VPN with Pix in vpnclient mode and VPN Concentrator

marco
Level 1

Hello,

We have two sites.

In the first site there is a VPN Concentrator 3000, with a public address and all (relevant) ports opened.

In the second site there is an ISDN connection with an ISP that configured the router.

Behind this router there is a Pix 501.

No ports are opened or mapped on the front router.

So we have decided to make a VPN connection using the vpnclient functionality of the Pix.

We also opened the UDP port 4500 on the VPNCONC in order to make a NAT-T connection.

The pix configuration is this:

---------------------------------

vpnclient server xxx.xxx.xxx.xxx

vpnclient mode network-extension-mode

vpnclient vpngroup lan2lan password ********

vpnclient username lan2lanuser password ********

---------------------------------

On the VPN concentrator we enabled the "Allow Network Extension Mode" on the lan2lan group.

We also enabled the split-tunnel on this group.

The VPN connection runs well: the tunnel is established and all seems to be ok.

But there is a strange behaviour: when the VPN tunnel is UP ("vpnclient enable" command), if a user behind the network protected by the PIX tries to make a long connection (for example an FTP download), after a few seconds (about 10 or less) the connection freezes.

If I issue the show xlate command, in fact, the translations of this connection disappear.

This problem doesn't appear with quick connections (e.g. HTTP requests, brief POP/SMTP sessions, etc.).

If I disable the VPN tunnel by issuing "no vpnclient enable", there are no problems with FTP connections either.

Any ideas?

Thanks a lot.

4 Replies

a-vazquez
Level 6

Do you get any error message when the connection is being dropped?

I must try to increase the debug level, but at first sight it seems there are no errors.

Thanks.

d-garnett
Level 3

This may be a "shot in the dark", but I'd look into fragmentation issues, MTU issues, and/or Ethernet collisions (and CRC errors).

I'd run a sniffer and see how many packet re-transmissions (if any) are occurring during a heavy file transfer.

Updates:

Attached here, a debug I've made this morning.

The customer tried to download the file "test.zip" via an FTP session from the external server 130.82.27.195.

The external server is reachable, but not via the VPN tunnel.

The customer did the tests from the machine 10.0.1.137 (inside the LAN).

The IP class 172.26.1.0/24 is between the PIX and the router.

As you can see, a few seconds after the customer initiates the FTP session, the VPN tunnel is dropped without reason.

Moreover, the dynamic TCP translations of the FTP sessions are dropped and the following TCP requests are dropped.
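The following is an added example, not configuration from the thread or from Cisco: it puts the original poster's vpnclient lines next to the PIX 6.3 settings and show/debug commands a practitioner would use to establish whether the tunnel is torn down first (which clears the xlates) or whether the translations expire on their own, and it covers the MTU/fragmentation theory raised in the second reply. The concentrator address and passwords are placeholders; PIX 6.3 syntax is assumed, and the explicit NAT-T line is an assumption about what the deployment needs, since the thread only says UDP 4500 was opened on the concentrator.

```cisco
! Added example, not from the thread. Assumes PIX 6.3 Easy VPN Remote (vpnclient).
! Placeholders: <concentrator-public-ip>, <group-password>, <user-password>.

! Easy VPN Remote configuration, as posted in the original question
vpnclient server <concentrator-public-ip>
vpnclient mode network-extension-mode
vpnclient vpngroup lan2lan password <group-password>
vpnclient username lan2lanuser password <user-password>
vpnclient enable

! Assumption: NAT-T with a 20 s keepalive, because the upstream router
! forwards no ports and the tunnel must survive the router's NAT bindings
isakmp nat-traversal 20

! Clamp the TCP MSS so ESP-in-UDP encapsulation does not push segments past
! the link MTU (1380 is the PIX 6.3 default; shown explicitly for the MTU check)
sysopt connection tcpmss 1380

! Baseline before the long FTP transfer starts, then repeat once it freezes:
! if the ISAKMP/IPsec SAs are gone, the tunnel dropped and took the xlates with it;
! if the SAs are still up but the xlate is gone, look at the xlate/conn timeouts.
show vpnclient
show crypto isakmp sa
show crypto ipsec sa
show xlate
show conn
show timeout

! Only if the SAs disappear: trace the negotiation to see who tears the tunnel down
debug crypto isakmp
debug crypto ipsec
```

Run the show commands on the PIX console while the inside host keeps the FTP transfer going; the pair of snapshots (before and after the freeze) is what separates a tunnel drop from a translation timeout, and the debugs are only worth enabling once the snapshots show the security associations vanishing.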