PIX 535 x aes

marcelo.rosas
Community Member

I'm trying to migrate from DES to AES and my net has PIX 506E, 515 and 535. When the VPN is established between 515-506E, both sides can initialize it. But between 535-506E, only the 506E initializes the VPN.

If I return to DES the VPN works ok.

Is it correct?

Tks,

Marcelo


pkinzel
Community Member

Does the 535-506E not initialize the VPN, or just not pass the traffic?

Verify that all PIXes have the same IKE policies and IPSec transform sets. Also verify that the IKE policies have the same priority. I'm assuming the IPSec priorities are OK if it works with DES.

If the IKE policies match, but IPSec transform sets do not, the VPN can be initialized, but the traffic will fail. Verify the existing IKE (Phase 1) tunnels by using 'sh cry is sa'. A healthy tunnel should be in 'QM_IDLE' mode. Verify IPSec (Phase 2) by using 'sh cry ip sa'. This will show you the number of sent, received, and error packets.

Note: I've been very happy with AES-128. AES-256 killed system resources on 501s and 506s.
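As an added illustration of the matching Phase 1 and Phase 2 settings the reply above describes (example configuration, not from either poster in this thread), this is what the relevant lines look like on one PIX peer in PIX 6.3 syntax. The peer address 203.0.113.2, the LAN ranges, the names VPN_ACL, AES128-SHA and VPNMAP, and the pre-shared key are placeholders; the other PIX carries the same policy and transform set with only the peer address and the crypto ACL mirrored.

```cisco
! Example config (not from the thread): identical IKE policy and IPSec
! transform set on each PIX peer. Placeholder values: 203.0.113.2 is the
! remote peer, 192.168.1.0/24 is the local LAN, 192.168.2.0/24 the remote
! LAN, and PRESHARED_KEY_PLACEHOLDER stands in for the real pre-shared key.

! Traffic to be protected (crypto ACL); reverse source/destination on the peer
access-list VPN_ACL permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! Phase 1 (IKE). Same priority, encryption, hash, DH group and lifetime on
! every peer. "aes" selects AES-128; "aes-256" is the heavier option.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key PRESHARED_KEY_PLACEHOLDER address 203.0.113.2 netmask 255.255.255.255

! Phase 2 (IPSec). The transform set must be configured on both sides;
! a Phase 1 match with a Phase 2 mismatch gives a tunnel that passes nothing.
crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac

crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address VPN_ACL
crypto map VPNMAP 10 set peer 203.0.113.2
crypto map VPNMAP 10 set transform-set AES128-SHA
crypto map VPNMAP interface outside
sysopt connection permit-ipsec

! Verification once interesting traffic has triggered the tunnel:
!   show crypto isakmp sa   -> the peer entry should be in state QM_IDLE
!   show crypto ipsec sa    -> #pkts encaps / #pkts decaps should climb,
!                              #send errors / #recv errors should stay at 0
```

Compare the output of show crypto isakmp sa and show crypto ipsec sa on both ends: a QM_IDLE entry on one side but none on the other, or encaps counters rising with decaps stuck at zero, points at a policy or transform-set mismatch rather than a routing problem.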
