PIX site-to-site VPN Connection Problem

PIX site-to-site VPN Connection Problem

Post by Lars Purschk » Wed, 08 Oct 2003 02:08:31



Hi!

We have two PIX 501 connected site-to-site via VPN. The remote clients
connect to an AS/400 server on the main site by telnet and by IBM
Access Clients.

Several times a week the VPN connection breaks down and I only get it
working again by rebooting both PIX. On both PIX the log files say that
the VPN connection is still established, but there is no traffic passing
through the tunnel any more. The internet access is working all the time.

We've already replaced the devices but nothing has changed.

Are there any known problems with IBM Access Clients and the PIX? Could
it be a timeout issue? Could it be a problem with the 10-user licence on
the remote PIX? Has anyone seen anything like this before and have ideas of
how to fix it?

Thanks,
Lars

main site:

access-list vpnaccess permit ip 192.168.xxx.0 255.255.255.0 192.168.xxx.0 255.255.255.0
ip audit info action drop
ip audit attack action drop
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset0 esp-3des esp-md5-hmac
crypto dynamic-map myvpn0 1 set transform-set myset0
crypto map vpnmap 10 ipsec-isakmp dynamic myvpn0
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ***** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 10000
timeout xlate 5:00:00
timeout conn 2:30:00 half-closed 0:10:00 udp 2:30:00 rpc 2:30:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

remote site:

access-list vpnaccess permit ip 192.168.xxx.0 255.255.255.0 192.168.xxx.0 255.255.255.0
ip audit info action drop
ip audit attack action drop
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpnaccess
crypto map vpnmap 10 set peer xxx.xxx.xxx.xxx
crypto map vpnmap 10 set transform-set myset1
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ***** address xxx.xxx.xxx.xxx netmask 255.255.255.255
no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 10000
timeout xlate 5:00:00
timeout conn 2:30:00 half-closed 0:10:00 udp 2:30:00 rpc 2:30:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute


PIX site-to-site VPN Connection Problem

Post by This Old Ma » Wed, 08 Oct 2003 03:02:03


We are doing the same and have no problems with green-screen users. We had
one user complain, when using the IBM CA's ODBC driver for a third-party
client-server application, that he would be disconnected if he left his desk
for an hour or so, so I changed the timeout conn to 9 hours and it's working
great now.

timeout conn 9:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00


> Hi!

> We have two PIX 501 connected site-to-site via VPN. The remote clients
> connect to an AS/400 server on the main site by telnet and by IBM
> Access Clients.

> Several times a week the VPN connection breaks down and I only get it
> working again by rebooting both PIX. On both PIX the log files say that
> the VPN connection is still established, but there is no traffic passing
> through the tunnel any more. The internet access is working all the time.

> We've already replaced the devices but nothing has changed.

> Are there any known problems with IBM Access Clients and the PIX? Could
> it be a timeout issue? Could it be a problem with the 10-user licence on
> the remote PIX? Has anyone seen anything like this before and have ideas of
> how to fix it?

> Thanks,
> Lars

> main site:

> access-list vpnaccess permit ip 192.168.xxx.0 255.255.255.0 192.168.xxx.0 255.255.255.0
> ip audit info action drop
> ip audit attack action drop
> sysopt connection permit-ipsec
> no sysopt route dnat
> crypto ipsec transform-set myset0 esp-3des esp-md5-hmac
> crypto dynamic-map myvpn0 1 set transform-set myset0
> crypto map vpnmap 10 ipsec-isakmp dynamic myvpn0
> crypto map vpnmap interface outside
> isakmp enable outside
> isakmp key ***** address 0.0.0.0 netmask 0.0.0.0
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption 3des
> isakmp policy 10 hash md5
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 10000
> timeout xlate 5:00:00
> timeout conn 2:30:00 half-closed 0:10:00 udp 2:30:00 rpc 2:30:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute

> remote site:

> access-list vpnaccess permit ip 192.168.xxx.0 255.255.255.0 192.168.xxx.0 255.255.255.0
> ip audit info action drop
> ip audit attack action drop
> sysopt connection permit-ipsec
> no sysopt route dnat
> crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
> crypto map vpnmap 10 ipsec-isakmp
> crypto map vpnmap 10 match address vpnaccess
> crypto map vpnmap 10 set peer xxx.xxx.xxx.xxx
> crypto map vpnmap 10 set transform-set myset1
> crypto map vpnmap interface outside
> isakmp enable outside
> isakmp key ***** address xxx.xxx.xxx.xxx netmask 255.255.255.255
> no-xauth no-config-mode
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption 3des
> isakmp policy 10 hash md5
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 10000
> timeout xlate 5:00:00
> timeout conn 2:30:00 half-closed 0:10:00 udp 2:30:00 rpc 2:30:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute

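A small checker added here (not code from any poster in the thread) that covers the two configuration questions raised above: whether the ISAKMP policy and IPsec transform set that Lars posted for the two sites actually agree, and how the posted "timeout conn" values (2:30:00 on both sites, 9:00:00 in the reply) relate to a user who leaves a telnet or ODBC session idle. The config excerpts are constructed from the lines in the thread; the redacted addresses and key are left out.

```python
import re

# Constructed excerpts of the two PIX 501 configs posted in the thread
# (only the lines the checks below need; "xxx" placeholders and key omitted).
MAIN_SITE = """\
crypto ipsec transform-set myset0 esp-3des esp-md5-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 10000
timeout xlate 5:00:00
timeout conn 2:30:00 half-closed 0:10:00 udp 2:30:00 rpc 2:30:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
"""
# Remote site as posted, but with the 9-hour "timeout conn" from the reply applied.
REMOTE_SITE = """\
crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 10000
timeout conn 9:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
"""

def hms_to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_pix(text):
    """Pull ISAKMP policy attributes, the IPsec transform set and timeouts (in seconds)."""
    cfg = {"isakmp": {}, "transform": None, "timeouts": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"isakmp policy \d+ (\w+) (\S+)$", line):
            cfg["isakmp"][m.group(1)] = m.group(2)
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)$", line):
            cfg["transform"] = tuple(m.group(1).split())
        elif line.startswith("timeout "):
            parts = line.split()[1:]          # name value name value ... (a trailing
            for name, value in zip(parts[0::2], parts[1::2]):  # keyword like "absolute" is skipped)
                cfg["timeouts"][name] = hms_to_seconds(value)
    return cfg

def phase_mismatches(a, b):
    """ISAKMP attributes or transform set that differ between the two peers."""
    keys = ("authentication", "encryption", "hash", "group", "lifetime")
    bad = [k for k in keys if a["isakmp"].get(k) != b["isakmp"].get(k)]
    if a["transform"] != b["transform"]:
        bad.append("transform-set")
    return bad

def idle_tcp_session_survives(cfg, idle_seconds):
    """True if a TCP session idle for idle_seconds is still inside 'timeout conn'."""
    return idle_seconds < cfg["timeouts"]["conn"]
```

Running it on the posted configs reports no phase 1/phase 2 mismatch, which is consistent with the tunnel establishing; the idle check shows that a session left alone for three hours outlives the 9-hour value but not the original 2:30:00.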


PIX site-to-site VPN Connection Problem

Post by This Old Ma » Wed, 08 Oct 2003 03:07:13


Did you try adding the initiate and respond commands, such as:

crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond


> Hi!

> We have two PIX 501 connected site-to-site via VPN. The remote clients
> connect to an AS/400 server on the main site by telnet and by IBM
> Access Clients.

> Several times a week the VPN connection breaks down and I only get it
> working again by rebooting both PIX. On both PIX the log files say that
> the VPN connection is still established, but there is no traffic passing
> through the tunnel any more. The internet access is working all the time.

> We've already replaced the devices but nothing has changed.

> Are there any known problems with IBM Access Clients and the PIX? Could
> it be a timeout issue? Could it be a problem with the 10-user licence on
> the remote PIX? Has anyone seen anything like this before and have ideas of
> how to fix it?

> Thanks,
> Lars

> main site:

> access-list vpnaccess permit ip 192.168.xxx.0 255.255.255.0 192.168.xxx.0 255.255.255.0
> ip audit info action drop
> ip audit attack action drop
> sysopt connection permit-ipsec
> no sysopt route dnat
> crypto ipsec transform-set myset0 esp-3des esp-md5-hmac
> crypto dynamic-map myvpn0 1 set transform-set myset0
> crypto map vpnmap 10 ipsec-isakmp dynamic myvpn0
> crypto map vpnmap interface outside
> isakmp enable outside
> isakmp key ***** address 0.0.0.0 netmask 0.0.0.0
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption 3des
> isakmp policy 10 hash md5
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 10000
> timeout xlate 5:00:00
> timeout conn 2:30:00 half-closed 0:10:00 udp 2:30:00 rpc 2:30:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute

> remote site:

> access-list vpnaccess permit ip 192.168.xxx.0 255.255.255.0 192.168.xxx.0 255.255.255.0
> ip audit info action drop
> ip audit attack action drop
> sysopt connection permit-ipsec
> no sysopt route dnat
> crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
> crypto map vpnmap 10 ipsec-isakmp
> crypto map vpnmap 10 match address vpnaccess
> crypto map vpnmap 10 set peer xxx.xxx.xxx.xxx
> crypto map vpnmap 10 set transform-set myset1
> crypto map vpnmap interface outside
> isakmp enable outside
> isakmp key ***** address xxx.xxx.xxx.xxx netmask 255.255.255.255
> no-xauth no-config-mode
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption 3des
> isakmp policy 10 hash md5
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 10000
> timeout xlate 5:00:00
> timeout conn 2:30:00 half-closed 0:10:00 udp 2:30:00 rpc 2:30:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute


PIX site-to-site VPN Connection Problem

Post by Walter Robers » Wed, 08 Oct 2003 13:07:33




:We have two PIX 501 connected site-to-site via VPN.

:Several times a week the VPN connection breaks down and I only get it
:working again by rebooting both PIX.

:We've already replaced the devices but nothing has changed.

The power connectors on the 501 are not very secure, and if they
pull out a little then the PIX 501 will stop processing outside
packets but might still respond to the console. It is best to
firmly secure the power connectors on all PIX 501.
--
"Meme" is self-referential; memes exist if and only if the "meme" meme
exists. "Meme" is thus logically a meta-meme; but until the existence
of meta-memes is more widely recognized, "meta-meme" is not a meme.
   -- A Child's Garden Of Memes


PIX site-to-site VPN Connection Problem

Post by Lars Purschk » Wed, 08 Oct 2003 13:57:08


I've already done this. The Internet connection is working all the time.



> :We have two PIX 501 connected site-to-site via VPN.

> :Several times a week the VPN connection breaks down and I only get it
> :working again by rebooting both PIX.

> :We've already replaced the devices but nothing has changed.

> The power connectors on the 501 are not very secure, and if they
> pull out a little then the PIX 501 will stop processing outside
> packets but might still respond to the console. It is best to
> firmly secure the power connectors on all PIX 501.


PIX site-to-site VPN Connection Problem

Post by Lars Purschk » Tue, 14 Oct 2003 01:10:19


I've tried setting these commands on the main site. It works fine so far. Do I
have to set these commands on the remote PIX as well?

What do these commands do? I've searched the command reference, but I
do not understand the meaning quite well.

Thanks,
Lars


> Did you try adding the initiate and respond commands, such as:

> crypto map mymap client configuration address initiate
> crypto map mymap client configuration address respond



>>Hi!

>>We have two PIX 501 connected site-to-site via VPN. The remote clients
>>connect to an AS/400 server on the main site by telnet and by IBM
>>Access Clients.

>>Several times a week the VPN connection breaks down and I only get it
>>working again by rebooting both PIX. On both PIX the log files say that
>>the VPN connection is still established, but there is no traffic passing
>>through the tunnel any more. The internet access is working all the time.

>>We've already replaced the devices but nothing has changed.

>>Are there any known problems with IBM Access Clients and the PIX? Could
>>it be a timeout issue? Could it be a problem with the 10-user licence on
>>the remote PIX? Has anyone seen anything like this before and have ideas of
>>how to fix it?

>>Thanks,
>>Lars

>>main site:

>>access-list vpnaccess permit ip 192.168.xxx.0 255.255.255.0 192.168.xxx.0 255.255.255.0
>>ip audit info action drop
>>ip audit attack action drop
>>sysopt connection permit-ipsec
>>no sysopt route dnat
>>crypto ipsec transform-set myset0 esp-3des esp-md5-hmac
>>crypto dynamic-map myvpn0 1 set transform-set myset0
>>crypto map vpnmap 10 ipsec-isakmp dynamic myvpn0
>>crypto map vpnmap interface outside
>>isakmp enable outside
>>isakmp key ***** address 0.0.0.0 netmask 0.0.0.0
>>isakmp policy 10 authentication pre-share
>>isakmp policy 10 encryption 3des
>>isakmp policy 10 hash md5
>>isakmp policy 10 group 2
>>isakmp policy 10 lifetime 10000
>>timeout xlate 5:00:00
>>timeout conn 2:30:00 half-closed 0:10:00 udp 2:30:00 rpc 2:30:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
>>timeout uauth 0:05:00 absolute

>>remote site:

>>access-list vpnaccess permit ip 192.168.xxx.0 255.255.255.0 192.168.xxx.0 255.255.255.0
>>ip audit info action drop
>>ip audit attack action drop
>>sysopt connection permit-ipsec
>>no sysopt route dnat
>>crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
>>crypto map vpnmap 10 ipsec-isakmp
>>crypto map vpnmap 10 match address vpnaccess
>>crypto map vpnmap 10 set peer xxx.xxx.xxx.xxx
>>crypto map vpnmap 10 set transform-set myset1
>>crypto map vpnmap interface outside
>>isakmp enable outside
>>isakmp key ***** address xxx.xxx.xxx.xxx netmask 255.255.255.255
>>no-xauth no-config-mode
>>isakmp policy 10 authentication pre-share
>>isakmp policy 10 encryption 3des
>>isakmp policy 10 hash md5
>>isakmp policy 10 group 2
>>isakmp policy 10 lifetime 10000
>>timeout xlate 5:00:00
>>timeout conn 2:30:00 half-closed 0:10:00 udp 2:30:00 rpc 2:30:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
>>timeout uauth 0:05:00 absolute


1. PIX VPN site-to-site problems

Hi,

Can the same outside interface be used for normal internet traffic as well as
IPsec termination? A simplistic example being (along with the normal config):

nat (inside) 0 access-list blah [allowing normal internet non-nat'd traffic]
nat (inside) 1 x.x.x.x 255.255.255.0
access-list blah ip any any (for example)
access-group allow in interface outside

access-list 100 permit ip x.x.x.0 255.255.255.0 y.y.y.0 255.255.255.0
crypto map <map name> <seq no> match address 100

[x.x.x.0 being corporate network, y.y.y.0 being client network, and internet
somewhere in between]

Or, as well as using access-list 100 to define what is interesting to IPsec, do
you replicate its statement into access-list 'blah'?

i.e., one to allow it to be non-NAT'd, and one (in the VPN match address) to pick
IPsec traffic up as interesting.

Ta for your help all & hope my explanation is a little clearer than mud!
