11-15-2006 03:27 AM - edited 02-21-2020 02:43 PM
I have a site-to-site between my office and a customer using two PIX 515Es. As my office has moved, there is a new IP address at my office end. I have been to the client's site and changed the peer address to correspond, but it will not connect. When debugging, it appears that it is still trying to connect to the old IP address even though there is nothing in the config that relates to that address now. Has anyone come across this before, and if so, how did you resolve it?
11-15-2006 04:01 AM
Can you try these commands:
clear crypto isakmp sa
clear crypto ipsec sa
M.
11-16-2006 01:20 AM
I have tried the clear crypto ipsec sa and clear crypto isakmp sa but that didn't work.
11-15-2006 07:07 AM
I'm no expert but I know that there are some changes made to a crypto map that aren't dynamic, such as an access-list change.
Even if you issue a clear ipsec sa command the changes won't be reflected in the sa.
Try unbinding the crypto map and then re-binding it to the correct interface.
Also, if you are using PSKs, double check that the line isakmp key... is pointing to the correct address.
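The config checks suggested in the reply above (peer address, matching isakmp key line, crypto map binding), sketched as an added example that is not part of the original thread. It assumes PIX 6.x-style syntax in a saved copy of the config; the sample config, map name and addresses are constructed.

```python
import re

# Constructed PIX 6.x-style fragment (documentation addresses, not from the thread).
# 192.0.2.10 stands in for the old office address, 198.51.100.20 for the new one.
SAMPLE_CONFIG = """\
access-list vpn-office permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map officemap 10 ipsec-isakmp
crypto map officemap 10 match address vpn-office
crypto map officemap 10 set peer 198.51.100.20
crypto map officemap 10 set transform-set strong
crypto map officemap interface outside
isakmp enable outside
isakmp key ******** address 192.0.2.10 netmask 255.255.255.255
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)", re.M)
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+)", re.M)
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)", re.M)


def audit_peer_change(config, old_peer, new_peer):
    """Return findings about a site-to-site peer address change in config text."""
    findings = []
    peers = PEER_RE.findall(config)
    key_addrs = set(KEY_RE.findall(config))
    bound_maps = {name for name, _ in BIND_RE.findall(config)}
    # Match the old address as a whole token, not as part of a longer address.
    old_re = re.compile(r"(?<![\d.])" + re.escape(old_peer) + r"(?![\d.])")
    for n, line in enumerate(config.splitlines(), 1):
        if old_re.search(line):
            findings.append(f"line {n}: still references old peer {old_peer}")
    if not any(peer == new_peer for _, _, peer in peers):
        findings.append(f"no crypto map entry sets peer {new_peer}")
    for name, seq, peer in peers:
        # A wildcard key (address 0.0.0.0) covers any peer.
        if peer not in key_addrs and "0.0.0.0" not in key_addrs:
            findings.append(f"crypto map {name} {seq}: no isakmp key for peer {peer}")
        if name not in bound_maps:
            findings.append(f"crypto map {name} is not bound to an interface")
    return findings


if __name__ == "__main__":
    for finding in audit_peer_change(SAMPLE_CONFIG, "192.0.2.10", "198.51.100.20"):
        print(finding)
```

This only inspects the config text; it says nothing about SAs or other running state on the firewall.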
11-15-2006 11:32 PM
I recently experienced this issue: we got an IP address change and had to change the site-to-site peer. I used "no" on all our crypto map commands and ACL, then enabled them again. But then I had to restart the PIX to get it to the right peer.