-p/353820#M556436 <HTML><HEAD></HEAD><BODY><P>Thanks for your input, I will try this tonight and reply tomorrow and let you know.</P></BODY></HTML> Wed, 13 Oct 2004 19:32:59 GMT tony.hanson 2004-10-13T19:32:59Z https://community.cisco.com/t5/network-security/remove-crytpo-map-and-pix-locks-up/m-p/353817#M556433 <P>We have a site to site VPN and we are migrating to a new DSL connection on one side and when I went to remove the crypto map so I could put in the new peer address the pix locks up. I've had this happen before and know that there is a procedure to prevent this but don't know what it is. All I'm trying to do is change the address from the: "crypto map AMLVPN 10 set peer xx.xx.xx.xxx" to the new IP address of the new DSL connection.</P> Fri, 21 Feb 2020 07:40:39 GMT https://community.cisco.com/t5/network-security/remove-crytpo-map-and-pix-locks-up/m-p/353817#M556433 tony.hanson 2020-02-21T07:40:39Z https://community.cisco.com/t5/network-security/remove-crytpo-map-and-pix-locks-up/m-p/353818#M556434 <HTML><HEAD></HEAD><BODY><P>Use this commands to clear/reset all connections:</P><P></P><P>clear ipsec sa</P><P>clear isakmp sa</P><P></P><P>Use this command to reset a specific VPN peer:</P><P></P><P>clear [crypto] ipsec sa entry destination-address protocol spi</P><P>clear [crypto] ipsec sa map map-name </P><P>clear [crypto] ipsec sa peer</P><P></P><P>Command reference FOS ver 6.3:</P><P>crypto ipsec</P><P>------------</P><P>Create, view, or delete IPSec security associations, security association global lifetime values, and global transform sets.</P><P></P><P>[no] crypto ipsec security-association lifetime seconds seconds | kilobytes kilobytes</P><P></P><P>crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]</P><P></P><P>crypto ipsec transform-set transform-set-name mode transport</P><P></P><P>[no] crypto ipsec transform-set trans-name [ah-md5-hmac | ah-sha-hmac] [esp-aes |esp-aes-192 | esp-aes-256| esp-des | esp-3des| esp-null] [esp-md5-hmac | esp-sha-hmac]</P><P></P><P>clear [crypto] ipsec sa</P><P></P><P>clear [crypto] ipsec sa counters</P><P></P><P>clear [crypto] ipsec sa entry destination-address protocol spi</P><P></P><P>clear [crypto] ipsec sa map map-name</P><P></P><P>clear [crypto] ipsec sa peer</P><P></P><P>show crypto ipsec security-association lifetime</P><P></P><P>show crypto ipsec transform-set [tag transform-set-name]</P><P></P><P>show crypto ipsec sa [map map-name | address | identity] [detail] </P><P></P><P>See in the command reference for more details:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a6.html#wp1026972" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a6.html#wp1026972</A></P><P></P><P>sincerely</P><P>Patrick</P></BODY></HTML> Wed, 13 Oct 2004 17:51:21 GMT https://community.cisco.com/t5/network-security/remove-crytpo-map-and-pix-locks-up/m-p/353818#M556434 Patrick Iseli 2004-10-13T17:51:21Z https://community.cisco.com/t5/network-security/remove-crytpo-map-and-pix-locks-up/m-p/353819#M556435 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The order of the commands is really important. Do the following</P><P>1) disable isakmp on the interface in question</P><P>2) clear the crypto map from the interface</P><P>3) modify the crypto map definition (e.g. peer)</P><P>4) clear the SAs.</P><P>5) put the cry map back to the interface</P><P>6) reenable the isakmp on the interface</P><P></P><P>In config:</P><P>no cry isak en outside</P><P>no cry map AMLVPN int outside</P><P>no cry map AMLVPN 10 set peer A.B.C.D</P><P>cry map AMLVPN 10 set peer D.C.B.A</P><P>cle cry ips sa</P><P>cle cry sa</P><P>cle cry isa sa</P><P>cry map AMLVPN int outside</P><P>isak en outside</P><P></P><P></P><P>If you follow this order, it works. I often migrate my clients w/ this, even if they are 2000 Km far from here... <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span></P><P></P><P>SubAa</P><P></P><P></P></BODY></HTML> Wed, 13 Oct 2004 19:12:57 GMT https://community.cisco.com/t5/network-security/remove-crytpo-map-and-pix-locks-up/m-p/353819#M556435 subaa 2004-10-13T19:12:57Z https://community.cisco.com/t5/network-security/remove-crytpo-map-and-pix-locks-up/m-p/353820#M556436 <HTML><HEAD></HEAD><BODY><P>Thanks for your input, I will try this tonight and reply tomorrow and let you know.</P></BODY></HTML> Wed, 13 Oct 2004 19:32:59 GMT https://community.cisco.com/t5/network-security/remove-crytpo-map-and-pix-locks-up/m-p/353820#M556436 tony.hanson 2004-10-13T19:32:59Z https://community.cisco.com/t5/network-security/remove-crytpo-map-and-pix-locks-up/m-p/353821#M556437 <HTML><HEAD></HEAD><BODY><P>Worked out well.</P><P></P><P>Thanks!</P></BODY></HTML> Thu, 14 Oct 2004 11:30:03 GMT https://community.cisco.com/t5/network-security/remove-crytpo-map-and-pix-locks-up/m-p/353821#M556437 tony.hanson 2004-10-14T11:30:03Z