[VPN] End-to-end IPSEC check

TSimons at Delphi-Tech.com
Sun May 4 21:21:33 EDT 2003

I'm not sure if this affects Cisco to Cisco VPNs.  I know it greatly
affected Cisco to Symantec Enterprise Firewall VPNs on re-negotiation.  The
first IKE/IPSEC negotiation would go through fine.   ...subsequent
re-negotiations always failed.


As fantastic as Cisco's IOS is, it's not completely bug-free. And
unfortunately, these bugs often occur in the most complicated configurations
like IPsec implementations.  One particularly annoying issue that plagues
several versions happens when IOS attempts to set up an encrypted tunnel,
but the tunnel fails.  At some point, the information in the router's memory
doesn't get cleared when it should, and this prevents the success of future
attempts.  This can drive
technicians crazy, because the configuration was working in the past, and
suddenly seems not to be working.

Read the entire tip here:

This is fixed in PIX IOS v6.3(1)

-----Original Message-----
From: Morillo, Carlos [mailto:Carlos.Morillo at CottonStates.com]
Sent: Saturday, May 03, 2003 11:15 AM
To: 'vpn at lists.shmoo.com'
Subject: [VPN] End-to-end IPSEC check

Are there any good tools that can help me check end-to-end IPSEC?  I ran a
Cisco VPN using 3000 concentrators at the corporate office and PIX501 at the
235 remote locations (over broadband, mostly DSL).

The problem I'm experiencing is definitely related to network connectivity...
Everywhere there is a storm I lose a fairly large number of connections,
the concentrator can complete phase I but it never receives any phase II
data, so it keeps retrying.


Carlos Morillo
Atlanta, GA