Solved

Bring up an IPSEC tunnel across two PIXes.

Posted on 2005-03-19
526 Views
Last Modified: 2013-11-16
I established a VPN two months ago using 2 PIXes as a redundancy measure in the event that a T1 failed.  I verified it worked by taking the T1 down (traffic routed automatically through the VPN).  For two months no traffic has gone through the tunnel.  A "show crypto isakmp sa" returns the following info:

Total     : 0
Embryonic : 0
        dst               src        state     pending     created

My question:  How can I generate traffic through the tunnel to test that it is still available (without restructuring my routing table)?

Thanks!!!

Question by:meade470
5 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 13583272
Add your two PIXes' public IPs to the crypto map access-list

access-list cyptomap_40 permit ip host <mypublic IP> host <remotepublic IP>

Now pinging from PIX to PIX should bring up the tunnel so you can see it.
0
 
LVL 2

Author Comment

by:meade470
ID: 13590823
lrmoore,

I added the lines (one to each PIX).  I then pinged from one PIX to the other and received a response.  Afterward, the "show crypto isakmp sa" still returned the same results, showing no tunnel.  Can I correctly assume the tunnel is down, or is it possible that the ping traversed our internal network and simply skipped the VPN tunnel?  Is there a way I can verify the path it takes?  I don't see an option for "trace route" in the PIX.

Thanks!
0
 
LVL 2

Author Comment

by:meade470
ID: 13591040
lrmoore (or anyone else),

I created traffic that I was certain would go across the VPN tunnel.  Here's a cut-and-paste:

============================================================

MYPIX# ping 192.168.19.x
        192.168.19.x NO response received -- 1000ms
        192.168.19.x NO response received -- 1000ms
        192.168.19.x NO response received -- 1000ms

MYPIX# show isakmp sa
Total     : 1
Embryonic : 1
        dst               src        state     pending     created
   66.xx.xx.xx     68xx.xx.xx    MM_KEY_EXCH   0           0


MYPIX# show isakmp sa
Total     : 1
Embryonic : 1
        dst               src        state     pending     created
   66.xx.xx.xx     68.xx.xx.xx MM_KEY_EXCH   0           0


MYPIX# show isakmp sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created

================================================

It looks like the tunnel is trying to negotiate keys--just unsuccessfully.  I have made no configuration changes since the tunnel was working successfully.  Isn't there a specific way/order to tear down and rebuild the crypto maps on the interfaces?  I tried a "no crypto" but this didn't work.

Thanks!
0
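The snapshots above show an SA that reaches MM_KEY_EXCH and then disappears without ever reaching QM_IDLE, which is the pattern of a phase 1 that starts but fails authentication (the poster later fixed it by re-entering the pre-shared keys). As an added example that is not part of the original thread, this Python script parses successive "show isakmp sa" outputs from a PIX 6.x and classifies the tunnel state; the sample text and the classification labels are constructed for illustration.

```python
import re

# Constructed sample of the three successive "show isakmp sa" snapshots
# pasted in the question (addresses are the poster's redacted values).
SNAPSHOTS = [
"""Total     : 1
Embryonic : 1
        dst               src        state     pending     created
   66.xx.xx.xx     68.xx.xx.xx MM_KEY_EXCH   0           0
""",
"""Total     : 1
Embryonic : 1
        dst               src        state     pending     created
   66.xx.xx.xx     68.xx.xx.xx MM_KEY_EXCH   0           0
""",
"""Total     : 0
Embryonic : 0
        dst               src        state     pending     created
""",
]

# Main-mode (phase 1) states on PIX 6.x. Only QM_IDLE means phase 1 is
# complete and the SA is usable for quick-mode (phase 2) negotiation.
MAIN_MODE = ("MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH")

def parse_isakmp_sa(text):
    """Return (total, embryonic, [(dst, src, state), ...]) from one snapshot."""
    total = int(re.search(r"Total\s*:\s*(\d+)", text).group(1))
    embryonic = int(re.search(r"Embryonic\s*:\s*(\d+)", text).group(1))
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+(\S+)\s+(MM_\w+|QM_IDLE)\s+\d+\s+\d+", line)
        if m:
            entries.append(m.groups())
    return total, embryonic, entries

def classify(snapshots):
    """Judge phase 1 health from snapshots taken while traffic that matches
    the crypto ACL is being generated (e.g. the PIX-to-PIX ping above)."""
    seen_main_mode = False
    for snap in snapshots:
        _total, _embryonic, entries = parse_isakmp_sa(snap)
        if any(state == "QM_IDLE" for _, _, state in entries):
            return "established"
        if any(state in MAIN_MODE for _, _, state in entries):
            seen_main_mode = True
    if seen_main_mode:
        # Peer answered (SA got as far as key exchange) but never reached
        # QM_IDLE: authentication failed, commonly a pre-shared key mismatch.
        return "phase1-failed"
    # Nothing negotiated: no interesting traffic hit the crypto map, or the
    # peer never answered at all.
    return "no-negotiation"
```

Because an idle tunnel with Total 0 is indistinguishable from a broken one, the check is only meaningful while traffic that matches the crypto ACL is being sent.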
 
LVL 2

Author Comment

by:meade470
ID: 13593070
I was able to fix this by re-entering my keys.

Thanks for the tips, lrmoore!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13593840
Glad you're working! Thanks for the points!
0
