Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

How to delete a ISAKMP SA?

Status
Not open for further replies.
Oh

Oh

IS-IT--Management
Jun 24, 2002
92
JP
Hi
I config my PIX as HUB-SPOKEN mode. Sometimes one VPN peer in trouble and I delete the IPSEC SA at branch side and it will continue working. Sometimes I delete ISAKMP SA at branch side, but the HUB side there is still the ISAKMP SA about the peer. I can'T find the command about delete the ISAKMP SA by only one. the Command "clear isakmp sa" will delete all ISAKMP SA! So how can I delete only one ISAKMP SA in group og SAs?
And, when you finished configurations about the PIX, how to troubleshooting when the VPN tunnel was broken? Do you guys have something like howto or guide such things?

thanks

oh
 
Sort by date Sort by votes
HI.

It's not so easy to determine if the tunnel is broken.
When you have the problems, can the perimeter routers on each side ping each other? or can the pix boxes ping each other if you don't block ICMP?

You should also check the best MTU for hosts - especially servers on each side of the tunnel.

I had some problems with servers connecting over pix to pix VPN (both pix ver 6.1), and found that a better MTU will be 950 bytes. Found this using ping with different packet sizes.
I don't have scientific explanations for this but it seems to help once we changed the MTU on both sides of the tunnel.

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
Hi, yizhar:

Thanks for your help!

I want know what you do after one PC behind a PIX can't connect server behind the other peer side PIX? If the ISAKMP SA and the IPSEC are all ok, it is possiable caused by routers of the ISP?
And if you change the MTU to 950, does it effect the speed? I guess it will mkae the speed little slower.

Oh


 
Upvote 0 Downvote
HI.

Well, when you have such problems, you should follow your intuition and try to eliminate possible points in a logic way.
Here are some things that I can think of, but there is more to check:
Use ping between the pix boxes or the routers on both sides.
Check syslog messages.
Check the isakmp and ipsec timeouts on both sides.
For the MTU think, do the check when the tunnel is working fine, and simply ping with different packet sizes to find the best.
Using a small MTU might reduce performance of local LAN communication but this will probably not be noticeable, and if it fixes WAN communication then it should be done.

My KIT utility might help you troubleshooting this issue.
Install it on both sides of the tunnel and configure it to ping every X minutes, create a log file, and also send you emails.
This info may help you diagnose the problem, and maybe such periodic ping activity will keep the tunnel up.

Try also to search this forum and the VPN forum here in tek-tips, similar issues were discussed in other posts and you will probably find more info and tips.

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
697
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
AnyConnect + Azure + SAML
Replies
0
Views
509
Sparrow4
Sparrow4
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
602
Johnkite
Johnkite
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
527
nnaarrnn
nnaarrnn
quar
  • Locked
  • Question
Moving a rule
Replies
2
Views
264
iggsterman
iggsterman

Part and Inventory Search

Sponsor

Back
Top