Hi,
I've got a PIX 515e firewall on a branch site running version 7.2.4.7(LD), connecting via a VPN to an ASA at the HQ running 7.2.5 code. After several hours it is no longer possible to ping either the PIX or hosts behind it on the branch LAN, though the tunnel still shows as being up. In order to bring the link back up, the local PIX has to be rebooted.
The connection used to work with no problems when I was running PIX version 7.2.1 software, but this had to be upgraded to 7.2.4 to support the new TCP normalization commands. VPN connections to other branch sites running PIX 7.2.1 remain active with no problems. The reason for the upgrade is to implement WAN acceleration between the sites; however, I still encounter this problem even when the WAN acceleration hosts are not installed.
In addition to the software upgrade I added the following configuration to both the ASA and the PIX:
tcp-map wanx_tcpmap
 synack-data allow
 invalid-ack allow
 seq-past-window allow
 tcp-options range 28 28 allow
 tcp-options range 26 26 allow
 no ttl-evasion-protection
 urgent-flag allow
class-map wanx-class
 match any
policy-map global_policy
 class wanx-class
  set connection random-sequence-number disable
  set connection advanced-options wanx_tcpmap
The ASA originally had this code but the PIX did not, and the VPN was stable; after upgrading the PIX and adding the code, the link was no longer stable.
Has anyone encountered this type of issue before?
Thanks
Steve
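As an added example (not from the original post and not Cisco's documentation), here is the same policy scoped to the WAN accelerator pair instead of `match any`, so the relaxed normalization and disabled sequence-number randomization apply only to accelerator-to-accelerator TCP flows rather than to every connection through the firewall. The ACL name and the host addresses are assumed placeholders, and scoping the class by itself is not established by the post to resolve the tunnel drop described above.

```cisco
! Assumed placeholder addresses for the two WAN accelerator appliances
! (branch side 10.1.1.10, HQ side 10.2.2.10); replace with the real hosts.
access-list wanx_hosts extended permit tcp host 10.1.1.10 host 10.2.2.10
access-list wanx_hosts extended permit tcp host 10.2.2.10 host 10.1.1.10
!
! Same tcp-map as in the post: relaxes the normalizer only where the
! accelerators need it (out-of-window data, custom TCP options 26 and 28).
tcp-map wanx_tcpmap
 synack-data allow
 invalid-ack allow
 seq-past-window allow
 tcp-options range 28 28 allow
 tcp-options range 26 26 allow
 no ttl-evasion-protection
 urgent-flag allow
!
! Match on the ACL instead of "match any": every other flow keeps the
! default normalizer checks and randomized initial sequence numbers.
class-map wanx-class
 match access-list wanx_hosts
!
policy-map global_policy
 class wanx-class
  set connection random-sequence-number disable
  set connection advanced-options wanx_tcpmap
!
! Verification after applying on both PIX and ASA:
!   show service-policy global_policy   - confirms the class and its hit counts
!   show asp drop                       - shows whether the normalizer is
!                                         dropping packets on other flows
!   show crypto ipsec sa                - encrypt/decrypt counters for the tunnel
```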