Solved

Copy Config from PIX 515e to PIX 515e

Posted on 2010-09-23
Last Modified: 2012-05-10
I have a Cisco 515e PIX version 6.3(5) that has a Failover Only License (so it reboots itself every 24 hours). I need to transfer that config to another PIX with an Unrestricted License, same model and version. I upload it to my TFTP server and pull it down to the PIX with the (UR) license and everything looks and works fine except for one issue. The PIX has an IPsec site-to-site VPN tunnel to a remote location that never connects back up. How can I go about getting this done to get the PIX with the UR license to have the exact same config as the PIX with the FO license and not lose the IPsec tunnel settings? I think version 7 would allow this but how do I do it with version 6.3?

Thanks
Question by:walcointl
7 Comments
 
LVL 16

Expert Comment

by:InteraX
ID: 33745883
What's missing from the IPsec settings when you copy the config back on?
Are you using PDM to back up the config or command line?

Author Comment

by:walcointl
ID: 33746604
I'm using command line, nothing is missing, if I do a show run the configs look exactly the same. I think I saw somewhere that the certificate doesn't move over on version 6.3...
LVL 16

Expert Comment

by:InteraX
ID: 33747145
What type of auth are you using for the IPSEC tunnel?

You may not be able to export the cert depending on how it was created. Can you post a sanitised copy of the ipsec config?

Author Comment

by:walcointl
ID: 33747209
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer X.X.X.X
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key **** address X.X.X.X netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
LVL 19

Accepted Solution

by:
nodisco earned 2000 total points
ID: 33748159
If you are using the exact same configuration and the psk is definitely correct, you should be fine.
You're not using certs to authenticate but if you have a local self-signed cert (ssh etc) you will need to regenerate this.

Another possibility is the arp-cache on your perimeter next hop, be it a router/public switch. It will have an old arp entry for the public ip of the old firewall and you have now replaced this ip with new hardware - you could clear the arp-cache or even reboot the next hop equipment.

Have you done any debugging?
Check if it's failing at phase 1 or 2

Starting with the below will be helpful to see where it's going astray

debug cry isakmp

hth

Author Comment

by:walcointl
ID: 33753465
Output of debug, the 64.x.x.x address is the remote host I'm trying to reach.

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:64.X.X.X, dest:67.X.X.X spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3103086274

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:64.X.X.X, dest:67.X.X.X spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2950305706
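Added example, not part of the thread: a small Python classifier that reads PIX 6.3 "debug crypto isakmp" output like the post above and reports whether the negotiation died in phase 1 or phase 2, the check nodisco suggested. The sample input is constructed from the masked lines in the post; the diagnosis strings are my reading of the standard PIX messages (notify 14 is NO-PROPOSAL-CHOSEN, protocol 3 is ESP).

```python
import re

# Constructed sample: the shape of the PIX debug lines quoted in the thread
# (peer addresses masked as in the post).
SAMPLE_DEBUG = """\
crypto_isakmp_process_block:src:64.X.X.X, dest:67.X.X.X spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3103086274
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
"""

# Exchange markers the PIX prints: OAK_MM/OAK_AG are IKE phase 1, OAK_QM is phase 2.
EXCHANGE_PHASE = {"OAK_MM": 1, "OAK_AG": 1, "OAK_QM": 2}


def classify_isakmp_debug(text):
    """Summarise where an IKE negotiation failed in PIX isakmp debug output."""
    r = {"phase": None, "exchange": None, "transform": None, "atts_accepted": False,
         "policy_invalidated": False, "sa_rejected": False, "notify": None,
         "diagnosis": "no failure seen"}
    for line in text.splitlines():
        m = re.search(r"\b(OAK_MM|OAK_AG|OAK_QM)\b", line)  # "OAK_QM exchange"
        if m:
            r["exchange"], r["phase"] = m.group(1), EXCHANGE_PHASE[m.group(1)]
        m = re.search(r"transform \d+, (\S+)", line)
        if m:
            r["transform"] = m.group(1)
        r["atts_accepted"] |= "atts are acceptable" in line
        r["policy_invalidated"] |= "IPSec policy invalidated proposal" in line
        r["sa_rejected"] |= "SA not acceptable" in line
        m = re.search(r"sending NOTIFY message (\d+) protocol (\d+)", line)
        if m:
            r["notify"] = (int(m.group(1)), int(m.group(2)))  # (14, 3) = NO-PROPOSAL-CHOSEN, ESP
    if r["sa_rejected"] and r["phase"] == 2 and r["atts_accepted"]:
        # Phase 1 already completed and the transform matched, so the local IPsec
        # policy (crypto map entry: crypto ACL proxy identities / peer) rejected it.
        r["diagnosis"] = "phase 2 rejected by local IPsec policy (check crypto map ACL/peer)"
    elif r["sa_rejected"] and r["phase"] == 2:
        r["diagnosis"] = "phase 2 transform mismatch (check transform-set)"
    elif r["sa_rejected"]:
        r["diagnosis"] = "phase 1 failure (check isakmp policy / pre-shared key)"
    return r
```

In the posted output the transform attributes were accepted and the rejection came afterwards inside quick mode, so the classifier points at the crypto map match rather than the pre-shared key or isakmp policy.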

Author Comment

by:walcointl
ID: 33753484
I got it, thanks nodisco