Remove Crypto Map and PIX locks up

tony.hanson
Level 4

We have a site-to-site VPN and we are migrating to a new DSL connection on one side. When I went to remove the crypto map so I could put in the new peer address, the PIX locked up. I've had this happen before and know that there is a procedure to prevent this, but I don't know what it is. All I'm trying to do is change the address in "crypto map AMLVPN 10 set peer xx.xx.xx.xxx" to the IP address of the new DSL connection.

4 Replies

Patrick Iseli
Level 11

Use these commands to clear/reset all connections:

clear ipsec sa

clear isakmp sa

Use one of these commands to reset a specific VPN peer:

clear [crypto] ipsec sa entry destination-address protocol spi

clear [crypto] ipsec sa map map-name

clear [crypto] ipsec sa peer

Command reference, FOS ver 6.3:

crypto ipsec

------------

Create, view, or delete IPSec security associations, security association global lifetime values, and global transform sets.

[no] crypto ipsec security-association lifetime seconds seconds | kilobytes kilobytes

crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

crypto ipsec transform-set transform-set-name mode transport

[no] crypto ipsec transform-set trans-name [ah-md5-hmac | ah-sha-hmac] [esp-aes |esp-aes-192 | esp-aes-256| esp-des | esp-3des| esp-null] [esp-md5-hmac | esp-sha-hmac]

clear [crypto] ipsec sa

clear [crypto] ipsec sa counters

clear [crypto] ipsec sa entry destination-address protocol spi

clear [crypto] ipsec sa map map-name

clear [crypto] ipsec sa peer

show crypto ipsec security-association lifetime

show crypto ipsec transform-set [tag transform-set-name]

show crypto ipsec sa [map map-name | address | identity] [detail]

See the command reference for more details:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a6.html#wp1026972

Sincerely,

Patrick

subaa
Level 3

Hi,

The order of the commands is really important. Do the following:

1) disable ISAKMP on the interface in question

2) clear the crypto map from the interface

3) modify the crypto map definition (e.g. the peer)

4) clear the SAs.

5) put the crypto map back on the interface

6) re-enable ISAKMP on the interface

In config:

no cry isak en outside

no cry map AMLVPN int outside

no cry map AMLVPN 10 set peer A.B.C.D

cry map AMLVPN 10 set peer D.C.B.A

cle cry ips sa

cle cry sa

cle cry isa sa

cry map AMLVPN int outside

isak en outside

If you follow this order, it works. I often migrate my clients with this, even when they are 2000 km away from here... 😄

SubAa
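The six-step order above is easy to get wrong when typed by hand against a remote box. As an added example (not part of the thread, and not Cisco's or either poster's code), the script below reads a running-config excerpt, locates the `crypto map <name> <seq> set peer` entry and the interface the map is bound to, and emits the unabbreviated command sequence in exactly the order subaa gives: disable ISAKMP, unbind the map, swap the peer, clear the IPsec and ISAKMP SAs, rebind, re-enable. It refuses to produce a sequence if the entry or the interface binding is missing, and it lists any other lines that still name the old peer (such as an `isakmp key ... address` entry, which the peer change does not touch). The config text, map name, sequence number, interface and addresses are constructed for illustration; the unabbreviated spellings of the PIX 6.3 commands are assumed to match the abbreviated ones in the post.

```python
import ipaddress
import re

# Constructed PIX 6.3 running-config excerpt modelled on the thread
# (map AMLVPN, entry 10, bound to the outside interface). Addresses are
# documentation ranges, not real peers; the pre-shared key is masked as
# the PIX prints it in "show running-config".
SAMPLE_CONFIG = """\
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map AMLVPN 10 ipsec-isakmp
crypto map AMLVPN 10 match address AMLVPN_ACL
crypto map AMLVPN 10 set peer 192.0.2.10
crypto map AMLVPN 10 set transform-set STRONG
crypto map AMLVPN 20 ipsec-isakmp
crypto map AMLVPN 20 match address OTHER_ACL
crypto map AMLVPN 20 set peer 198.51.100.7
crypto map AMLVPN 20 set transform-set STRONG
crypto map AMLVPN interface outside
isakmp enable outside
isakmp key ******** address 192.0.2.10 netmask 255.255.255.255
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")


def parse_crypto_map(config):
    """Return ({(map_name, seq): peer}, {map_name: interface}) from config text."""
    peers, ifaces = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = PEER_RE.match(line)
        if m:
            peers[(m.group(1), int(m.group(2)))] = m.group(3)
            continue
        m = IFACE_RE.match(line)
        if m:
            ifaces[m.group(1)] = m.group(2)
    return peers, ifaces


def other_references(config, peer):
    """Lines other than 'set peer' that still name the address (e.g. an
    'isakmp key ... address <peer>' entry that must be updated separately)."""
    # Anchor on non-address characters so 192.0.2.10 does not match 192.0.2.100.
    pat = re.compile(r"(?<![\d.])" + re.escape(peer) + r"(?![\d.])")
    return [l.strip() for l in config.splitlines()
            if pat.search(l) and not PEER_RE.match(l.strip())]


def plan_peer_change(config, map_name, seq, new_peer):
    """Ordered command list for the procedure in the thread. Raises ValueError
    rather than emitting a half-valid sequence if the config does not contain
    the expected map entry and interface binding."""
    ipaddress.IPv4Address(new_peer)  # reject a mistyped address before touching the box
    peers, ifaces = parse_crypto_map(config)
    if (map_name, seq) not in peers:
        raise ValueError(f"no 'crypto map {map_name} {seq} set peer' entry in config")
    if map_name not in ifaces:
        raise ValueError(f"crypto map {map_name} is not bound to any interface")
    old_peer = peers[(map_name, seq)]
    if old_peer == new_peer:
        raise ValueError("new peer equals the current peer; nothing to change")
    iface = ifaces[map_name]
    return [
        f"no isakmp enable {iface}",                              # 1) disable ISAKMP
        f"no crypto map {map_name} interface {iface}",            # 2) unbind the map
        f"no crypto map {map_name} {seq} set peer {old_peer}",    # 3) swap the peer
        f"crypto map {map_name} {seq} set peer {new_peer}",
        "clear crypto ipsec sa",                                  # 4) clear the SAs
        "clear crypto isakmp sa",
        f"crypto map {map_name} interface {iface}",               # 5) rebind the map
        f"isakmp enable {iface}",                                 # 6) re-enable ISAKMP
    ]


if __name__ == "__main__":
    plan = plan_peer_change(SAMPLE_CONFIG, "AMLVPN", 10, "203.0.113.25")
    print("\n".join(plan))
    for line in other_references(SAMPLE_CONFIG, "192.0.2.10"):
        print(f"! still references old peer, fix by hand: {line}")
```

Run it with the real output of `show running-config` pasted in place of the constructed sample; the printed block is what to enter in config mode, and the trailing `!` lines are the entries (typically the pre-shared key bound to the old address) that the peer change alone leaves stale.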

Thanks for your input. I will try this tonight and reply tomorrow to let you know.

Worked out well.

Thanks!
