Wow, 3 responses so far!
on 2007-09-12 11:56 Christopher J. Wargaski said the following:
> I have seen this when there is a routing problem. Can the 515 ping the
> outside interface of the 501?

Yes, there is 100% reachability on both sides.

on 2007-09-12 23:08 Glenn Crissman said the following:
> First guess is check your NAT 0 access lists on both sides. If you don't
> have an acl entry there matching your interesting traffic acl for the
> 515 / 501 L2L VPN it won't attempt to come up. The PIX will NAT the
> traffic (or at least attempt to) before it hits the crypto engine.

I've cleared the nat 0 entries on both sides already...I'm reasonably
sure that's not it. We're not even seeing IPSec try to *start*, basically.

on 2007-09-12 16:38 Julian M. Dragut said the following:
> I've had the same issue with 515 and 2 X 505's running 6.4, and I had
> to remove the crypto map from the 515 before adding the second 505,
> and then re-apply it to the interface.
> It looks like the ACL and maps could get corrupted, therefore, before
> adding anything to the crypto map, I always make sure I unbind it,
> make the changes and then rebind it.

This seems like the most likely candidate. We'll have to find time to
bring down all the VPNs and try rebuilding from scratch.

jerry b. altzman
thank you for contributing to the heat death of the universe.
firewall-wizards mailing list