VPN with Active/standby PIX 525

ibrahim_hassan
Level 1

Hi,

I am running PIX 7.2. Suddenly one of the operational site-to-site VPNs is not working; I can see traffic decrypted but not encrypted.

When I fail over to the other unit, the issue is resolved.

Has anyone faced this issue before?

Ibrahim

2 Replies

Kureli Sankar
Cisco Employee

Interesting... Are you sure that both configs are exactly the same?

You do have nat 0 with ACL on both units, and the crypto ACL matches on both units? Is the route to the remote network present during the broken scenario?

You need to failover and troubleshoot the problem.

When this fails to establish the tunnel, what do the syslogs in debug level say?

-Kureli

My suggestion here would be to do the following. First, on the unit that has crypto issues, try to clear the SA for the respective tunnel/s. If that doesn't solve it, proceed with the following. Issue the 'sh fail' command and make sure your primary 'unit' is the active mate in the pair. Disable 'failover' on the primary. SSH/Telnet or console directly into the 'standby' mate (which should be listed as your secondary in the earlier output). Erase the configuration of the secondary/standby, and re-apply the 'failover configuration', which is literally 5-6 lines of configuration. Go back into the primary unit via a mgmt or console session, re-enable 'failover', and monitor the 'replication messages'. If your configurations are not in sync, it will display some erroneous messages. However, if you go through these steps you will know for sure if your configurations are synchronized. As Poonguzhali stated, there could be a configuration mismatch.
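
The configuration comparison raised in the replies above (nat 0 ACL, crypto ACL, route to the remote network), as an added example that is not part of either reply: a Python script that extracts those lines from the saved running-config of each unit and reports what differs. The sample configs, ACL names and addresses are constructed for illustration.

```python
import re

# Running-config lines that decide whether traffic to the remote network
# is exempted from NAT, matched by the crypto map, and routed.
VPN_PATTERNS = [
    re.compile(r"^nat \(\S+\) 0 access-list \S+"),
    re.compile(r"^crypto map \S+ \d+ "),
    re.compile(r"^route \S+ "),
]
ACL_REFS = [
    re.compile(r"^nat \(\S+\) 0 access-list (\S+)"),
    re.compile(r"^crypto map \S+ \d+ match address (\S+)"),
]

def vpn_lines(config):
    """Return the VPN-relevant lines of one unit's config, whitespace-normalized."""
    lines = [" ".join(raw.split()) for raw in config.splitlines()]
    keep = {l for l in lines if any(p.match(l) for p in VPN_PATTERNS)}
    # Also keep every entry of the ACLs that nat 0 / crypto map point at.
    acls = {m.group(1) for l in keep for p in ACL_REFS if (m := p.match(l))}
    keep |= {l for l in lines if l.startswith("access-list ") and l.split()[1] in acls}
    return keep

def compare_units(primary, secondary):
    """Report VPN-relevant lines present on one unit but not the other."""
    a, b = vpn_lines(primary), vpn_lines(secondary)
    return {"only_primary": sorted(a - b), "only_secondary": sorted(b - a)}

# Constructed sample configs (hypothetical names, documentation addresses).
PRIMARY = """\
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list vpn_remote extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list outside_in extended permit tcp any host 192.0.2.10 eq www
nat (inside) 0 access-list nonat
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
crypto map outside_map 20 match address vpn_remote
crypto map outside_map 20 set peer 198.51.100.2
crypto map outside_map 20 set transform-set ESP-3DES-SHA
"""
# Secondary: the nat 0 ACL names the wrong remote subnet; the logging line is unrelated.
SECONDARY = PRIMARY.replace(
    "access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0",
    "access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0",
) + "logging trap debugging\n"

if __name__ == "__main__":
    for side, lines in compare_units(PRIMARY, SECONDARY).items():
        for line in lines:
            print(f"{side}: {line}")
```

An empty result for both keys means the NAT exemption, crypto map, referenced ACLs and static routes are identical on the two units.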
