11-17-2009 04:11 AM - edited 03-11-2019 09:40 AM
PIX525, v7.2(4).
Another firewall sits inside the PIX525, then out to the internet. A L2L VPN through the PIX525 hangs every few days and is recovered by rebooting the PIX525. The end peers report "IKE Responder: Remote party timeout - Retransmitting IKE request" and "IKE negotiation aborted due to timeout", while the PIX525 reports "%PIX-6-110003: Routing failed to locate next hop for UDP from inside:a.b.c.9/500 to inside:[remote_peer]/500".
Note the "inside:[remote_peer]" - this peer is actually outside, and the PIX525 even has a static host route for it:
route outside [remote_peer] 255.255.255.255 a.b.c.1 1
When this happens the PIX525 can actually ping remote_peer.
Sometimes this happens several times a day, sometimes it goes 5 days without issue.
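As an added example (not from the thread, the PIX, or Cisco), the following Python monitor parses %PIX-6-110003 syslog lines in the format quoted above and flags IKE/NAT-T (UDP/500, UDP/4500) flows whose logged destination interface disagrees with the static route for that peer, then raises one alert per burst of such failures. The sample log lines and the addresses 192.0.2.9 / 203.0.113.10 are constructed placeholders for a.b.c.9 and [remote_peer]; the route map is assumed from the `route outside` line in the post. A burst of these alerts would indicate the tunnel is about to stall, before the peers' IKE timeouts and the reboot.

```python
import re
import time
from collections import defaultdict, deque

# Constructed sample syslog lines (not from the thread). 192.0.2.0/24 and
# 203.0.113.0/24 are documentation ranges standing in for a.b.c.9 and
# [remote_peer]. The 110003 text follows the format quoted in the post;
# the 305011 line is just non-matching noise.
SAMPLE_LOG = """\
Nov 17 04:10:01 pix525 %PIX-6-305011: Built dynamic TCP translation from inside:192.0.2.20/51000 to outside:198.51.100.1/51000
Nov 17 04:11:02 pix525 %PIX-6-110003: Routing failed to locate next hop for UDP from inside:192.0.2.9/500 to inside:203.0.113.10/500
Nov 17 04:11:07 pix525 %PIX-6-110003: Routing failed to locate next hop for UDP from inside:192.0.2.9/500 to inside:203.0.113.10/500
Nov 17 04:11:15 pix525 %PIX-6-110003: Routing failed to locate next hop for TCP from inside:192.0.2.20/51000 to inside:198.51.100.7/443
Nov 17 04:11:21 pix525 %PIX-6-110003: Routing failed to locate next hop for UDP from inside:192.0.2.9/4500 to inside:203.0.113.10/4500
Nov 17 04:30:40 pix525 %PIX-6-110003: Routing failed to locate next hop for UDP from inside:192.0.2.9/500 to inside:203.0.113.10/500
"""

# %PIX-6-110003: Routing failed to locate next hop for <proto>
#   from <ifc>:<ip>/<port> to <ifc>:<ip>/<port>
PIX_110003 = re.compile(
    r"%PIX-6-110003: Routing failed to locate next hop for (?P<proto>\S+) "
    r"from (?P<src_ifc>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_ifc>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

ISAKMP_PORTS = {500, 4500}  # IKE and NAT-T


def parse_110003(line):
    """Return the fields of a %PIX-6-110003 line, or None for any other line."""
    m = PIX_110003.search(line)
    if not m:
        return None
    ev = m.groupdict()
    t = SYSLOG_TS.match(line)
    ev["ts"] = t.group("ts") if t else None
    ev["src_port"] = int(ev["src_port"])
    ev["dst_port"] = int(ev["dst_port"])
    return ev


def _ts_seconds(ts):
    """Syslog timestamp (no year) -> seconds, good enough for windowing."""
    tm = time.strptime(ts, "%b %d %H:%M:%S")
    return tm.tm_yday * 86400 + tm.tm_hour * 3600 + tm.tm_min * 60 + tm.tm_sec


def isakmp_next_hop_failures(lines, expected_egress):
    """Collect 110003 events for IKE/NAT-T traffic whose logged destination
    interface disagrees with the static route (expected_egress: {peer: ifc})."""
    out = []
    for line in lines:
        ev = parse_110003(line)
        if not ev or ev["proto"].upper() != "UDP" or ev["dst_port"] not in ISAKMP_PORTS:
            continue
        expected = expected_egress.get(ev["dst_ip"])
        if expected and ev["dst_ifc"] != expected:
            out.append((ev["ts"], ev["dst_ip"], ev["dst_ifc"], expected))
    return out


def burst_alerts(events, threshold=3, window_s=60):
    """Sliding-window count per peer; one alert per burst of >= threshold
    failures inside window_s seconds, then the window resets."""
    recent = defaultdict(deque)
    alerts = []
    for ts, peer, seen_ifc, expected in events:
        now = _ts_seconds(ts)
        q = recent[peer]
        q.append(now)
        while q and q[0] < now - window_s:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"peer": peer, "at": ts, "count": len(q),
                           "seen_ifc": seen_ifc, "expected_ifc": expected})
            q.clear()
    return alerts


if __name__ == "__main__":
    # Assumed from "route outside [remote_peer] 255.255.255.255 a.b.c.1 1"
    routes = {"203.0.113.10": "outside"}
    failures = isakmp_next_hop_failures(SAMPLE_LOG.splitlines(), routes)
    for alert in burst_alerts(failures):
        print(alert)
```

Feed it the firewall's syslog stream (or a saved file) and key the alert on the peer address; a single 110003 is noise, but three within a minute for a peer that has a static route pointing out the other interface is exactly the condition the post describes, and is worth catching before the remote peers start logging IKE timeouts.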
11-17-2009 05:20 AM
Hi there,
Did you recently upgrade the OS on this PIX? You might try disabling the isakmp keepalive mechanism.
Under your tunnel-group w.x.y.x ipsec-attributes:
isakmp keepalive disable
Not sure if that will fix your issue, but it worked for me when I had a similar sounding issue after upgrading a PIX OS.
11-17-2009 06:31 AM
It has been upgraded recently, from 7.2(1), after I saw bug ID CSCsf04123.
I have added that to the DefaultRAGroup, but I am a little dubious since this VPN goes through the PIX rather than terminating on it.
It may be a few days before I know if it's helped.
Thanks for the reply.