Cisco PIX 501: VPN Tunnel doesn't reconnect after PIX reboot

Posted on 2006-05-02
Last Modified: 2012-06-22
I have a 501 PIX running a VPN to another 501 through the internet at another location. I had to shut down the PIX on one end so I could move some equipment. After I boot it back up, the VPN tunnel doesn't reconnect. Before the shutdown, everything was working fine, so I don't believe it is a configuration error.

I had this problem once before, quite a while ago, and, like an idiot, I didn't write down the fix. I believe it has something to do with resetting the VPN in some way so it can reconnect. Let me know...

High points are due to the urgency of the fix. Just in case, here is the config...

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password c.WQcaqN2RaDxaDI encrypted
passwd c.WQcaqN2RaDxaDI encrypted
hostname xxx
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list out permit icmp any any
access-list out permit tcp any host eq smtp
access-list out permit tcp any host eq www
access-list out permit tcp any host eq 3389
access-list out permit tcp any host eq 3389
access-list out permit tcp any host eq pop3
access-list out permit tcp any host eq 4662
access-list VPN-nonat permit ip
access-list VPN_Trenton permit ip

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 10
global (outside) 2
nat (inside) 0 access-list VPN-nonat
nat (inside) 10 0 0
nat (inside) 2 0 0
nat (inside) 1 0 0
static (inside,outside) tcp 3389 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp www www netmask 255.255.255.255 0 0
static (inside,outside) tcp smtp smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 3389 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp pop3 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 3389 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 4662 4662 netmask 255.255.255.255 0 0
static (inside,outside) tcp www www netmask 255.255.255.255 0 0
access-group out in interface outside
route outside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map VPN_xxx 20 ipsec-isakmp
crypto map VPN_xxx 20 match address VPN_Trenton
crypto map VPN_xxx 20 set peer
crypto map VPN_xxx 20 set transform-set strong
crypto map VPN_xxx interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
Question by:brainbolt
    LVL 10

    Expert Comment

    Since we do not have the configuration on the other end, and assuming you have to reset the VPN tunnel, try running the following on both pix boxes.

    clear crypto isakmp
    clear crypto sa

    If this does not help, post your output from the following commands:

    show crypto ipsec sa
    show crypto isakmp
    LVL 20

    Accepted Solution

    Is the other PIX also running 6.3 series? And if the other PIX has either of the following lines, you'll need to add them to the PIX above:
      isakmp identity address
      isakmp nat-traversal <some #>

    I see above that you have the following:
    >isakmp policy 9 encryption 3des
    >isakmp policy 9 hash sha
    >isakmp policy 9 group 1
    Is the other side set up identically? If using "3des" & "sha" you should instead use "group 2" to avoid problems.

    Also, just be aware that even if both sides are properly configured with identical ipsec & isakmp parameters, the tunnel won't come up until you start sending traffic from one network to the other.
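    A concrete way to carry out the checks this answer lists (an isakmp policy whose authentication, encryption, hash and DH group match on both sides, the isakmp identity / nat-traversal lines present on both ends, and a transform-set in common), written as an added example that is not part of the original thread and not a Cisco tool: a small Python script that parses the isakmp and transform-set lines from two PIX 6.3 configs and reports the mismatches. The two configs embedded below are constructed (the local one modelled on the posted config), the peer addresses 203.0.113.2 and 198.51.100.1 are documentation addresses, and the nat-traversal keepalive value 20 is an arbitrary placeholder standing in for the "<some #>" in the answer.

```python
"""Compare IKE phase-1 and IPsec phase-2 parameters of two PIX 6.3 configs.

Added example, not from the original question or answers. Both configs are
constructed; addresses are documentation ranges and the nat-traversal
keepalive (20) is a placeholder.
"""
import re

# Constructed local side, modelled on the posted config (group 1, no identity/nat-t lines)
LOCAL_CFG = """\
isakmp enable outside
isakmp key ******** address 203.0.113.2 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map VPN_xxx 20 set transform-set strong
"""

# Constructed remote side: same proposal but group 2, plus identity and nat-traversal
REMOTE_CFG = """\
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp key ******** address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map VPN_remote 10 set transform-set strong
"""

POLICY_RE = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")

# Attributes that must agree for an IKEv1 phase-1 proposal to be accepted.
# Lifetime is negotiated down to the shorter value, so it is not compared.
PHASE1_ATTRS = ("authentication", "encryption", "hash", "group")


def parse_pix(text):
    """Extract isakmp policies, transform-sets and global isakmp flags from config text."""
    policies, transform_sets, flags = {}, {}, set()
    for line in text.splitlines():
        line = line.strip()
        m = POLICY_RE.match(line)
        if m:
            num, attr, val = m.groups()
            policies.setdefault(int(num), {})[attr] = val
            continue
        m = TS_RE.match(line)
        if m:
            # order of ESP transforms does not matter, so normalise it
            transform_sets[m.group(1)] = tuple(sorted(m.group(2).split()))
            continue
        if line.startswith("isakmp identity "):
            flags.add("identity")
        elif line.startswith("isakmp nat-traversal"):
            flags.add("nat-traversal")
    return {"policies": policies, "transform_sets": transform_sets, "flags": flags}


def phase1_match(local, remote):
    """Return the first (local_policy, remote_policy) pair with identical phase-1 attrs, else None."""
    for ln, lp in sorted(local["policies"].items()):
        for rn, rp in sorted(remote["policies"].items()):
            if all(lp.get(a) == rp.get(a) for a in PHASE1_ATTRS):
                return (ln, rn)
    return None


def diagnose(local_text, remote_text):
    """Return a list of findings that would stop the tunnel from negotiating."""
    local, remote = parse_pix(local_text), parse_pix(remote_text)
    findings = []
    if phase1_match(local, remote) is None:
        findings.append("no isakmp policy with identical authentication/encryption/hash/group on both sides")
    for num, pol in sorted(local["policies"].items()):
        if pol.get("encryption") == "3des" and pol.get("hash") == "sha" and pol.get("group") == "1":
            findings.append(f"local isakmp policy {num}: 3des/sha with group 1; the answer above recommends group 2")
    for flag in ("identity", "nat-traversal"):
        if flag in remote["flags"] and flag not in local["flags"]:
            findings.append(f"remote has 'isakmp {flag}' but local does not")
    if not set(local["transform_sets"].values()) & set(remote["transform_sets"].values()):
        findings.append("no IPsec transform-set in common")
    return findings


if __name__ == "__main__":
    for f in diagnose(LOCAL_CFG, REMOTE_CFG) or ["no mismatches found"]:
        print(f)
```

    Run as-is it reports the group mismatch, the group-1 recommendation, and the two missing isakmp lines; changing the local policy to group 2 and adding the identity and nat-traversal lines makes diagnose() return an empty list. As the answer notes, a clean comparison still does not bring the tunnel up by itself; interesting traffic matching the crypto map's access-list has to flow first.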

    LVL 2

    Author Comment

    It looks like the tunnel was reestablished by the initiation of traffic. I wasn't able to make any changes for a few hours, and when I returned, it was reconnected.

    Thanks for your fast assistance. By the way, how do I set naveedb's answer as an assist? I believe those are the commands I was originally looking for...
    LVL 20

    Expert Comment

    Post a request in the support area:
      with a link to this post, asking a moderator to either split points as you request or to re-open the question so you can split points yourself.
