Solved

Copy Config from PIX 515e to PIX 515e

Posted on 2010-09-23
550 Views
Last Modified: 2012-05-10
I have a Cisco 515e PIX version 6.3(5) that has a Failover Only License (so it reboots itself every 24 hours)... I need to transfer that config to another PIX with an Unrestricted License, same model and version. I upload it to my TFTP server and pull it down to the PIX with the (UR) and everything looks and works fine except for one issue. The PIX has an IPsec site to site VPN tunnel to a remote location that never connects back up. How can I go about getting this done to get the PIX with the UR license to have the exact same config as the PIX with the FO license and not lose the IPsec tunnel settings? I think version 7 would allow this but how do I do it with version 6.3?

Thanks
Question by:walcointl
7 Comments

Expert Comment

by:InteraX
ID: 33745883
What's missing from the IPsec settings when you copy the config back on?
Are you using PDM to back up the config or the command line?

Author Comment

by:walcointl
ID: 33746604
I'm using the command line, nothing is missing, if I do a show run the configs look exactly the same. I think I saw somewhere that the certificate doesn't move over on version 6.3...

Expert Comment

by:InteraX
ID: 33747145
What type of auth are you using for the IPSEC tunnel?

You may not be able to export the cert depending on how it was created. Can you post a sanitised copy of the ipsec config?

Author Comment

by:walcointl
ID: 33747209
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer X.X.X.X
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key **** address X.X.X.X netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

Accepted Solution

by:nodisco (earned 500 total points)
ID: 33748159
If you are using the exact same configuration and the psk is definitely correct, you should be fine.
You're not using certs to authenticate but if you have a local self-signed cert (ssh etc) you will need to regenerate this.

Another possibility is the arp-cache on your perimeter next hop, be it a router or public switch. It will have an old arp entry for the public IP of the old firewall and you have now replaced this IP with new hardware - you could clear the arp-cache or even reboot the next hop equipment.

Have you done any debugging?
Check if it's failing at phase 1 or 2.

Starting with the below will be helpful to see where it's going astray:

debug cry isakmp

hth

Author Comment

by:walcointl
ID: 33753465
Output of the debug; the 64.x.x.x address is the remote host I'm trying to reach.

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:64.X.X.X, dest:67.X.X.X spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3103086274

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:64.X.X.X, dest:67.X.X.X spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2950305706
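As an added example that is not part of the thread, here is a small Python script that does the "phase 1 or phase 2?" check nodisco suggests, run over a constructed copy of the debug output above (placeholder addresses, not the original capture). The notify-type and protocol-ID names come from RFC 2408 and RFC 2407; the verdict wording is the usual reading of these messages, not something the thread itself states.

```python
import re
# Constructed sample modelled on the debug output posted above, not the original capture; addresses are placeholders.
SAMPLE_DEBUG = """\
crypto_isakmp_process_block:src:64.0.0.2, dest:67.0.0.2 spt:500 dpt:500
OAK_QM exchange
ISAKMP (0): processing SA payload. message ID = 3103086274
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
"""

# Notify types from RFC 2408 and DOI protocol IDs from RFC 2407 that show up in this kind of capture.
NOTIFY_TYPES = {14: "NO_PROPOSAL_CHOSEN", 18: "INVALID_ID_INFORMATION"}
PROTO_IDS = {1: "ISAKMP", 2: "IPSEC_AH", 3: "IPSEC_ESP", 4: "IPCOMP"}
NOTIFY_RE = re.compile(r"sending NOTIFY message (\d+) protocol (\d+)")
PEER_RE = re.compile(r"src:([\w.]+), dest:([\w.]+)")

def classify(debug_text):
    """Summarise a 'debug crypto isakmp' capture: phase, peer, and why the SA was rejected."""
    result = {"phase": None, "peer": None, "transform_ok": False,
              "policy_rejected": False, "notify": None}
    for line in debug_text.splitlines():
        if "OAK_MM" in line or "OAK_AG" in line:
            result["phase"] = 1            # Main/Aggressive Mode: IKE phase 1
        elif "OAK_QM" in line:
            result["phase"] = 2            # Quick Mode: IPsec phase 2
        if "atts are acceptable" in line:
            result["transform_ok"] = True  # transform set / ISAKMP policy matched
        if "policy invalidated proposal" in line:
            result["policy_rejected"] = True
        if m := NOTIFY_RE.search(line):
            result["notify"] = (NOTIFY_TYPES.get(int(m.group(1)), m.group(1)),
                                PROTO_IDS.get(int(m.group(2)), m.group(2)))
        if m := PEER_RE.search(line):
            result["peer"] = m.group(1)
    return result

def verdict(r):
    """Turn the classification into the one-line answer to 'phase 1 or phase 2?'."""
    if r["phase"] == 2 and r["transform_ok"] and r["policy_rejected"]:
        return ("phase 2 rejected by local policy with transform accepted: compare the "
                "crypto ACL (proxy identities) and crypto map peer on both sides")
    if r["phase"] == 2:
        return "phase 2 failed: compare transform sets and lifetimes"
    if r["phase"] == 1:
        return "phase 1 failed: compare ISAKMP policy, pre-shared key and peer address"
    return "no IKE exchange seen in the capture"
```

Paste the real capture into `classify()` in place of the constructed sample; the script only needs the lines shown, so the repeated blocks in the full output do not change the result.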

Author Comment

by:walcointl
ID: 33753484
I got it, thanks nodisco
