cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
417
Views
0
Helpful
1
Replies
Highlighted
Beginner

PIX VPN to ASA failing after several hours following upgrade

HI,

I've got a PIX 515e firewall on a branch site running version 7.2.4.7(LD) connecting via a VPN to an ASA at the HQ with 7.2.5 code running. After several hours it is no longer possible to ping either the PIX or hosts behind it on the branch LAN though the tunnel still shows as being up.  In order to bring the link back up the local PIX has to be rebooted.

The connection used to work with no problems when I was running PIX version 7.2.1 software but this had to be upgraded to 7.2.4 to support the new TCP normalization commands. VPN connections to other branch sites running PIX 7.2.1 remain active with no problems. The reason for the upgrade is to implement WAN acceleration between the sites however I still encounter this problem even when the WAN acceleration hosts are not installed.


In addition to the software upgrade I added the following configuration to both the ASA and the PIX:

tcp-map wanx_tcpmap

synack-data allow

invalid-ack allow

seq-past-window allow

tcp-options range 28 28 allow

tcp-options range 26 26 allow

no ttl-evasion-protection

urgent-flag allow

class-map wanx-class

match any

policy-map global_policy

class wanx-class

set connection random-sequence-number disable

set connection advanced-options wanx_tcpmap

The ASA originally had this code but the PIX did not and the VPN was stable, after upgrading the PIX and adding the code the link was no longer stable.

Has anyone encountered this type of issue before?

Thanks
Steve

Everyone's tags (5)
1 REPLY 1
Highlighted
Rising star

Re: PIX VPN to ASA failing after several hours following upgrade

I would suggest you to have someone at remote office to console into the problem PIX and check its memory and CPU utilization?

After your reload the PIX, capture the a memory and cpu status? When the issue happens, capture it again.