R: [c-nsp] lan-to-lan pix-vpn3k unidirectional problem
Andrew Yourtchenko
ayourtch at cisco.com
Fri Nov 25 17:08:32 EST 2005
> you add a new crypto map entry, you ALWAYS have to de-apply and re-apply
> it for it to work correctly. I've even run into a lot of instances
> where changing the crypto map without de-applying it kills the pix and
> it needs to be physically powered off and on (management is dead). I
> generally use notepad and set up something like this.
In the early versions, a newly added crypto map entry would mean
"encrypt everything". And since the set peer statement was absent, and
the transform set was absent - this would indeed nuke your SSH session from
outside - it would try to encrypt it, but there were no rules.
For quite a while now you should no longer need to remove the
crypto map from the interface before changing it - any entries that are
incomplete are inactive until their configuration is finished, so it
should work. (CSCea89724 is a reference WRT when this was done -
6.2.3/6.3.2 and later should work as I have described.)
Indeed removing/reapplying the crypto map as you mentioned works as well.
If while changing the crypto map your _serial_ console went dead - then it
would be a separate story with some different reason - which I cannot
think of - never seen this happening.
thanks,
andrew
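As an added illustration (not from either poster in this thread), here is the PIX 6.x command order that builds a complete LAN-to-LAN crypto map entry, so that the entry only becomes eligible for traffic once its match address, peer and transform set are all present; the map and ACL names, networks, peer address and pre-shared key are assumed placeholders.

```cisco
! --- Phase 1 (ISAKMP) for the new peer; placeholder key and address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key EXAMPLE-PSK address 192.0.2.10 netmask 255.255.255.255

! --- Interesting traffic for this tunnel only (assumed networks)
access-list vpn-to-siteB permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! --- Phase 2 transform set
crypto ipsec transform-set strong esp-3des esp-sha-hmac

! --- On releases before CSCea89724 (pre 6.2.3/6.3.2) take the map off the
! --- interface first, otherwise the half-built entry below can match everything
! --- (including the management session) while it has no peer / transform set.
no crypto map outside_map interface outside

! --- Build the entry completely: match address, set peer, set transform-set
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address vpn-to-siteB
crypto map outside_map 20 set peer 192.0.2.10
crypto map outside_map 20 set transform-set strong

! --- Only now bind the map back to the interface
crypto map outside_map interface outside
sysopt connection permit-ipsec
```

On 6.2.3/6.3.2 and later the "no crypto map ... interface" / re-apply pair is not required, because an entry without a peer or transform set stays inactive until it is complete; keeping the entry lines together still avoids a window where a partial entry is live.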