

Cisco PIX 501: VPN Tunnel doesn't reconnect after PIX reboot

Posted on 2006-05-02
Medium Priority
Last Modified: 2012-06-22
I have a 501 PIX running a VPN to another 501 through the internet at another location. I had to shut down the PIX on one end so I could move some equipment. After I boot it back up, the VPN tunnel doesn't reconnect. Before the shutdown, everything was working fine, so I don't believe it is a configuration error.

I had this problem once before, quite a while ago, and, like an idiot, I didn't write down the fix. I believe it has something to do with resetting the VPN in some way so it can reconnect. Let me know...

High points are due to the urgency of the fix. Just in case, here is the config...

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password c.WQcaqN2RaDxaDI encrypted
passwd c.WQcaqN2RaDxaDI encrypted
hostname xxx
domain-name xxx.com
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list out permit icmp any any
access-list out permit tcp any host 64.207.xxx.xxx eq smtp
access-list out permit tcp any host 64.207.xxx.xxx eq www
access-list out permit tcp any host 64.207.xxx.xxx eq 3389
access-list out permit tcp any host 64.207.xxx.xxx eq 3389
access-list out permit tcp any host 64.207.xxx.xxx eq pop3
access-list out permit tcp any host 64.207.xxx.xxx eq 4662
access-list VPN-nonat permit ip
access-list VPN_Trenton permit ip

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 64.207.xxx.xxx
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 10 64.207.xxx.xxx
global (outside) 2 64.207.xxx.xxx
nat (inside) 0 access-list VPN-nonat
nat (inside) 10 0 0
nat (inside) 2 0 0
nat (inside) 1 0 0
static (inside,outside) tcp 64.207.xxx.xxx 3389 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.207.xxx.xxx www www netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.207.xxx.xxx smtp smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.207.xxx.xxx 3389 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.207.xxx.xxx pop3 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.207.xxx.xxx 3389 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.207.xxx.xxx 4662 4662 netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.207.xxx.xxx www www netmask 255.255.255.255 0 0
access-group out in interface outside
route outside 64.207.xxx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map VPN_xxx 20 ipsec-isakmp
crypto map VPN_xxx 20 match address VPN_Trenton
crypto map VPN_xxx 20 set peer 12.39.xxx.xxx
crypto map VPN_xxx 20 set transform-set strong
crypto map VPN_xxx interface outside
isakmp enable outside
isakmp key ******** address 12.39.xxx.xxx netmask
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
Question by:brainbolt

Expert Comment

ID: 16592528
Since we do not have the configuration on the other end, and assuming you have to reset the VPN tunnel, try running the following on both pix boxes.

clear crypto isakmp
clear crypto sa

If this does not help, post your output from the following commands:

show crypto ipsec sa
show crypto isakmp

Accepted Solution

calvinetter earned 2000 total points
ID: 16593172
Is the other PIX also running 6.3 series? And if the other PIX has either of the following lines, you'll need to add them to the PIX above:
  isakmp identity address
  isakmp nat-traversal <some #>

  I see above that you have the following:
>isakmp policy 9 encryption 3des
>isakmp policy 9 hash sha
>isakmp policy 9 group 1
  Is the other side set up identically??  If using "3des" & "sha" you should instead use "group 2" to avoid problems.

Also, just be aware that even if both sides are properly configured with identical ipsec & isakmp parameters, the tunnel won't come up until you start sending traffic from one network to the other.
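The advice above boils down to "both peers must offer identical isakmp and ipsec parameters, and any isakmp identity / nat-traversal lines must be present on both sides". The following script is an added example, not code from the thread: it pulls those parameters out of two PIX 6.3 config fragments (both constructed here; SIDE_A copies the isakmp policy from the question, SIDE_B is a hypothetical peer) and lists the mismatches that would stop the tunnel from negotiating.

```python
import re
# Constructed configs (not from the thread). SIDE_A copies the isakmp policy from
# the question; SIDE_B is a hypothetical peer with group 2 and the two extra lines.
SIDE_A = """
crypto ipsec transform-set strong esp-3des esp-sha-hmac
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
"""
SIDE_B = """
crypto ipsec transform-set strong esp-3des esp-sha-hmac
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
"""
POLICY_RE = re.compile(r"^isakmp policy (\d+) (\S+) (.+)$")
PHASE1_ATTRS = ("authentication", "encryption", "hash", "group")

def parse_pix(text):
    policies, transforms, keywords = {}, {}, set()
    for line in (raw.strip() for raw in text.splitlines()):
        m = POLICY_RE.match(line)
        if m:  # {priority: {attribute: value}}
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
        elif line.startswith("crypto ipsec transform-set "):
            _, _, _, name, *algs = line.split()  # {name: frozenset(algorithms)}
            transforms[name] = frozenset(algs)
        elif line.startswith(("isakmp identity", "isakmp nat-traversal")):
            keywords.add(line.split()[1])
    return policies, transforms, keywords

def find_mismatches(cfg_a, cfg_b):
    """Return the reasons the two peers cannot negotiate phase 1 and phase 2."""
    pa, ta, ka = parse_pix(cfg_a)
    pb, tb, kb = parse_pix(cfg_b)
    problems = []
    # Phase 1: some policy pair must agree on all four negotiated attributes.
    if not any(all(x.get(k) == y.get(k) for k in PHASE1_ATTRS)
               for x in pa.values() for y in pb.values()):
        problems.append("no matching isakmp policy (authentication/encryption/hash/group)")
    # Phase 2: at least one transform-set on each side must propose identical algorithms.
    if not set(ta.values()) & set(tb.values()):
        problems.append("no common ipsec transform-set")
    # identity / nat-traversal should be configured on both peers or on neither.
    problems += [f"'isakmp {kw}' configured on one side only" for kw in sorted(ka ^ kb)]
    return problems
```

Run it against the real `show run` output of both boxes (with the pre-shared key lines removed) and fix whatever it reports before clearing the SAs; an empty list means the remaining cause is simply that no interesting traffic has crossed the tunnel yet.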


Author Comment

ID: 16593435
It looks like the tunnel was reestablished by the initiation of traffic. I wasn't able to make any changes for a few hours, and when I returned, it was reconnected.

Thanks for your fast assistance. By the way, how do I set naveedb's answer as an assist? I believe those are the commands I was originally looking for...

Expert Comment

ID: 16593879
Post a request in the support area: http://www.experts-exchange.com/Community_Support/ 
  with a link to this post, asking a moderator to either split points as you request or to re-open the question so you can split pts yourself.

