cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
790
Views
0
Helpful
2
Replies

pix 501 to ios tunnel dropping randomly

acomiskey
Level 10
Level 10

I have a vpn tunnel configured between a pix 501 and 7200 router. The tunnel works fine until at some point during the day it stops working and am unable to bring it back up unless I clear out all the sa's on both sides. The tunnel then comes back up. I have included debugs from both ends and the relevant configuration. Any help would be appreciated. Thanks.

2 Replies 2

acomiskey
Level 10
Level 10

I changed the p2 lifetime on router to 28800 to match pix. We'll see what happens.

Ok, so the tunnel is failing once phase 1 times out. It is attempting to rekey but the router is using the wrong isakmp profile/keyring. Therefore the pre-shared keys aren't matching.

ISAKMP: Looking for a matching key for 99.36.x.x in default

ISAKMP: Looking for a matching key for 99.36.x.x in location1

ISAKMP: Looking for a matching key for 99.36.x.x in location2

ISAKMP: Looking for a matching key for 99.36.x.x in location3

ISAKMP: Looking for a matching key for 99.36.x.x in location4

ISAKMP: Looking for a matching key for 99.36.x.x in location5

ISAKMP: Looking for a matching key for 99.36.x.x in location6

ISAKMP: Looking for a matching key for 99.36.x.x in location7

ISAKMP: Looking for a matching key for 99.36.x.x in location8

ISAKMP: Looking for a matching key for 99.36.x.x in location9

ISAKMP: Looking for a matching key for 99.36.x.x in location10 : success

The problem here is it should match "location12".

Here is my keyring config.

crypto keyring location1

pre-shared-key address 72.x.x.x key *

crypto keyring location2

pre-shared-key address 75.x.x.x key *

crypto keyring location3

pre-shared-key address 99.x.x.x key *

crypto keyring location4

pre-shared-key address 12.x.x.x key *

crypto keyring location5

pre-shared-key address 216.x.x.x key *

crypto keyring location6

pre-shared-key address 151.x.x.x key *

crypto keyring location7

pre-shared-key address 72.x.x.x key *

crypto keyring location8

pre-shared-key address 71.x.x.x key *

crypto keyring location9

pre-shared-key address 98.x.x.x key *

crypto keyring location10

pre-shared-key address 0.0.0.0 0.0.0.0 key *

crypto keyring location11

pre-shared-key address 70.x.x.x key *

crypto keyring location12

pre-shared-key address 99.36.x.x key *

I suppose this is happening because it matches "0.0.0.0 0.0.0.0" before it gets to 99.36.x.x. If this is the case, why does the tunnel ever come up in the first place? Do I have to move the "location10" keyring to the bottom of the list?