Copy Config from PIX 515e to PIX 515e

Posted on 2010-09-23
Last Modified: 2012-05-10
I have a Cisco 515e PIX version 6.3(5) that has a Failover Only License. (So it reboots itself every 24 hours)... I need to transfer that config to another PIX with an Unrestricted License, same model and version.  I upload it to my TFTP server and pull it down to the PIX with the (UR) and everything looks and works fine except for one issue.  The PIX has an IPsec site-to-site VPN tunnel to a remote location that never connects back up.  How can I go about getting this done to get the PIX with the UR license to have the exact same config as the PIX with the FO license and not lose the IPsec tunnel settings? I think version 7 would allow this but how do I do it with version 6.3?

Thanks
Question by:walcointl
7 Comments
LVL 16

Expert Comment

by:InteraX
ID: 33745883
What's missing from the ipsec settings when you copy the config back on?
Are you using PDM to backup the config or command line?

Author Comment

by:walcointl
ID: 33746604
I'm using command line, nothing is missing, if I do a show run the configs look exactly the same.  I think I saw somewhere that the certificate doesn't move over on version 6.3...
LVL 16

Expert Comment

by:InteraX
ID: 33747145
What type of auth are you using for the IPSEC tunnel?

You may not be able to export the cert depending on how it was created. Can you post a sanitised copy of the ipsec config?
Author Comment

by:walcointl
ID: 33747209
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer X.X.X.X
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key **** address X.X.X.X netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
LVL 19

Accepted Solution

by:
nodisco earned 500 total points
ID: 33748159
If you are using the exact same configuration and the psk is definitely correct, you should be fine.
You're not using certs to authenticate but if you have a local self-signed cert (ssh etc) you will need to regenerate this.

Another possibility is the arp-cache on your perimeter next hop, be it a router/public switch.  It will have an old arp entry for the public ip of the old firewall and you have now replaced this ip with new hardware - you could clear the arp-cache or even reboot the next hop equipment.

Have you done any debugging?
Check if it's failing at phase 1 or 2

Starting with the below will be helpful to see where it's going astray

debug cry isakmp

hth

Author Comment

by:walcointl
ID: 33753465
Output of Debug, the 64.x.x.x address is the remote host I'm trying to reach.

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:64.X.X.X, dest:67.X.X.X spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3103086274

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:64.X.X.X, dest:67.X.X.X spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2950305706
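The accepted answer's advice, check whether the tunnel is failing in phase 1 or phase 2 with debug crypto isakmp, can be turned into a small triage script. The following is an added example, not code from this thread, from Cisco or from either poster. It parses a constructed debug excerpt modelled on the output posted above, classifies the failure by exchange type (OAK_MM/OAK_AG is phase 1, OAK_QM is phase 2), decodes the proposed SA attributes (including the hex-byte kilobyte lifetime), and checks whether the peer's ESP proposal matches a transform-set in a constructed copy of the posted config. The sample texts, the 64.X.X.X placeholder addresses and all function names are assumptions made for the example.

```python
import re

# Constructed samples modelled on the config and "debug crypto isakmp" output posted
# in this thread; the addresses are the same placeholders the poster used, not real peers.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 64.X.X.X
crypto map outside_map 20 set transform-set ESP-3DES-MD5
"""
SAMPLE_DEBUG = """\
crypto_isakmp_process_block:src:64.X.X.X, dest:67.X.X.X spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3103086274
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
"""

# PIX transform-set keywords mapped to the names the debug output prints for them
ESP_NAMES = {"esp-des": "ESP_DES", "esp-3des": "ESP_3DES", "esp-aes": "ESP_AES"}
AUTH_NAMES = {"esp-md5-hmac": "HMAC-MD5", "esp-sha-hmac": "HMAC-SHA"}
# ISAKMP notify types (RFC 2408) and IPsec DOI protocol IDs (RFC 2407) seen in the output
NOTIFY_NAMES = {14: "NO-PROPOSAL-CHOSEN"}
PROTO_NAMES = {1: "ISAKMP", 2: "AH", 3: "ESP"}

def vpi_to_int(hex_bytes):
    """Decode a variable-length big-endian attribute such as '0x0 0x46 0x50 0x0'."""
    value = 0
    for tok in hex_bytes.split():
        value = (value << 8) | int(tok, 16)
    return value

def parse_config_transforms(config):
    """Return {transform-set name: (cipher, auth)} using the debug output's spelling."""
    sets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (\S+) (\S+)", config, re.M):
        name, cipher, auth = m.groups()
        sets[name] = (ESP_NAMES.get(cipher, cipher), AUTH_NAMES.get(auth, auth))
    return sets

def parse_debug(debug):
    """Summarise one exchange: phase, peer, proposed transforms and any rejection."""
    r = {"phase": "unknown", "peer": None, "transforms": [], "rejected": False, "notify": None}
    cur = None  # transform currently being described
    for line in debug.splitlines():
        if m := re.search(r"src:(\S+), dest:", line):
            r["peer"] = m.group(1)
        if "OAK_MM" in line or "OAK_AG" in line:   # main/aggressive mode = phase 1
            r["phase"] = "phase1"
        elif "OAK_QM" in line:                      # quick mode = phase 2
            r["phase"] = "phase2"
        if m := re.search(r"transform \d+, (\S+)", line):
            cur = {"cipher": m.group(1)}
            r["transforms"].append(cur)
        elif cur is not None:
            if m := re.search(r"authenticator is (\S+)", line):
                cur["auth"] = m.group(1)
            elif m := re.search(r"life duration \(basic\) of (\d+)", line):
                cur["life_seconds"] = int(m.group(1))
            elif m := re.search(r"life duration \(VPI\) of\s+(.*)", line):
                cur["life_kb"] = vpi_to_int(m.group(1))
        if "policy invalidated proposal" in line or "SA not acceptable" in line:
            r["rejected"] = True
        if m := re.search(r"sending NOTIFY message (\d+) protocol (\d+)", line):
            n, p = int(m.group(1)), int(m.group(2))
            r["notify"] = (NOTIFY_NAMES.get(n, str(n)), PROTO_NAMES.get(p, str(p)))
    return r

def triage(config, debug):
    """Classify the failure and say whether the transform-set is a plausible cause."""
    local = set(parse_config_transforms(config).values())
    d = parse_debug(debug)
    proposed = {(t["cipher"], t.get("auth")) for t in d["transforms"]}
    transform_matches = bool(local & proposed)
    if d["phase"] == "phase1":
        return "phase1", False, "ISAKMP SA not completing: check isakmp policy, pre-shared key and peer address"
    if d["phase"] == "phase2" and d["rejected"]:
        if transform_matches:
            return "phase2", True, "proposal matches a local transform-set; look at the rest of the crypto map entry (peer, match address ACL) rather than the transform-set"
        return "phase2", False, "peer's transform is not in any local transform-set"
    return d["phase"], transform_matches, "no rejection seen in this excerpt"
```

Run against the sample, triage() reports phase 2 with the transform matched, which is what the posted output shows: the attributes were accepted ("atts are acceptable") and the rejection came from the subsequent IPsec policy check, so on a migrated config the transform-set line is not where to look first.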

Author Comment

by:walcointl
ID: 33753484
I got it, thanks nodisco
