topic Re: PIX 535 x aes in Network Security https://community.cisco.com/t5/network-security/pix-535-x-aes/m-p/458975#M557231 <HTML><HEAD></HEAD><BODY><P>Does the 535-506E not initialize the VPN, or just not pass the traffic? </P><P></P><P>Verify that all Pix's have the same IKE Policies and IPSec transform sets. Also verify that the IKE Policies have the same priority. I'm assuming the IPSec priorities are ok if it works with DES.</P><P></P><P>If the IKE policies match, but IPSec transform sets do not, the VPN can be initialized, but the traffic will fail. Verify the existing IKE (Phase 1) tunnels by using 'sh cry is sa'. A healthy tunnel should be in 'QM_IDLE' mode. Verify IPSec (Phase 2) by using 'sh cry ip sa'. This will show you the number of sent, received, and error packets.</P><P></P><P>Note- I've been very happy with AES-128. AES-256 killed system resources on 501 and 506s.</P></BODY></HTML> Wed, 15 Jun 2005 19:22:50 GMT pkinzel 2005-06-15T19:22:50Z PIX 535 x aes https://community.cisco.com/t5/network-security/pix-535-x-aes/m-p/458974#M557229 <P>I'm trying to migrate from DES to AES and my net has PIX 506E, 515 and 535. When the VPN is estabilished between 515-506E both side can initialize it. But between 535-506E only the 506E initialize the VPN.</P><P></P><P>If I return to DES the VPN works ok. </P><P></P><P>Is it correct?</P><P></P><P>Tks,</P><P></P><P>Marcelo</P> Fri, 21 Feb 2020 08:12:11 GMT https://community.cisco.com/t5/network-security/pix-535-x-aes/m-p/458974#M557229 marcelo.rosas 2020-02-21T08:12:11Z Re: PIX 535 x aes https://community.cisco.com/t5/network-security/pix-535-x-aes/m-p/458975#M557231 <HTML><HEAD></HEAD><BODY><P>Does the 535-506E not initialize the VPN, or just not pass the traffic? </P><P></P><P>Verify that all Pix's have the same IKE Policies and IPSec transform sets. Also verify that the IKE Policies have the same priority. I'm assuming the IPSec priorities are ok if it works with DES.</P><P></P><P>If the IKE policies match, but IPSec transform sets do not, the VPN can be initialized, but the traffic will fail. Verify the existing IKE (Phase 1) tunnels by using 'sh cry is sa'. A healthy tunnel should be in 'QM_IDLE' mode. Verify IPSec (Phase 2) by using 'sh cry ip sa'. This will show you the number of sent, received, and error packets.</P><P></P><P>Note- I've been very happy with AES-128. AES-256 killed system resources on 501 and 506s.</P></BODY></HTML> Wed, 15 Jun 2005 19:22:50 GMT https://community.cisco.com/t5/network-security/pix-535-x-aes/m-p/458975#M557231 pkinzel 2005-06-15T19:22:50Z