PIX VPN to ASA failing after several hours following upgrade
I've got a PIX 515e firewall on a branch site running version 22.214.171.124(LD) connecting via a VPN to an ASA at the HQ with 7.2.5 code running. After several hours it is no longer possible to ping either the PIX or hosts behind it on the branch LAN though the tunnel still shows as being up. In order to bring the link back up the local PIX has to be rebooted.
The connection used to work with no problems when I was running PIX version 7.2.1 software, but this had to be upgraded to 7.2.4 to support the new TCP normalization commands. VPN connections to other branch sites running PIX 7.2.1 remain active with no problems. The reason for the upgrade is to implement WAN acceleration between the sites; however, I still encounter this problem even when the WAN acceleration hosts are not installed.
In addition to the software upgrade I added the following configuration to both the ASA and the PIX:
tcp-options range 28 28 allow
tcp-options range 26 26 allow
set connection random-sequence-number disable
set connection advanced-options wanx_tcpmap
The ASA originally had this code but the PIX did not, and the VPN was stable. After upgrading the PIX and adding the code, the link was no longer stable.
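For readers unfamiliar with where these fragments live in ASA/PIX 7.x configuration, the following is an added example (not the poster's configuration) showing the structure they belong to. The names wanx_class and wanx_acl, the ACL, and the use of global_policy are assumptions; the tcp-map name and the four statements are the ones quoted above. Scoping the class with an ACL that matches only the accelerated traffic, rather than class-default, keeps the relaxed normalization settings from applying to everything passing through the firewall, including traffic through the VPN.

```cisco
! Assumed: restrict the relaxed TCP normalization to the WAN-acceleration traffic only
access-list wanx_acl extended permit tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
!
! The tcp-map referenced by "set connection advanced-options wanx_tcpmap"
tcp-map wanx_tcpmap
 tcp-options range 28 28 allow
 tcp-options range 26 26 allow
!
! Assumed class name; the match condition is what limits the policy's scope
class-map wanx_class
 match access-list wanx_acl
!
! The two "set connection" statements belong under a class in the service policy
policy-map global_policy
 class wanx_class
  set connection random-sequence-number disable
  set connection advanced-options wanx_tcpmap
!
service-policy global_policy global
```

When troubleshooting, "show service-policy" on both ends confirms which class is actually matching the traffic, and "show crypto ipsec sa" shows whether encrypt/decrypt counters still move once the tunnel appears up but pings fail.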