Re: pix 525 7.0 ipsec tunnels problem

dragec · ‎07-24-2005

I have problems with ipsec tunnels on pix 525 7.0. For some time everything is ok and then tunnels a messed up. when I go to monitor and then VPN and then look list of lan to lan tunnels, I can see that rx bytes is incrementing as remote location is sending data but tx is zero. Only firewall restart helps. Any ideas? I'v tried everything, changeing from dynamic map to static, I've tried with upgrades, now I am on 7.0(2). Here is the part of config, I am using 3600 sec timeouts on peer side

dragec · ‎07-24-2005

mybe I have a clue. On int where I receive VPN connections, ther is an access-list. I've permitted all traffic from ipsec peers. In case of problems, there is a message that UDP 500 from peer ip to pix int ip UDP 500 is denied. After restart and tunnels reestablishment, there is no such message. Looks like PIX access-list stops working!!!!

dragec · ‎07-25-2005

it happened again, look at this

Built inbound UDP connection 14580 for intf2_vip:x.x.250.13/500 (x.x.250.13/500) to inside:x.x.254.5/500 (x.x.254.5/500)

UDP access denied by ACL from x.x.250.13/500 to inside:x.x.254.5/500

firs message seems ok, but then it starts. Is it possible that I hit some kind og limit of UDP connections?

dragec · ‎07-26-2005

another thing I've noticed in logs is

%PIX-3-313001: Denied ICMP type=11, code=0 from x.x.x.6 on interface

inside

x.x.x.6 is router through wich ipsec peers are connected to fw