PIX 501 to PIX 501 IPSec tunnel problems

hugo.pernicha
Level 1

I have a tunnel established between two sites. They both have a PIX 501 running version 6.2.2. Let's name the PIXs A and B. Everything works fine, but if, for example, PIX A reboots (due to a power failure, for example), then after PIX A reboots I am unable to re-establish the tunnel with traffic from PIX B, which stayed connected (and also did not lose its security associations).

I need help on this.

Thanks

Hugo

1 Reply

gfullage
Cisco Employee

This is a fairly common problem, since there's nothing in the IPSec specification that allows for any sort of keepalive so that one side knows that the other side has gone down. In your case PIX B will happily keep encrypting packets and sending them to PIX A because it has no idea that PIX A rebooted and has dropped its tunnels.

For Cisco to Cisco tunnels though, we implemented a keepalive mechanism to get around this problem. Use the command:

> isakmp keepalive 30

to have the PIXs send keepalive packets every 30 seconds. They'll at least be able to detect a failure then and will bring the tunnel down gracefully; a new one can then be rebuilt when traffic starts flowing again.

See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#1027312
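For context, here is where the keepalive command sits in a complete PIX 6.2 site-to-site configuration. This is an added example, not configuration from the original post; the peer address, network ranges, pre-shared key and access-list/crypto-map names are assumed placeholders, and the mirror of this config (with the peer address and networks swapped) is assumed to be on PIX B. The keepalive is Cisco-proprietary, so it must be configured on both PIXs to have any effect.

```cisco
! --- PIX A (outside 203.0.113.1), protecting 10.1.1.0/24; peer PIX B is 203.0.113.2, protecting 10.2.2.0/24 ---
! Addresses, networks, names and key below are assumed placeholders for this example.

! Interesting traffic: what gets encrypted, and also exempted from NAT
access-list vpn-traffic permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list vpn-traffic

! Allow decrypted IPSec traffic in without per-rule conduits/ACLs
sysopt connection permit-ipsec

! Phase 2 proposal
crypto ipsec transform-set strong esp-3des esp-sha-hmac

! Crypto map binding the traffic selector, peer and proposal to the outside interface
crypto map sitetosite 10 ipsec-isakmp
crypto map sitetosite 10 match address vpn-traffic
crypto map sitetosite 10 set peer 203.0.113.2
crypto map sitetosite 10 set transform-set strong
crypto map interface sitetosite outside

! Phase 1 (ISAKMP) settings
isakmp enable outside
isakmp key PLACEHOLDER-PSK address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! The fix from the reply above: send a keepalive to the peer every 30 seconds so
! that a peer which reboots (and loses its SAs) is detected and the stale tunnel
! is torn down, instead of PIX B encrypting into a void until the SA lifetime expires.
isakmp keepalive 30
```

Without the keepalive, the manual recovery on the surviving side is to clear its stale state with `clear isakmp sa` and `clear ipsec sa` so that the next interesting packet triggers a fresh Phase 1/Phase 2 negotiation; `show isakmp sa` and `show crypto ipsec sa` show whether an SA is still held for the rebooted peer. Those commands are standard PIX 6.x operations, not something described in the post itself.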