Bring up an IPSEC tunnel across two PIXes.

Posted on 2005-03-19
Last Modified: 2013-11-16
I established a VPN two months ago using 2 PIX's as a redundancy measure in the event that a T1 failed.  I verified it worked by taking the T1 down (traffic routed automatically through the VPN).  For two months no traffic has gone through the tunnel.  A "show crypto isakmp sa" returns the following info:

Total     : 0
Embryonic : 0
        dst               src        state     pending     created

My question:  How can I generate traffic through the tunnel to test that it is still available (without restructuring my routing table)?

Thanks!!!

Question by:meade470

Accepted Solution

by:lrmoore (earned 2000 total points)
ID: 13583272
Add your two PIX's public IPs to the crypto map access-list:

access-list cyptomap_40 permit ip host <mypublic IP> host <remotepublic IP>

Now pinging from PIX to PIX should bring up the tunnel so you can see it.

Author Comment

by:meade470
ID: 13590823
lrmoore,

I added the lines (one to each PIX).  I then pinged from one PIX to the other and received a response.  Afterward, the "show crypto isakmp sa" still returned the same results, showing no tunnel.  Can I correctly assume the tunnel is down, or is it possible that the ping traversed our internal network and simply skipped the VPN tunnel?  Is there a way I can verify the path it takes?  I don't see an option for "trace route" in the PIX.

Thanks!

Author Comment

by:meade470
ID: 13591040
lrmoore (or anyone else),

I created traffic that I was certain would go across the VPN tunnel.  Here's a cut-and-paste:

============================================================

MYPIX# ping 192.168.19.x
        192.168.19.x NO response received -- 1000ms
        192.168.19.x NO response received -- 1000ms
        192.168.19.x NO response received -- 1000ms

MYPIX# show isakmp sa
Total     : 1
Embryonic : 1
        dst               src        state     pending     created
   66.xx.xx.xx     68xx.xx.xx    MM_KEY_EXCH   0           0


MYPIX# show isakmp sa
Total     : 1
Embryonic : 1
        dst               src        state     pending     created
   66.xx.xx.xx     68.xx.xx.xx MM_KEY_EXCH   0           0


MYPIX# show isakmp sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created

================================================

It looks like the tunnel is trying to negotiate keys--just unsuccessfully.  I have made no configuration changes since the tunnel was working successfully.  Isn't there a specific way/order to tear down and rebuild the crypto maps on the interfaces?  I tried a "no crypto" but this didn't work.

Thanks!

Author Comment

by:meade470
ID: 13593070
I was able to fix this by re-entering my keys.

Thanks for the tips, lrmoore!

Expert Comment

by:lrmoore
ID: 13593840
Glad you're working! Thanks for the points!
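
An added example, not part of the thread and not Cisco tooling: a Python parser for the "show isakmp sa" layout pasted above that classifies a series of captures taken a few seconds apart. The snapshots are constructed, the function names are hypothetical, and reading an MM_KEY_EXCH entry that disappears without reaching QM_IDLE as a phase 1 authentication failure is an assumption consistent with the fix reported here (re-entering the keys).

```python
import re

# Constructed snapshots in the column layout shown in the thread; the
# addresses are documentation ranges, not values from the page.
HEADER = "        dst               src        state     pending     created\n"
EMPTY = "Total     : 0\nEmbryonic : 0\n" + HEADER
STUCK = ("Total     : 1\nEmbryonic : 1\n" + HEADER +
         "   203.0.113.10    198.51.100.20    MM_KEY_EXCH   0           0\n")
UP = ("Total     : 1\nEmbryonic : 0\n" + HEADER +
      "   203.0.113.10    198.51.100.20    QM_IDLE       0           1\n")

COUNTER = re.compile(r"^\s*(Total|Embryonic)\s*:\s*(\d+)\s*$")
# Columns: dst, src, state (MM_*/AM_*/QM_*), pending, created
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+((?:MM|AM|QM)_[A-Z_]+)\s+(\d+)\s+(\d+)\s*$")

def parse_isakmp_sa(text):
    """Parse one 'show isakmp sa' output into counters and SA rows."""
    result = {"total": 0, "embryonic": 0, "sas": []}
    for line in text.splitlines():
        if (m := COUNTER.match(line)):
            result[m.group(1).lower()] = int(m.group(2))
        elif (m := ROW.match(line)):
            dst, src, state, pending, created = m.groups()
            result["sas"].append({"dst": dst, "src": src, "state": state,
                                  "pending": int(pending), "created": int(created)})
    return result

def assess(snapshots):
    """Classify a series of outputs captured a few seconds apart."""
    parsed = [parse_isakmp_sa(s) for s in snapshots]
    final_states = {sa["state"] for sa in parsed[-1]["sas"]}
    seen_states = {sa["state"] for p in parsed for sa in p["sas"]}
    if "QM_IDLE" in final_states:
        return "up"                    # phase 1 authenticated and idle
    if "MM_KEY_EXCH" in seen_states:
        return "phase1-auth-failing"   # keys exchanged, peer never authenticated
    if seen_states:
        return "negotiating"           # some other MM_/AM_ state was observed
    return "no-sa"                     # nothing triggered IKE at all

if __name__ == "__main__":
    print(assess([EMPTY]))                # the output in the original question
    print(assess([STUCK, STUCK, EMPTY]))  # the three outputs pasted later
    print(assess([STUCK, UP]))            # a negotiation that completes
```

A "no-sa" result only says that IKE was never started; it does not distinguish a dead tunnel from one that has simply seen no traffic matching the crypto map access-list.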