trouble with an Easy VPN site connecting windows traffic back to head end

emil.hlucky
Level 1

To all Cisco gurus:

We have Easy VPN office connections back to our corporate site. At corporate, we have a Cisco PIX 515 firewall and all the sites have Cisco 501s. All sites work OK except for one. Nearly every day they have to reset the 501 in order to have ALL users connect to the Windows domain. The strange thing is some users on their segment can connect, and some can't. This happens nearly every day and with different users each time.

Once they reboot the PIX, all users can connect and we (in corp) can RealVNC into their stations.

We have tried everything, including replacing the PIX with another one and changing the fixup protocol dns maximum-length to 2048, but still nothing.

Here is the config of the remote PIX:

Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)
Compiled on Fri 02-Jul-04 00:07 by morlee

Here is our DNS/WINS config:

dhcpd dns 192.168.0.254 192.168.0.250 (back 2 corporate)
dhcpd wins 192.168.0.254 192.168.0.250 (back 2 corporate)
dhcpd lease 2600
dhcpd ping_timeout 750

Here are our fixup protocols:

fixup protocol dns maximum-length 2048
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

Now I am by no stretch a Cisco guru ... we basically Forrest Gumped our way through this setup. So any help would be appreciated.

Thanks,

Emil

1 Reply

guibarati
Level 4

You could try the

no sysopt proxy-arp {interface} (probably the inside)

Sometimes, depending on your network configuration, the PIX can be responding to the ARP requests of the stations with its own MAC address for the Active Directory's IP address. I don't know if the command is exactly this one, but the point is, disable the proxy ARP function on the inside interface.

This is if the AD server is at the same site as the users.

Otherwise, if the AD server is at the headquarters, you could check the number of licenses on the PIX; maybe you have a 10-user license and are trying to connect more people.
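The two things the reply asks the poster to look at (proxy ARP on the inside interface and the inside-host license limit), plus the DNS/WINS settings from the original post, can be checked mechanically from the running config. The script below is an added example written for this thread, not code from either poster or from Cisco. It parses PIX 6.3-style config lines and reports the settings that matter here. The `dhcpd dns`, `dhcpd wins`, `dhcpd lease` and `fixup protocol dns` lines are the ones from the post; the `nameif`, `ip address` and `dhcpd address` lines, the 192.168.5.0/24 addressing and the 10-host license value used for the pool check are assumptions so the checks have input. The PIX 6.3 form of the proxy ARP command is `sysopt noproxyarp <interface>`, which is what the parser looks for.

```python
"""Added example: parse a PIX 6.3-style configuration and report the settings
the thread discusses (DHCP-served DNS/WINS, the DNS fixup length, proxy ARP on
the inside interface, and DHCP pool size versus the inside-host license)."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample config. The dhcpd dns/wins/lease/ping_timeout and fixup
# lines are from the post; the nameif, ip address and dhcpd address lines use
# hypothetical addressing so the checks have something to work on.
SAMPLE_CONFIG = """\
nameif ethernet1 inside security100
ip address inside 192.168.5.1 255.255.255.0
dhcpd address 192.168.5.10-192.168.5.40 inside
dhcpd dns 192.168.0.254 192.168.0.250
dhcpd wins 192.168.0.254 192.168.0.250
dhcpd lease 2600
dhcpd ping_timeout 750
fixup protocol dns maximum-length 2048
fixup protocol ftp 21
fixup protocol http 80
"""


def parse_pix_config(text: str) -> Dict:
    """Extract the handful of settings relevant to the thread from config text."""
    facts = {
        "interfaces": {},        # interface name -> ipaddress.IPv4Interface
        "dhcpd_pools": {},       # interface name -> number of pool addresses
        "dhcpd_dns": [],
        "dhcpd_wins": [],
        "dns_fixup_max_len": None,
        "noproxyarp": set(),     # interfaces named in 'sysopt noproxyarp <if>'
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":")):
            continue
        t = line.split()
        if t[:2] == ["ip", "address"] and len(t) >= 5:
            # 'ip address <if> <addr> <mask>'; ipaddress accepts the dotted mask form
            facts["interfaces"][t[2]] = ipaddress.IPv4Interface(f"{t[3]}/{t[4]}")
        elif t[:2] == ["dhcpd", "address"] and len(t) >= 4:
            # 'dhcpd address <low>-<high> <if>': count the addresses in the pool
            low, high = t[2].split("-")
            size = int(ipaddress.IPv4Address(high)) - int(ipaddress.IPv4Address(low)) + 1
            facts["dhcpd_pools"][t[3]] = size
        elif t[:2] == ["dhcpd", "dns"]:
            facts["dhcpd_dns"] = t[2:]
        elif t[:2] == ["dhcpd", "wins"]:
            facts["dhcpd_wins"] = t[2:]
        elif t[:3] == ["fixup", "protocol", "dns"]:
            m = re.search(r"maximum-length\s+(\d+)", line)
            facts["dns_fixup_max_len"] = int(m.group(1)) if m else 512  # 512 is the 6.3 default
        elif t[:2] == ["sysopt", "noproxyarp"] and len(t) == 3:
            facts["noproxyarp"].add(t[2])
    return facts


def check_config(facts: Dict, license_hosts: int = 10, inside: str = "inside") -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    pool = facts["dhcpd_pools"].get(inside, 0)
    if pool > license_hosts:
        findings.append(
            f"dhcpd pool on {inside} offers {pool} addresses but the license allows "
            f"{license_hosts} concurrent inside hosts; hosts beyond the limit are "
            f"refused until older entries time out, which looks like random users failing")
    if inside not in facts["noproxyarp"]:
        findings.append(
            f"proxy ARP is still enabled on {inside}; 'sysopt noproxyarp {inside}' "
            f"stops the firewall answering ARP for addresses on that segment")
    net = facts["interfaces"].get(inside)
    if net is not None:
        remote = [s for s in facts["dhcpd_dns"] + facts["dhcpd_wins"]
                  if ipaddress.IPv4Address(s) not in net.network]
        if remote:
            findings.append(
                f"DNS/WINS servers {sorted(set(remote))} are not on the {inside} subnet, "
                f"so name resolution and domain logon depend on the VPN tunnel being up")
    if facts["dns_fixup_max_len"] is not None and facts["dns_fixup_max_len"] > 512:
        findings.append(
            f"DNS fixup maximum-length is {facts['dns_fixup_max_len']} (6.3 default 512); "
            f"this only governs UDP/53 replies and does not touch NetBIOS or Kerberos")
    return findings


if __name__ == "__main__":
    for finding in check_config(parse_pix_config(SAMPLE_CONFIG)):
        print("-", finding)
```

Run against a real `write terminal` dump, the pool-versus-license finding is the one that best matches the symptom in the post: a fixed number of users works, different users fail each day, and a reboot clears the host table so everyone gets in again until the limit is hit.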