07-18-2006 03:37 AM
Hi Guys,
I am configuring a site-to-site VPN tunnel between the PIX firewall 506 & VPN Concentrator 3015 (lan-to-lan). The PIX is kept behind the DSL modem/router. Only the DSL modem has a public IP.
We don't have any IP; we have opened the ports:
UDP 500
UDP 4500
TCP 10000
ESP (protocol 50)
Here the beauty is the tunnel is established: I am able to ping the host behind the PIX firewall from the VPN Concentrator, but from the PIX network we can't.
In the firewall I am getting QM_IDLE state.
In the Concentrator I am able to see the session and it is transmitting and receiving bytes.
The session is up for 30 mins, after that it got disconnected.
I have done everything but no data traffic from the PIX firewall.
-----------
I think for a lan-to-lan tunnel I have to assign a dedicated public IP for the PIX outside interface??
Or is it possible to establish a VPN tunnel without any public IP.....
---------
The router is not doing any NATting.
But the PIX outside interface is on a private IP.
The Concentrator's outside is on a public IP.
Thanks
Krish
07-18-2006 11:00 AM
Hi Krish,
If your tunnel is on the internet, yes, both peers must have a public IP (PIX outside interface included).
Mike
07-18-2006 07:32 PM
hi Mike,
I agree with you, but I am able to ping the PC behind the PIX from the VPN Concentrator.
From the PC which is kept behind the PIX firewall I am able to ping the Concentrator's internal interface.
In the Concentrator session status it shows the tunnel is up and it is sending and receiving bytes.
07-19-2006 05:13 AM
mmmmh! interesting...
Could you post your PIX config (removing sensitive information)? Also a diagram would help my comprehension.
Is it possible there is an overlapping subnet behind both peers?
Mike
07-20-2006 06:52 AM
Hi Mike,
Thank you for your reply. Now the tunnel seems to be working, but it was getting disconnected every 30 min; then I rebooted the PIX and it started working. This same thing happened 4 times.
After I enabled 'isakmp keepalive 10 2' it started working, but in between it gets disconnected, but within 3 to 4 sec the tunnel is up (but this time the tunnel disconnected after 90 min if there is no data traffic; when I start pinging it comes up).
VPNBOX <------------> Router <-----------> Pix <-> Local N/W
(Public IP)     (Public IP / Private IP)   (Private IP)  (Private IP)
This is the scenario I have. As I told you, the router is a DSL modem/router/firewall; it is a Billion one.
The router is forwarding traffic.
For terminating the tunnel I have given the public IP of the router in the VPN box.
My problem is I want to make the tunnel up always.
Any idea?
07-20-2006 07:04 AM
Mike, no overlapping subnets.
I have changed the IP address.
And one more piece of information: now I noticed that in the Concentrator session status it shows the tunnel was disconnected for a moment (after 1 hour; at the same time I had a Remote Desktop session with the PC behind the PIX firewall and the session was fine!!!!)
I am sitting behind the Concentrator!!!
07-20-2006 10:49 AM
Hi Krish, hope you are doing well.
As you've explained, things are going slightly better, right?
What do you get on the PIX when you do a "show isakmp sa" and a "show ipsec sa"?
07-20-2006 10:51 PM
hi Mike,
Now the status is improved. Now the tunnel has been up for the last 14 hrs.
In sh isakmp sa I am getting QM_IDLE.
In sh ipsec sa no errors, it's encrypting and decrypting.
And one more question:
do I need to increase the threshold value of the isakmp keepalive command??
Because I have mentioned
isakmp keepalive 10 2
so this command allows the tunnel to become idle for a maximum of 10 sec,
so I think I have to increase this value to 3600 sec.
Any idea?
The firmware is 6.3(1)!!! Is there any problem with this version?
Mike, thank you very much for your help.
Thanks
Krishna
07-21-2006 05:42 AM
Hi Krish, I've seen you have made some fine-tuning to improve tunnel scalability..
isakmp keepalive 10 2 just sends a pulse to the remote peer every 10 seconds w/ a retry interval of 2 secs.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312
You may adjust these values to a max of 3600/10. Since the parameters 10/2 seem to be working fine I'd personally avoid changing this. It's up to you.
Personally I'd go with the latest firmware available on cisco.com. 6.3(5) has been available for a while and has much more stable code than an earlier release such as 6.3(1). But this might not be your case.
BTW, 6.3(1) code is no longer available on cisco.com. Experience has told me to avoid all released code ending with x.x(1).
Cisco has made a great amount of improvement with the 7.x versions. Features from VPN-3000 code have been added to PIX 7.x code. This might also be a good option for an upgrade; also check for compatibility w/ your present PIX.
Mike
07-22-2006 12:29 AM
Hi Mike,
Once again thank you very much for your reply.
Actually I am configuring the PIX from the remote end.
We are configuring the PIX for a very small number of people, like 2-3. After I spoke to the user I found that he was disconnecting his PC from the PIX by removing the cable, then the PIX got hung. Once he rebooted the PIX it started working fine. It seems like a bug in 6.3.1.
---------------------------
Recently we got a message from the user that the tunnel is up, but he was not able to connect to any high-end applications. Mike, any idea.....
My PIX is a 506, so I can go up to 6.3.5...??
Can you send me details like how to upgrade the firmware in the PIX?? (how to take the backup of the configuration file)
Thanks
Krish
07-24-2006 05:13 AM
Hello Krish,
For the user who is able to connect but cannot get into the network, are you able to enable this function: isakmp nat-traversal 20
In order to perform an upgrade, everything is explained under these URLs:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/overvw.htm#wp1052724
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/upgrade.htm#
HTH
Mike
07-24-2006 08:39 AM
Hi mike,
Now some new problems arise: the user can access all the networks but he can't access any one network which is mentioned in the interesting traffic.
So I rebooted the PIX and everything is OK for 15 min; after that the same problem happens.
Today I upgraded to 6.3.5, no improvement.
My PIX is a 506 with restricted license.
Ex:
if the interesting traffic is like
access-list 100 permit ip 10.1.1.0 255.255.255.0 11.1.1.0 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 12.1.1.0 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 13.1.1.0 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 14.1.1.0 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 15.1.1.0 255.255.255.0
the user has access to 5 different networks,
but he can access all networks initially (once the PIX is rebooted),
but after 15 min he can't access any one of the networks, whether 14.1.1.0 or 15.1.1.0.
If 14.1.1.0 is OK, 15.1.1.0 is not accessible,
and vice versa.
There is no routing issue;
I am able to access all the networks from the Concentrator.
If 15.1.1.0 is not accessible and I do a traceroute
I get a reply like:
traceroute 15.1.1.54
* * * request timed out
* * * request timed out
* * * request timed out
200ms 138ms 140ms 202.56.15.2
252ms 134ms 243ms 15.1.1.54(kaveri.future.com)
I am getting like this.
Any idea, Mike? Thanks for your help.
Please reply soon.
thanks
krish
07-25-2006 05:16 AM
Hi Krish, sorry for my late response.
Did you ensure all SAs are matching between VPN peers?
07-25-2006 07:29 AM
Yes Mike, I am sure that the SAs are matching at both ends. For isakmp the lifetime is 86400,
for ipsec 28800.
These are the default values I think; if the SAs are not matching then the tunnel will not come up.
In my case I have 5 different subnets; out of those we can access 3 networks at any time. The only problem is with the two networks: if one is accessible the other one is not accessible, and vice versa.
My configuration looks like this:
isakmp enable outside
isakmp keepalive 10 2
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp key ***** address 10.1.1.1 netmask 255.255.255.255
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address 100
crypto map VPN 10 set peer 10.1.1.2
crypto map VPN 10 set transform-set myset
crypto map VPN interface outside
In the Concentrator I haven't made any changes for isakmp
and ipsec (default values); some other tunnels are already configured and they are working.
-------------------
I am planning to change the configuration on the Concentrator:
if the PIX is getting its IP from DHCP,
in that case we have to treat the PIX as a remote VPN client;
in the Concentrator Base Group option I have to configure that!!!
My question is, if I configure it on the Base Group does it affect my other remote VPN tunnels?
(Because in the Concentrator a lot of users are connected; they are configured in groups.)
Mike, my email ID is gopikrish83@hotmail.com
Thanks for your help
krish
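An added sanity check over the configuration posted above (example code written for this thread, not from Cisco or either poster): it parses the crypto stanza, checks the isakmp keepalive values against the 3600/10 ceiling Mike cites, confirms the pre-shared key is bound to the same address the crypto map peers with, counts the crypto-ACL entries (each of which negotiates its own IPsec SA pair on PIX 6.3), and flags a missing isakmp nat-traversal, which Mike suggested for a peer behind NAT. The 10.1.1.x addresses are the poster's sanitized values, so the key/peer mismatch it reports may be an artifact of the sanitizing; the retry default of 2 when omitted is an assumption.

```python
import re
from typing import Dict, List
# Constructed sample: the PIX 6.3 crypto stanza as posted in the thread; the poster
# altered the addresses before posting, so the 10.1.1.x values are placeholders.
PIX_CONFIG = """\
access-list 100 permit ip 10.1.1.0 255.255.255.0 11.1.1.0 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 12.1.1.0 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 13.1.1.0 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 14.1.1.0 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 15.1.1.0 255.255.255.0
isakmp keepalive 10 2
isakmp key ***** address 10.1.1.1 netmask 255.255.255.255
crypto map VPN 10 match address 100
crypto map VPN 10 set peer 10.1.1.2
"""

KEEPALIVE_RANGE = (10, 3600)  # seconds; 3600 is the ceiling Mike cites
RETRY_RANGE = (2, 10)         # retry seconds; 2 assumed as the default when omitted

def lint_pix_crypto(config: str) -> Dict[str, object]:
    """Return the crypto-ACL entry count and a list of consistency warnings."""
    warnings: List[str] = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # Dead-peer detection: 'isakmp keepalive <seconds> [<retry-seconds>]'.
    ka = next((re.match(r"isakmp keepalive (\d+)(?: (\d+))?$", ln)
               for ln in lines if ln.startswith("isakmp keepalive")), None)
    if ka is None:
        warnings.append("no isakmp keepalive: a dead peer is only noticed at SA expiry")
    else:
        secs, retry = int(ka.group(1)), int(ka.group(2) or RETRY_RANGE[0])
        for name, val, (lo, hi) in (("interval", secs, KEEPALIVE_RANGE),
                                    ("retry", retry, RETRY_RANGE)):
            if not lo <= val <= hi:
                warnings.append(f"keepalive {name} {val}s outside {lo}-{hi}")

    # The pre-shared key must be bound to the address the crypto map peers with.
    key_addrs = set(re.findall(r"^isakmp key \S+ address (\S+)", config, re.M))
    peers = set(re.findall(r"^crypto map \S+ \d+ set peer (\S+)", config, re.M))
    for peer in sorted(peers - key_addrs):
        warnings.append(f"peer {peer} has no matching 'isakmp key ... address' entry")

    # Each crypto-ACL entry negotiates its own IPsec SA pair when traffic first hits it.
    acl_ids = set(re.findall(r"^crypto map \S+ \d+ match address (\S+)", config, re.M))
    aces = [ln for ln in lines if any(ln.startswith(f"access-list {a} ") for a in acl_ids)]

    # A peer whose outside interface is NATed (as here) needs NAT-T on UDP/4500.
    if not any(ln.startswith("isakmp nat-traversal") for ln in lines):
        warnings.append("isakmp nat-traversal not enabled; needed when a peer is behind NAT")
    return {"acl_entries": len(aces), "warnings": warnings}
```

Running it on the posted stanza reports five ACL entries (five SA pairs to expect in `show ipsec sa`), the key/peer address mismatch, and the absent nat-traversal line.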
07-27-2006 12:51 AM
The situation is that we have the tunnel up; this is always so. We also have communication to the 129.191 subnet, and this is always available, it is always active. What does happen is that we lose communication to the 129.80 and 10.15.14 subnets, sometimes one and sometimes both. But we never lose communication to 129.191.
So the tunnel is up, and data is being transferred; however, there seems to be a limited number of subnets to which data can be transferred without dropping connectivity to another subnet.
Today we tried a continuous ping to 129.80 and 10.15.14, as well as continuous connectivity to the 129.191 subnet. When we opened connectivity to another subnet (129.155), 10.15.14 failed and was restored, but 129.155 failed. Later 129.151 was connected, but 10.15.14 failed continuously.
So it would seem that only 3 subnets are reachable at any time.
Is this explainable?