Some people play darts with a picture of their boss. I have a poster of Contivity...
"Noonan, Wesley" wrote:
> The PIX is bringing up tons (more specifically hundreds) of tunnels and
> according to my IS guys reporting something like 180 networks behind the VPN
> (I have but one, and am doing no routing what-so-ever). I have been thus far
> unable to get them to clarify exactly what that (reporting 180 networks...)
> means.

I don't understand your problem. Normally you must configure ACLs on both sides with the networks that are transmitted through the tunnel. OK, at Nortel it's a little bit different from the ACLs of the PIX, but it works for me.

> My biggest wonderment though is why the PIX is bringing up multiple tunnels.
> The IS folks are saying that it appears to them that the PIX takes the
> tunnel down, but the Contivity doesn't know about it, leaving the Contivity
> with what they call "ghost tunnels". When the PIX needs to connect again, a
> new tunnel is brought up. I am told that the Contivity is "several revisions
> back coded", but an upgrade has been applied and it is just a matter of
> change control to actually cut over to the new code (hence why no one has
> called Nortel yet, as they are likely going to say upgrade the code).

I often see multiple SAs for the same tunnel on the Contivity too, but never on the PIX. It really looks like the SA is timed out but not deleted. Normally the shortest lifetime of the two peers will be taken. Did you test it with a shorter lifetime on the Contivity than on the PIX?

Regards
Dirk

-- 
energis-ISION
Dirk Pfau
IP Network / iSecurity
Harburger Schlossstr. 1
D-21079 Hamburg
Fon: +49 40 77175-538
eMail: [EMAIL PROTECTED]
Web: http://www.energis-ision.com
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
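The two things Dirk's reply asks about, a crypto ACL that names exactly the networks allowed through the tunnel and SA lifetimes that can be compared with the far end's, look like this on the PIX side of a site-to-site tunnel. This is an added example for this thread, not configuration from Wesley's PIX or from Nortel; the interface name, network ranges, peer address 192.0.2.10 and the map/ACL names are placeholders. The PIX 6.x command syntax itself is real.

```text
! Interesting traffic: one line per (local, remote) network pair.
! Each line that matches negotiates its own IPsec SA pair, so keep this
! list identical to the Contivity's policy; extra entries on either side
! mean extra SAs or failed proposals.
access-list vpn-to-contivity permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! Do not NAT traffic that is going into the tunnel (placeholder ACL reused).
nat (inside) 0 access-list vpn-to-contivity

! Phase 2 transform and an explicit global IPsec SA lifetime (seconds).
! Compare this value with the Contivity's IPsec lifetime; the two peers
! settle on the shorter one at negotiation.
crypto ipsec transform-set to-nortel esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600

crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn-to-contivity
crypto map outside_map 10 set peer 192.0.2.10
crypto map outside_map 10 set transform-set to-nortel
! Per-map lifetime overrides the global one; set it deliberately so there
! is one number to hand to the Contivity admins.
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map interface outside

! Phase 1 (ISAKMP). The ISAKMP lifetime is separate from the IPsec one;
! both should be compared with the far end.
isakmp enable outside
isakmp key ******** address 192.0.2.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Let decrypted tunnel traffic bypass the interface ACLs.
sysopt connection permit-ipsec
```

To see how many tunnels the PIX actually holds, use `show crypto isakmp sa` (one entry per phase 1 SA per peer) and `show crypto ipsec sa` (one inbound/outbound ESP SA pair per matching ACL line, with the remaining lifetime shown for each). If the far end reports many more SAs than those commands show, the extra ones are the "ghost tunnels" Dirk describes: SAs that expired on the PIX but were never deleted on the Contivity. `clear crypto ipsec sa` and `clear crypto isakmp sa` tear everything down on the PIX side so the next negotiation starts clean, which is a quick way to test the shorter-lifetime-on-the-Contivity idea.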
