PIX VPN to ASA failing after several hours following upgrade

sturner1980
Level 1

Hi,

I've got a PIX 515e firewall on a branch site running version 7.2.4.7(LD) connecting via a VPN to an ASA at the HQ running 7.2.5 code. After several hours it is no longer possible to ping either the PIX or hosts behind it on the branch LAN, though the tunnel still shows as being up. In order to bring the link back up, the local PIX has to be rebooted.

The connection used to work with no problems when I was running PIX version 7.2.1 software, but this had to be upgraded to 7.2.4 to support the new TCP normalization commands. VPN connections to other branch sites running PIX 7.2.1 remain active with no problems. The reason for the upgrade is to implement WAN acceleration between the sites; however, I still encounter this problem even when the WAN acceleration hosts are not installed.


In addition to the software upgrade I added the following configuration to both the ASA and the PIX:

tcp-map wanx_tcpmap
  synack-data allow
  invalid-ack allow
  seq-past-window allow
  tcp-options range 28 28 allow
  tcp-options range 26 26 allow
  no ttl-evasion-protection
  urgent-flag allow
class-map wanx-class
  match any
policy-map global_policy
  class wanx-class
    set connection random-sequence-number disable
    set connection advanced-options wanx_tcpmap

The ASA originally had this code but the PIX did not, and the VPN was stable. After upgrading the PIX and adding the code, the link was no longer stable.

Has anyone encountered this type of issue before?

Thanks
Steve

1 Reply

Yudong Wu
Level 7

I would suggest you have someone at the remote office console into the problem PIX and check its memory and CPU utilization.

After you reload the PIX, capture the memory and CPU status. When the issue happens, capture it again.