VPN Site to Site by using PIX and IOS on 2600 Cisco Series and 2600XM

aessome
Level 1

Hello VPN Guru,

we are using a VPN between HQ(PIX)-------> Branch (2600)

At the moment there are 8 branch offices connected, PIX OS 6.1(1) and 2600 (12.0(7)T or 12.11 T). Sometimes it is not possible to send data through the tunnel: show crypto isakmp sa will display QM_IDLE on both sides, but no ping or data transfer is possible until we clear the ISAKMP and IPsec SAs and create the new tunnel.

Is this an IOS or PIX OS issue? If yes, please let me know which OS is better to use.

thanks for any help

Alain

3 Replies

kdurrett
Level 3

Wow, 12.07T. Back when there was only 12.0 that was code to run for IPsec, but it had some quirks, specifically with fast switching. On that router running 12.07T, turn fast switching off on the LAN, on on the WAN interfaces: "no ip route-cache" on the LAN and "ip route-cache" (which is default, so you won't see it) on the WAN. Not sure about your second IOS version, since 12.11T isn't out yet. Is that 12.1.1T or 12.2.11T? If it's 12.1.1T you need to get out of that and go down to 12.07T or up to 12.1.5T9 or higher, 12.2.11T2. FYI, 12.1.5T9 also had the fast switching problem, but it needs to be turned off on both interfaces and not just the LAN, "no ip route-cache". But yes, it could be the PIX as well, but more than likely I'd think it's the routers. 6.1.1 is no longer available for download from CCO, which means it's been pulled for one reason or another, so try the router fix; if there's still a problem, maybe upgrade the PIX as well.

Kurtis Durrett

Thanks Kurtis for your reply,

Please see my config and tell me if the change is correct, and what about the loopback1? May I configure ip route-cache or not?

There are two designs:

1) Router with 12.07T

-----Fast Eth 0/0 (ROUTER) ------Serial 0/0:0

interface Loopback1
 ip address 195.126.126.17 255.255.255.252
 no ip directed-broadcast
!
interface FastEthernet0/0
 ip address 10.60.3.254 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 speed 100
 full-duplex
!
interface Serial0/0:0
 bandwidth 1984
 ip address 139.4.134.58 255.255.255.252
 ip access-group 110 in
 no ip directed-broadcast
 encapsulation ppp
 ip mroute-cache
 no fair-queue
 crypto map DVAG

crypto map DVAG local-address Loopback1

----------------------------------------------------------------

What about this design? Where may I make the change?

Thanks

2) Router with 12.2(11)T

----(Telco Router)---Eth----fast Eth0/0 (Customer Router)----Fast Eth 0/1

interface FastEthernet0/0
 ip address 80.154.4.34 255.255.255.248
 ip access-group 110 in
 speed 10
 half-duplex
 crypto map DVAG
!
interface FastEthernet0/1
 ip address 10.60.13.254 255.255.255.0
 speed 100
 full-duplex

crypto map DVAG local-address FastEthernet0/0

Thanks for any help

Alain

Alain,

Honestly, I'd upgrade all three devices if possible. From the information you have provided it looks right. The fast switching is configured correctly on your interfaces, and it doesn't matter on the loopback. A couple of things could be at work here that we can't see with what's provided, like access-group 110, firewall feature sets (doesn't matter whether it's applied or not, need to know if you have it on either router), your crypto map configuration (like SA times or keepalives). PIX to 6.2.2 and IOS to 12.2.8T5. Personally I haven't worked with the 12.2.11T2 or 12.2.13T, so I don't know how those are running yet. If there was a number one choice, I'd upgrade the PIX first and check to see if the problem goes away.

Kurtis Durrett
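The fast-switching rule of thumb from Kurtis's first reply, turned into a small config checker as an added example (not code from this thread or from Cisco). It parses IOS-style interface stanzas, treats any interface carrying a crypto map as WAN and the rest (loopbacks aside, since the reply says they don't matter) as LAN, and flags deviations from the rule for the release in question; the sample config is a constructed trim of Alain's 12.0(7)T design, and the per-release rules are only the two the reply states.

```python
# Constructed sample: the 12.0(7)T design from the thread, trimmed to the
# interface stanzas and the crypto map binding that the check looks at.
SAMPLE_CONFIG = """\
interface Loopback1
 ip address 195.126.126.17 255.255.255.252
!
interface FastEthernet0/0
 ip address 10.60.3.254 255.255.255.0
 no ip route-cache
!
interface Serial0/0:0
 ip address 139.4.134.58 255.255.255.252
 encapsulation ppp
 crypto map DVAG
!
crypto map DVAG local-address Loopback1
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas


def check_fast_switching(config, wan_fast_switching=True):
    """LAN (no crypto map) interfaces need 'no ip route-cache'. Crypto map
    interfaces keep fast switching on for the 12.0(7)T rule (default True);
    pass False for the 12.1(5)T9 rule, where they need it off as well.
    Loopbacks are skipped. Returns a list of finding strings (empty = ok)."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if name.lower().startswith("loopback"):
            continue
        has_crypto = any(c.startswith("crypto map ") for c in cmds)
        fast_off = "no ip route-cache" in cmds
        if has_crypto and wan_fast_switching and fast_off:
            findings.append(f"{name}: crypto map interface has fast switching disabled")
        elif has_crypto and not wan_fast_switching and not fast_off:
            findings.append(f"{name}: crypto map interface needs 'no ip route-cache'")
        elif not has_crypto and not fast_off:
            findings.append(f"{name}: LAN interface should have 'no ip route-cache'")
    return findings
```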