01-28-2006 07:16 AM - edited 02-21-2020 02:13 PM
Site to Site IPSEC VPN Drops intermittently
I'm currently having a problem with a Site to Site VPN not passing traffic intermittently. When the problem occurs I cannot ping from the remote site to the HQ site, but I can resolve the problem by pinging from the HQ to the remote site. My network is currently set up as follows:
-------HQ------
Pix 515 Version 7.0(4) with 4 port Ethernet card.
Outside interface connected to DSL Broadband link.
Outside2 Interface connected to Second DSL Broadband link
-------Remote--------
I have 4 remote sites. 2 sites connect to each broadband connection at the HQ to spread the load at the HQ.
Pix 501 version 6.3(5)
####### The Problem #######
All VPNs successfully establish to the HQ Pix.
Intermittently a remote site will report that they cannot connect to any servers/services in the HQ. When I do a show ipsec crypto sa and show crypto isakmp sa at the HQ there are no entries for the remote site. However, when I do the same on the remote site there is an entry for the HQ. With debugging on the remote site pix I try to ping from a PC to the HQ server and I get the following (see below). If I do a 'clear crypto ipsec Isakmp sa' and 'clear crypto ipsec sa' on the remote site pix I can then successfully ping all servers in the HQ.
This problem seems to have only occurred when I upgraded the pix from a 501 to 515 and added another 2 remote sites and a second broadband connection as described above. I am worried that this is a problem with the Pix version 7 software. Any advice would be greatly appreciated.
Carrick-PIX01(config)# logging console 7
Carrick-PIX01(config)# ter mon
Carrick-PIX01(config)# exit
Carrick-PIX01# debug crypto ipsec
Carrick-PIX01# debug crypto isakmp
Carrick-PIX01#
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
Carrick-PIX01#
Carrick-PIX01#
ISAKMP (0): retransmitting phase 1 (3)...
Carrick-PIX01#
Carrick-PIX01#
ISAKMP (0): retransmitting phase 1 (4)...IPSEC(key_engine): request timer fired: count = 1,
(identity) local= IP-EXTERNAL, remote= 86.43.74.16,
local_proxy= LAN-OFFICE/255.255.255.0/0/0 (type=4),
remote_proxy= 194.x.x.x.x.255.0/0/0 (type=4)
ISAKMP (0): deleting SA: src IP-EXTERNAL, dst 86.43.74.16
ISADB: reaper checking SA 0x10c167c, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 86.43.74.16/500 not found - peers:1
ISADB: reaper checking SA 0x10ca914, conn_id = 0
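The debug above shows the one-sided SA condition the poster describes: the remote Pix starts Main Mode, retransmits phase 1 five times with no answer from the HQ, and its reaper then deletes the SA that only it still held. The following is an added example (not code from the thread or from Cisco) that parses lines of this debug format and flags, per peer, the pattern of unanswered phase-1 retransmits followed by SA deletion. The sample input is constructed here: it reuses the thread's lines and adds one identity line for a healthy second peer at the placeholder address 192.0.2.1 for contrast; the retransmit threshold and verdict names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: one healthy peer (placeholder address 192.0.2.1) followed by
# the debug lines from the thread for the failing peer.
SAMPLE_DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
(identity) local= IP-EXTERNAL, remote= 192.0.2.1,
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...IPSEC(key_engine): request timer fired: count = 1,
(identity) local= IP-EXTERNAL, remote= 86.43.74.16,
local_proxy= LAN-OFFICE/255.255.255.0/0/0 (type=4),
remote_proxy= 194.x.x.x.x.255.0/0/0 (type=4)
ISAKMP (0): deleting SA: src IP-EXTERNAL, dst 86.43.74.16
ISADB: reaper checking SA 0x10c167c, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 86.43.74.16/500 not found - peers:1
ISADB: reaper checking SA 0x10ca914, conn_id = 0
"""

RETRANSMIT_RE = re.compile(r"retransmitting phase (\d) \((\d+)\)")
REMOTE_RE = re.compile(r"remote= (\d+\.\d+\.\d+\.\d+)")
DELETE_RE = re.compile(r"deleting SA: src (\S+), dst (\d+\.\d+\.\d+\.\d+)")
NOTFOUND_RE = re.compile(r"Peer Info for (\d+\.\d+\.\d+\.\d+)/\d+ not found")


@dataclass
class PeerState:
    phase1_retransmits: int = 0
    phase2_retransmits: int = 0
    sa_deleted: bool = False
    peer_info_missing: bool = False


def analyze(debug_text):
    """Return {peer_address: PeerState} built from ISAKMP/IPsec debug lines.

    Retransmit lines do not name the peer, so they are buffered and attributed
    to the next peer address that the debug prints (identity / deleting SA /
    Peer Info lines).
    """
    peers = {}
    pending = {1: 0, 2: 0}  # retransmits seen before a peer address was printed

    def state(addr):
        return peers.setdefault(addr, PeerState())

    for line in debug_text.splitlines():
        for phase, _seq in RETRANSMIT_RE.findall(line):
            pending[int(phase)] += 1
        addr = None
        if m := REMOTE_RE.search(line):
            addr = m.group(1)
        if m := DELETE_RE.search(line):
            addr = m.group(2)
            state(addr).sa_deleted = True
        if m := NOTFOUND_RE.search(line):
            addr = m.group(1)
            state(addr).peer_info_missing = True
        if addr is not None:
            st = state(addr)
            st.phase1_retransmits += pending[1]
            st.phase2_retransmits += pending[2]
            pending = {1: 0, 2: 0}
    return peers


def diagnose(st, threshold=3):
    """Map a PeerState to a verdict (names are this example's own)."""
    if st.phase1_retransmits >= threshold and st.sa_deleted:
        # Peer never answered Main Mode and we reaped our own SA: the
        # classic one-sided / stale SA symptom that keepalives (DPD) detect.
        return "PHASE1_UNANSWERED"
    if st.phase2_retransmits >= threshold:
        return "PHASE2_UNANSWERED"
    if st.peer_info_missing:
        return "NO_PEER_ENTRY"
    return "OK"


if __name__ == "__main__":
    for addr, st in analyze(SAMPLE_DEBUG).items():
        print(f"{addr}: {diagnose(st)} "
              f"(phase1 retransmits={st.phase1_retransmits}, sa_deleted={st.sa_deleted})")
```

Run against the thread's lines, the failing peer is reported as PHASE1_UNANSWERED with five retransmits and a deleted SA, while the constructed healthy peer is OK. A PHASE1_UNANSWERED verdict on the remote side, together with a missing entry in show crypto isakmp sa on the HQ, is exactly the case a keepalive/DPD timer is meant to clear automatically, which is the fix the thread converges on.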
01-29-2006 02:08 AM
Can you force the ISAKMP keepalive and IPSec SA idle time to some value on either side? That should solve the issue.
crypto isakmp keepalive 30
crypto ipsec security-association idletime 60
Let me know if this helps.
01-30-2006 03:30 AM
Thanks for the information.
However, I cannot find the command
crypto ipsec security-association idletime 60
on either the 7.0(4) or 6.3(5) versions of Pix.
01-30-2006 03:54 AM
See if this helps: crypto ipsec security-association lifetime. More info on this link:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a6.html#wp1026972
Guess idle life can be specified on routers only.
02-05-2006 11:44 PM
Out of curiosity, is your issue solved?
02-06-2006 12:40 AM
Hi,
Sorry for the delay in replying.
This seems to have resolved my problem. It has been a week since it last happened. The only command I used was
isakmp keepalive 10 2
on both the HQ site and the remote site. The only explanation I can think of is that there is some sort of bug in the version 7 software which was causing this problem. I never had this problem up until I replaced the HQ site's pix from a 506 to a 515 with version 7 software.