Re: How does the VPN on PIX allocate Ip addresses from the pool?

rroe · ‎11-08-2004

I have an operational vpn with a small number of users And a small number of ip addresses - I am wondering if I have enough ip addresses in the pool. Sometimes (rarely) a user gets knocked out with an error of IP CONFLICT.

The question is - what does the pix do if it runs out of addresses in the pool ? Does it start over?

or does the user get an error that they cannot connect?

Anyone have any idea?

sachinraja · ‎11-08-2004

The PIX dynamically allocates IP addresses from the pool configured. Make sure this IP pool does not overlap with any other Ip address used in the LAN. If this IP pool is the same as in the DHCP in your local LAN, when the user connects via VPN, the local user might get knocked off from the network.

So its always advisible to have a unique IP pool, which does not overlap with the local LAN pool.

Incase, the pool that you have used in the PIX is full, the user will not get connected. The PIX will have an error on the debug as shown,

PIX-4-404101: ISAKMP: Failed to allocate address for client from pool poolname

You have to make sure you have enough IP addresses on the pool to accomodate the users. The users cannot connect in this case.

Hope this helps.

All the best !!

rroe · ‎11-09-2004

Thanks for your response - that is what I thought should happen - but have not seen the deny. There are no overlaps in the network addresses however since the network uses 192.168 and so does the remote linksys router - I changed the mask on the router to make them on different networks. Hopefully this intermittent problem will go away - wish I could change the linksys router to a 10. number.

sachinraja · ‎11-09-2004

Yes .. changing to a different number is the best thing to do.. make it 10.x.. make sure this network does not overlap with any other networks !!! please mark the query as a solved one, so that it will be helpful to others while searching. rate replies if found useful !!

All the best !!