Solved

Copy Config from PIX 515e to PIX 515e

Posted on 2010-09-23
7
554 Views
Last Modified: 2012-05-10
I have a Cisco 515e PIX version 6.3(5) that has a Failover Only Licesnse.(So it reboots itself every 24 hours)... I need to transfer that Config to another PIX with a Unrestricted License same model and version.  I upload it to my TFTP server and pull it down to the PIx with the (UR) and everything looks and works fine except for one issue.  The PIX has a IPsec site to site VPN tunnel to a remote location that never connects back up.  How can I go about getting this done to get the PIX with the UR licesnse to have the exact same conifg as the PIX with the FO licesnse and not lose the IPsec tunnel settings? I think version 7 would allow this but how do I do it with version 6.3?

Thanks
0
Comment
Question by:walcointl
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 16

Expert Comment

by:InteraX
ID: 33745883
What's missing from the ipsec settinggs when you copy the config back on?
Are you using PDM to backup the conifg or command line?
0
 

Author Comment

by:walcointl
ID: 33746604
Im using command line, nothing is missing, if i do a show run the configs look exactly the same.  I think I saw someone that the certificate doesnt move over on version 6.3...
0
 
LVL 16

Expert Comment

by:InteraX
ID: 33747145
What type of auth are you using for the IPSEC tunnel?

You may not be able to export the cert depending on how it was created. Can you post a sanitised copy of the ipsec config?
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 

Author Comment

by:walcointl
ID: 33747209
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer X.X.X.X
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key **** address X.X.X.X netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
0
 
LVL 19

Accepted Solution

by:
nodisco earned 500 total points
ID: 33748159
If you are using the exact same configuration and the psk is definitely correct, you should be fine.
You're not using certs to authenticate but if you have a local self-signed cert (ssh etc) you will need to regenerate this.

Another possibility is the arp-cache on your perimeter next hop be it a router/public switch.  If will have an old arp entry for the public ip of the old firewall and you have now replaced this ip with new hardware - you could clear the arp-cache or even reboot the next hop equipment.

Have you done any debugging?
Check if its failing at phase 1 or 2

Starting with the below will be helpful to see where its going astray

debug cry isakmp

hth
0
 

Author Comment

by:walcointl
ID: 33753465
Output of Debug, the 64.x.x.x address is the remote host im trying to reach.

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:64.X.X.X, dest:67.X.X.X spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3103086274

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:64.X.X.X, dest:67.X.X.X spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2950305706
0
 

Author Comment

by:walcointl
ID: 33753484
I got it, thanks nodisco
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question