Re: VPN connection keeps dropping

nukeguzzle · ‎02-13-2007

Hello,

I have a PIX 501 that is connecting to our main ASA 5510. The 5510 is the hub and the 501 is the spoke in our VPN setup. All other spokes in our network are working fine. One of our sites is having a problem. The PIX will load up, and work for just a few seconds, then will cease to connect. The PIX is still powered on and we are able to telnet in, show int on E0 lists up and up. We are not however able to SSH into the PIX, but we CAN ping the external interface. We tried reloading, which works for a few seconds, then fails. We also did a clear cry ipsec sa command and that does not fix it. We did some logging and it looks like it tries to build the VPN, then tears it down, then repeats the process over and over. We also removed and re-added the isakmp key to no avail. Any help is appreciated

Thanks.

Kamal Malhotra · ‎02-13-2007

Hi,

It will be difficult for anyone to suggest anything without looking at the config so I would appreciate if you send the config of both the devices so that we can look into it.

Kamal

nukeguzzle · ‎02-13-2007

PIX 501:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxx

hostname GreenbriarConst

domain-name comapny.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list acl_outside permit icmp any any echo

access-list acl_outside permit icmp any any echo-reply

access-list acl_outside permit icmp any any time-exceeded

access-list acl_outside permit icmp any any unreachable

access-list acl_outside permit icmp any any source-quench

access-list acl_outside permit udp any any eq isakmp

access-list acl_outside permit esp any any

access-list NONAT permit ip 192.168.51.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list NONAT permit ip 192.168.51.0 255.255.255.0 192.168.110.0 255.255.255.0

access-list 51 permit ip 192.168.51.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list 51 permit ip 192.168.51.0 255.255.255.0 192.168.110.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside "PIX 501 IP" 255.255.255.248

ip address inside 192.168.51.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group acl_outside in interface outside

route outside 0.0.0.0 0.0.0.0 "Default Gateway" 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set f!stone esp-des esp-md5-hmac

crypto ipsec transform-set FSH3des esp-3des esp-md5-hmac

crypto map client-map 51 ipsec-isakmp

crypto map client-map 51 match address 51

crypto map client-map 51 set peer ASA IP

crypto map client-map 51 set transform-set FSH3des

crypto map client-map client configuration address initiate

crypto map client-map client configuration address respond

crypto map client-map interface outside

isakmp enable outside

isakmp key ******** address ASA IP netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

isakmp policy 2 authentication pre-share

isakmp policy 2 encryption 3des

isakmp policy 2 hash md5

isakmp policy 2 group 2

isakmp policy 2 lifetime 86400

telnet 192.168.51.0 255.255.255.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd address 192.168.51.1-192.168.51.10 inside

dhcpd dns 192.168.100.249 192.168.100.227

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd domain company.com

dhcpd enable inside

terminal width 80

Cryptochecksum:xxx

nukeguzzle · ‎02-13-2007

ASA(Config is too long to fit here, I'll post the parts necessary. All other sites are not having this same problem):

access-list NONAT extended permit ip 192.168.100.0 255.255.255.0 192.168.51.0 255.255.255.0

access-list NONAT extended permit ip 192.168.110.0 255.255.255.0 192.168.51.0 255.255.255.0

access-list 51 extended permit ip 192.168.100.0 255.255.255.0 192.168.51.0 255.255.255.0

access-list 51 extended permit ip 192.168.110.0 255.255.255.0 192.168.51.0 255.255.255.0

crypto map client-map 51 match address 51

crypto map client-map 51 set peer "PIX 501 IP"

crypto map client-map 51 set transform-set FSH3des

tunnel-group "PIX 501 IP" type ipsec-l2l

tunnel-group "PIX 501 IP ipsec-attributes

pre-shared-key *

Before hiding my external IP's I confirmed they were correct in all places. And since it does work sometimes, that shouldn't matter

Thanks