Wow, 3 responses so far!
on 2007-09-12 11:56 Christopher J. Wargaski said the following:
> I have seen this when there is a routing problem. Can the 515 ping the
> outside interface of the 501?


Yes, there is 100% reachability on both sides.

on 2007-09-12 23:08 Glenn Crissman said the following:
> First guess is check your NAT 0 access lists on both sides. If you don't
> have an acl entry there matching your interesting traffic acl for the
> 515 / 501 L2L VPN it won't attempt to come up. The PIX will NAT the
> traffic (or at least attempt to) before it hits the crypto engine.


I've cleared the nat 0 entries on both sides already... I'm reasonably
sure that's not it. We're not even seeing IPSec try to *start*, basically.

on 2007-09-12 16:38 Julian M. Dragut said the following:
> I've had the same issue with a 515 and 2 x 505s running 6.4, and I had
> to remove the crypto map from the 515 before adding the second 505,
> and then re-apply it to the interface.
>
> It looks like the ACL and maps could get corrupted, therefore, before
> adding anything to the crypto map, I always make sure I unbind it,
> make the changes and then rebind it.


This seems like the most likely candidate. We'll have to find time to
bring down all the VPNs and try rebuilding from scratch.

//jbaltz
--
jerry b. altzman jbaltz@altzman.com www.jbaltz.com
thank you for contributing to the heat death of the universe.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards
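An added example, not part of the thread and not anyone's posted config, putting Glenn's and Julian's two points side by side for the 515 end of a PIX 6.x L2L tunnel: a NAT 0 exemption that does not mirror the crypto ACL (so traffic gets NATed and the crypto map never triggers, which is exactly the "IPSec never tries to start" symptom) next to the matching form, followed by the unbind/edit/rebind sequence and the show/debug commands that tell you whether phase 1 is even being attempted. All addresses (RFC 5737/1918), ACL names, the map name, the peer and the pre-shared key are assumptions for illustration; lines beginning with "!" are annotations, not PIX commands. The remark that a 6.x interface takes a single `nat 0 access-list` statement, so a second tunnel is added as more lines in the same ACL, is my recollection of 6.x behaviour and should be checked against the release in use.

```cisco
! Added example (not from the thread). PIX 6.x, 515 side, L2L to the 501 site.
! Inside 10.1.1.0/24 behind this PIX, 10.2.2.0/24 behind the 501 at 203.0.113.2.
!
! Interesting traffic for the tunnel to the 501 (what the crypto map matches).
access-list l2l-501 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! BROKEN (shown commented out): exemption narrower than the crypto ACL.
! Anything to 10.2.2.0/24 other than 10.2.2.5 falls through to nat 1, is
! PATed to the outside address, no longer matches l2l-501, and the crypto
! map never fires. No ISAKMP packet is ever sent, so nothing shows up.
! access-list nonat-wrong permit ip 10.1.1.0 255.255.255.0 10.2.2.5 255.255.255.255
! nat (inside) 0 access-list nonat-wrong
!
! CORRECT: exempt exactly the flows the crypto ACL describes. One nat 0
! statement per interface; a second tunnel gets more lines in this same ACL,
! not a second "nat (inside) 0 access-list" pointing at a different list.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Phase 1 (assumed pre-shared key and policy; use a real key).
isakmp enable outside
isakmp key ExamplePSK-change-me address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! Phase 2.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address l2l-501
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-3DES-SHA
sysopt connection permit-ipsec
!
! Julian's sequence: unbind the map, make the change, rebind it.
no crypto map outside_map interface outside
!   ... add the second peer here as a new sequence number (e.g. 20) with its
!   own match address / set peer / set transform-set, and append its subnet
!   to the "nonat" ACL above ...
crypto map outside_map interface outside
!
! Checks, in the order a practitioner would run them:
! show access-list nonat       hitcnt on the exemption line climbs when you
!                              send traffic from 10.1.1.x to 10.2.2.x
! show isakmp sa               empty while sending traffic = no phase 1 attempt
! show crypto ipsec sa         #pkts encaps/decaps per peer once phase 2 is up
! debug crypto isakmp          watch for the first MM_NO_STATE / main mode
!                              exchange; silence here with nonat hits missing
!                              points at NAT eating the traffic, not at IKE
```

The diagnostic value is in the combination: hit counts on the `nonat` ACL tell you whether the traffic is being exempted from translation at all, and `show isakmp sa` tells you whether the crypto map ever reached the point of starting IKE. If the first is zero, the NAT side is the problem; if the first climbs but the second stays empty, look at the crypto map binding and ACL, which is where Julian's unbind/rebind comes in.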