01-13-2005 09:10 AM - edited 02-21-2020 01:32 PM
Hi,
I have a PIX 515e that has VPN tunnels that connect to 4 other sites. 1 site has 4 users that run MS Terminal Services to our TS server. 2 of the other sites run a "kermit 95" emulation to a unix box. Each of those sites complain that the application hangs up and they lose their connection. The site with the MS TS app doesn't. All three sites are basically configured the same. How do I tell if the tunnel is dropping or if it is something else? When I run the sh crypto isakmp sa I see the following:
Total : 4
Embryonic : 0
dst src state pending created
pix site1 QM_IDLE 0 16
pix site2 QM_IDLE 0 0
site3 pix QM_IDLE 0 1
site4 pix QM_IDLE 0 32
You'll notice that the number under the "created" heading increases throughout the day for site1 and site4, the 2 troubled sites. Is this related, or even a concern?
I can turn debugging on, but have no idea what to look for.
01-13-2005 12:05 PM
Run the sh isakmp sa detail command - this will give you the lifetime of the phase 1 sa. It could be that those sites that have connection drops use a very low phase 1 sa timeout, relative to the phase 2 sa lifetime. You not only need to check the lifetimes on your end, but the other end as well.
Are you running a pix in a FO configuration, or are there multiple peers on the other end? Coding the isakmp keepalive on both ends will allow for peer gw loss.
Let me know what the current phase1 and phase2 lifetime values are on both ends for the sites 1 and 4.
The debug crypto isakmp and debug crypto ipsec commands are useful troubleshooting tools - to start just run the isakmp debug as this will look at phase 1 only and not clog the log but still give enough info to start troubleshooting. What to look for are messages that indicate a renegotiation of IKE - you will see messages comparing what was sent to your pix to the defined ike policies and what was matched (and what was not). If keepalives are coded, you will see messages relating to that, and you will see ike sa deletion messages too.
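As an added example (not from either poster), here is a small Python script that does the check the two posts describe by hand: it parses two snapshots of the sh crypto isakmp sa output, reports the peers whose "created" counter grew between them, and flags a phase 1 lifetime that is shorter than the phase 2 lifetime. The snapshots are constructed to mirror the post's layout, the local gateway name "pix" and the lifetime values are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample snapshots of "sh crypto isakmp sa" taken a few hours apart
# (not real output from the poster's PIX; the column layout mirrors the post).
SNAPSHOT_MORNING = """\
Total     : 4
Embryonic : 0
        dst               src        state     pending     created
       pix             site1       QM_IDLE         0          16
       pix             site2       QM_IDLE         0           0
     site3               pix       QM_IDLE         0           1
     site4               pix       QM_IDLE         0          32
"""

SNAPSHOT_AFTERNOON = """\
Total     : 4
Embryonic : 0
        dst               src        state     pending     created
       pix             site1       QM_IDLE         0          23
       pix             site2       QM_IDLE         0           0
     site3               pix       QM_IDLE         0           1
     site4               pix       QM_IDLE         0          41
"""

# One SA row: dst src state pending created (header and Total lines do not match)
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")

def parse_isakmp_sa(text: str, local: str = "pix") -> Dict[str, Tuple[str, int, int]]:
    """Map each remote peer to (state, pending, created). The local gateway shows
    up as dst or src depending on which side initiated, so the peer is the other one."""
    peers = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        dst, src, state, pending, created = m.groups()
        peer = src if dst == local else dst
        peers[peer] = (state, int(pending), int(created))
    return peers

def churned_peers(before: str, after: str) -> List[Tuple[str, int]]:
    """Peers whose 'created' counter (IPsec SAs set up under the IKE SA) grew
    between the snapshots: their tunnels were torn down and rebuilt in between."""
    a, b = parse_isakmp_sa(before), parse_isakmp_sa(after)
    return sorted((p, b[p][2] - a[p][2]) for p in a if p in b and b[p][2] > a[p][2])

def lifetime_mismatch(phase1_sec: int, phase2_sec: int) -> bool:
    """True when the phase 1 (IKE) lifetime is shorter than the phase 2 (IPsec)
    lifetime, the relationship the reply says to check on both ends."""
    return phase1_sec < phase2_sec

if __name__ == "__main__":
    for peer, delta in churned_peers(SNAPSHOT_MORNING, SNAPSHOT_AFTERNOON):
        print(f"{peer}: {delta} new IPsec SAs since the last snapshot - check lifetimes/keepalives")
    print("lifetimes ok" if not lifetime_mismatch(86400, 28800) else "phase 1 lifetime is too short")
```

Collect the snapshots with a cron job or copy them from the console a few hours apart; site2 and site3 stay quiet while the two troubled sites show the growth the original post noticed.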
01-14-2005 07:35 AM
Thanks for the reply. I'm not sure what you mean by "FO", but each of the tunnels has multiple clients (peers???) on the other side accessing the servers here at the home (pix) location. The pix location and site4 have keepalives set. The pix has "isakmp keepalive 120", and site4 has a Cisco 1711 router that has the same. Thought that maybe the keepalive would stop the clients from losing their session. There isn't a "no" version of the keepalive command, so if I want to stop it which command would I use?
01-14-2005 09:12 AM
FO means failover. That applies if you have two pix units operating with one acting as a standby that only becomes active if the other unit lost power or a network connection, or had the code crash.
I believe that your isakmp keepalive is set too high - as more than one keepalive interval has to be missed for the IPSec sa's to get established with the other peers. You may want to try setting the value to a lower limit such as 30 seconds.
If you want to disable keepalive I believe that the command should be this: no crypto isakmp keepalive (or no isakmp keepalive). This is a global setting.
If none of this seems to help, then you can run the debug crypto isakmp and debug crypto ipsec commands to diagnose the problem. You may want to run a network trace using Ethereal or the sniffer too at the user site.