Cisco PIX 501 does not re-establish VPN after DSL disconnection and reconnection

LudwigForster
Level 1

Hello,

We have the problem that our Cisco PIX 501 6.3(4) no longer brings up the VPN tunnel after the provider disconnects the DSL line after 24 hours and re-establishes it. Afterwards the tunnel appears to be up, but it no longer passes any connections. Only after restarting the PIX, or unplugging and reconnecting the cable, does the tunnel come back up. Otherwise everything runs perfectly.

The PIX builds a connection to a Cisco Concentrator 3002.

Here is our configuration:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface eth0 auto
enable password XXXXX
passwd XXXXX
hostname PIX4322
domain-name network.net
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.50.16.41 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
pdm location 10.50.0.0 255.255.0.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
route outside 10.50.0.0 255.255.0.0 X.X.X.X 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
management-access inside
telnet 10.50.0.0 255.255.0.0 inside
floodguard enable
telnet timeout 5
ssh timeout 5
dhcpd address 10.50.16.42-10.50.16.46 inside
dhcpd dns 10.50.20.102 10.50.20.103
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain network.net
dhcpd auto_config outside
dhcpd enable inside
vpnclient vpngroup VPNLAN password xxxxxxxxxxxxxxxx
vpnclient username PIX999 password xxxxxxxxxxxxxxxxxx
vpnclient server X.X.X.X
vpnclient mode network-extension-mode
vpnclient enable

Does anyone have an idea? Thank you.

Regards

Ludwig

3 Replies

aacole
Level 5

Ludwig,

This problem is most likely due to the IPSec tunnel remaining active, as there are no keepalives being sent. So the link fails, but each VPN device is unaware of the failure.

There is a command `isakmp keepalive` which enables this feature in client and L2L VPNs.

I'm not sure if this will work with the PIX when configured for EzVPN, but it's worth a try.

If not, then there are options on the concentrator to enable this feature; it may solve your problem here.

Andy
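The failure Andy describes, as an added example that is not part of the thread and not Cisco's code: a small Python model of a PIX-to-concentrator tunnel across a DSL outage, run once without keepalives and once with a PIX-style `isakmp keepalive 10 5` (probe every 10 s, retry every 5 s). The outage timing, the 28800-second SA lifetime, the premise that the concentrator's side of the tunnel is cleared when the DSL session drops, and the three-retry limit before the peer is declared dead are all constructed for the model, not documented PIX or concentrator behaviour.

```python
"""Why an IPsec tunnel can look 'up' after a DSL flap, and how IKE keepalives
(dead peer detection) recover it.

Added example for this thread, not Cisco code and not the poster's configuration.
Constructed premise: after the DSL session is rebuilt the concentrator no longer
has a matching SA, while the PIX still holds its own SA and keeps sending into it.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Keepalive:
    """PIX-style 'isakmp keepalive <interval> <retry>'. The number of retries
    before the peer is declared dead is an assumption of this model."""
    interval: int
    retry: int
    max_retries: int = 3


@dataclass
class Result:
    declared_dead_at: Optional[int]  # second the PIX gave up on its stale SA
    recovered_at: Optional[int]      # second a fresh tunnel came up after the outage
    blackholed: int                  # data packets sent into the dead tunnel
    log: List[str] = field(default_factory=list)


def simulate(keepalive: Optional[Keepalive], outage=(100, 130),
             lifetime=28800, horizon=600) -> Result:
    """One tick per second. The inside network offers one packet per second; a
    packet gets through only if the link is up and both peers hold the SA."""
    outage_start, outage_end = outage

    def link_up(t: int) -> bool:
        return not (outage_start <= t < outage_end)

    pix_sa = conc_sa = True          # tunnel established at t=0
    pix_sa_built = 0
    blackholed = 0
    declared_dead_at = recovered_at = None
    next_probe = keepalive.interval if keepalive else 0
    probe_sent_at: Optional[int] = None
    misses = 0
    log: List[str] = []

    for t in range(1, horizon + 1):
        up = link_up(t)
        if t == outage_start:        # constructed premise: concentrator side is cleared
            conc_sa = False
            log.append(f"t={t}: DSL down; concentrator drops its SA, PIX keeps its own")

        if not pix_sa and up:        # no SA and a working link: PIX re-initiates IKE,
            pix_sa = conc_sa = True  # modelled as completing within the same second
            pix_sa_built = t
            probe_sent_at, misses = None, 0
            next_probe = t + keepalive.interval if keepalive else 0
            recovered_at = t if recovered_at is None else recovered_at
            log.append(f"t={t}: new tunnel negotiated")

        if not pix_sa:
            continue                 # nothing to send, nothing to probe

        if t - pix_sa_built >= lifetime:
            pix_sa = False           # without keepalives, the only exit from a dead SA
            log.append(f"t={t}: PIX SA lifetime expired, stale tunnel finally torn down")
            continue

        if not (up and conc_sa):
            blackholed += 1          # ESP leaves the PIX; nobody on the far side decrypts it

        if keepalive is None:
            continue

        if probe_sent_at is None and t >= next_probe:
            probe_sent_at = t        # send R-U-THERE over the IKE SA
        if probe_sent_at is not None:
            if up and conc_sa:       # R-U-THERE-ACK comes back
                probe_sent_at, misses = None, 0
                next_probe = t + keepalive.interval
            elif t - probe_sent_at >= keepalive.retry:
                misses += 1          # unanswered: retransmit the probe
                probe_sent_at = t
                if misses > keepalive.max_retries:
                    pix_sa = False   # declare the peer dead and drop the stale SA
                    declared_dead_at = t
                    probe_sent_at, misses = None, 0
                    log.append(f"t={t}: keepalive retries exhausted, PIX tears down its SA")

    return Result(declared_dead_at, recovered_at, blackholed, log)


if __name__ == "__main__":
    for label, ka in (("no keepalive", None), ("isakmp keepalive 10 5", Keepalive(10, 5))):
        r = simulate(ka)
        print(f"{label}: dead_at={r.declared_dead_at} recovered_at={r.recovered_at} "
              f"blackholed={r.blackholed}")
        for line in r.log:
            print("  " + line)
```

Running it reproduces the symptom from the original post: without keepalives the PIX keeps its SA and silently black-holes every packet until the SA lifetime expires (28800 s in the model), which is why only a reboot or a cable pull brought the tunnel back; with the probe the PIX notices the dead peer within one interval plus the retries and renegotiates as soon as the DSL is back. The probe only protects the side that sends it, so both the PIX and the concentrator need it configured. Unrelated to the keepalive question, the posted configuration still carries `snmp-server community public` on a box whose outside interface is on a provider-assigned address; a practitioner reviewing it would change that community or disable SNMP before worrying about the tunnel.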

Hello Andy,

Thank you for your information. Apparently the "isakmp alive" function works with Easy VPN, but it did not solve my problem. The VPN tunnel is still not up. I just added the line "isakmp alive 30". Or was this not enough?

Do you have a tip on which options I could enable on my concentrator to fix it?

Thanks in advance.

Ludwig

Verify whether the concentrator still maintains an active session for this particular PIX: go to Monitoring | Sessions.

Further, to configure ISAKMP keepalive on the concentrator, go to Configuration | User Management | Groups | IPSec, the third option.
