meade470
asked on
Bring up an IPSEC tunnel across two PIXes.
I established a VPN two months ago using two PIXes as a redundancy measure in the event that a T1 failed. I verified it worked by taking the T1 down (traffic routed automatically through the VPN). For two months no traffic has gone through the tunnel. A "show crypto isakmp sa" returns the following info:
Total : 0
Embryonic : 0
dst src state pending created
My question: How can I generate traffic through the tunnel to test that it is still available (without restructuring my routing table)?
Thanks!!!
ASKER CERTIFIED SOLUTION
ASKER
lrmoore (or anyone else),
I created traffic that I was certain would go across the VPN tunnel. Here's a cut-and-paste:
==========================
MYPIX# ping 192.168.19.x
192.168.19.x NO response received -- 1000ms
192.168.19.x NO response received -- 1000ms
192.168.19.x NO response received -- 1000ms
MYPIX# show isakmp sa
Total : 1
Embryonic : 1
dst src state pending created
66.xx.xx.xx 68xx.xx.xx MM_KEY_EXCH 0 0
MYPIX# show isakmp sa
Total : 1
Embryonic : 1
dst src state pending created
66.xx.xx.xx 68.xx.xx.xx MM_KEY_EXCH 0 0
MYPIX# show isakmp sa
Total : 0
Embryonic : 0
dst src state pending created
==========================
It looks like the tunnel is trying to negotiate keys--just unsuccessfully. I have made no configuration changes since the tunnel was working successfully. Isn't there a specific way/order to tear down and rebuild the crypto maps on the interfaces? I tried a "no crypto" but this didn't work.
Thanks!
ASKER
I was able to fix this by re-entering my keys.
Thanks for the tips, lrmoore!
Glad you're working! Thanks for the points!
ASKER
I added the lines (one to each PIX). I then pinged from one PIX to the other and received a response. Afterward, the "show crypto isakmp sa" still returned the same results, showing no tunnel. Can I correctly assume the tunnel is down, or is it possible that the ping traversed our internal network and simply skipped the VPN tunnel? Is there a way I can verify the path it takes? I don't see an option for "trace route" in the PIX.
Thanks!
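Two questions in this thread come down to reading the "show isakmp sa" table correctly: whether a tunnel that shows "Total : 0" is simply idle or actually down, and what it means when the table briefly shows an SA stuck in MM_KEY_EXCH and then empties again while test traffic is sent. The following Python is an added example (not code from the thread, from Cisco, or from any PIX tool) that parses snapshots of that table and interprets the sequence the asker pasted. The ISAKMP state names it recognises (MM_NO_STATE, MM_SA_SETUP, MM_KEY_EXCH, MM_KEY_AUTH for a main-mode negotiation in progress, QM_IDLE for an established Phase 1 SA) are standard Cisco names; the sample snapshots are constructed, with the masked "66.xx.xx.xx" / "68.xx.xx.xx" addresses used as placeholders exactly as in the thread.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample snapshots of "show isakmp sa", modelled on the
# listings pasted in the thread. Addresses are placeholders, not real peers.
SNAPSHOT_NEGOTIATING = """\
Total     : 1
Embryonic : 1
        dst               src        state     pending     created
   66.xx.xx.xx      68.xx.xx.xx    MM_KEY_EXCH         0           0
"""

SNAPSHOT_EMPTY = """\
Total     : 0
Embryonic : 0
        dst               src        state     pending     created
"""

SNAPSHOT_ESTABLISHED = """\
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   66.xx.xx.xx      68.xx.xx.xx    QM_IDLE             0           1
"""

# Main-mode Phase 1 states in which the SA is still being negotiated
# (the PIX counts these as "Embryonic"), and the state of a completed Phase 1.
NEGOTIATING_STATES = {"MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH"}
ESTABLISHED_STATES = {"QM_IDLE"}

# One SA row: dst, src, an upper-case state token, pending count, created count.
# The header row ("state" in lower case) and the Total/Embryonic lines do not match.
SA_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(\d+)\s*$")


@dataclass
class IsakmpSa:
    dst: str
    src: str
    state: str
    pending: int
    created: int


def parse_isakmp_sa(text: str) -> List[IsakmpSa]:
    """Extract the SA rows from one 'show isakmp sa' snapshot."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if m:
            dst, src, state, pending, created = m.groups()
            rows.append(IsakmpSa(dst, src, state, int(pending), int(created)))
    return rows


def classify(text: str) -> str:
    """Classify one snapshot as 'no-sa', 'negotiating', 'established' or 'unknown'."""
    rows = parse_isakmp_sa(text)
    if not rows:
        return "no-sa"
    if any(r.state in ESTABLISHED_STATES for r in rows):
        return "established"
    if all(r.state in NEGOTIATING_STATES for r in rows):
        return "negotiating"
    return "unknown"


def diagnose(snapshots: List[str]) -> str:
    """Interpret successive snapshots taken while test traffic is sent.

    'idle'            - no SA ever appeared: nothing matched the crypto ACL, so the
                        test traffic never triggered the tunnel (or no peer replied).
    'still-negotiating' - Phase 1 in progress at the last snapshot.
    'phase1-failed'   - an SA appeared in a main-mode state and then vanished, the
                        pattern in the thread; on the PIX this is consistent with an
                        authentication failure such as a pre-shared key mismatch,
                        which is what re-entering the keys fixed for the asker.
    'up'              - a QM_IDLE SA was seen: Phase 1 completed.
    """
    states = [classify(s) for s in snapshots]
    if "established" in states:
        return "up"
    if "negotiating" in states and states[-1] == "no-sa":
        return "phase1-failed"
    if "negotiating" in states:
        return "still-negotiating"
    return "idle"


if __name__ == "__main__":
    # The sequence the asker pasted: two snapshots stuck in MM_KEY_EXCH, then empty.
    print(diagnose([SNAPSHOT_NEGOTIATING, SNAPSHOT_NEGOTIATING, SNAPSHOT_EMPTY]))
```

The point for the second question in the thread is the 'idle' case: a ping that gets a reply while the table stays at "Total : 0" did not bring up Phase 1, so it did not cross the tunnel; only a QM_IDLE row (and, for the data path, rising "pkts encaps" counters in "show crypto ipsec sa") shows that traffic is actually being encrypted.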