Network Security Firewalls

Subject: RE: IPSec tunnel on Pix drops on a regular basis and I'm going nuts trying to find out why on a permanent basis...
Date: Mon, 16 May 2005 16:51:11 +0100
I couldn't pick it out of the config, so forgive me if it's in there, but
what OS versions are they running?

I had an issue a while ago where an older version of the OS didn't like
a VPN on a new firewall, with similar results. I believe the old firewall
was running 6.1.

-----Original Message-----
From: Mollemans, Bart [mailto:bart.mollemans@getronics.com] 
Sent: 11 May 2005 16:11
To: firewalls@securityfocus.com
Subject: IPSec tunnel on Pix drops on a regular basis and I'm going nuts trying to find out why on a permanent basis...

All,
 
I'm having issues with 2 nasty Pix devices (506E) and the tunnel between them.
A quick sketch of the situation:
We have over 30 remote sites, all with Pix devices set up in a similar way,
but these 2 keep causing issues; connectivity between the 2 drops on an
irregular basis, but very frequently, several times a day.
Both sites, we'll call them Site A and Site B, have a tunnel to Site C,
which never has an issue, and each has a third site, Site D and Site E,
which don't have an issue either... :(
When I check at the time the tunnel is causing issues there are 2
scenarios that appear:
 
1. The isakmp tunnel is up. When I ping from a device on the LAN of Site
A to a device on the LAN of Site B, the ICMP enters the tunnel and gets
decrypted on the other (Site B) side, the device at Site B replies, but
the reply never gets encrypted by Site B... reload pix, issue solved...
 
2. The isakmp tunnel is down. Debug info shows them negotiating, but for
a reason unknown to me the negotiation keeps timing out and all that
helps is a reload...
 
Whatever the scenario, the WAN connectivity to both pix' is OK for the
duration and the interfaces show no error stats...
 
I'm desperate... anyone have a clue, a hint, a vague suggestion on how to
proceed???
 
Below a little config excerpt of the pix' on both sites...
 
 
Site A pix:
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
crypto ipsec transform-set siteaset esp-des esp-sha-hmac 
crypto map siteamap 10 ipsec-isakmp
crypto map siteamap 10 match address SIteC
crypto map siteamap 10 set peer SiteB
crypto map siteamap 10 set transform-set siteaset
crypto map siteamap 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map siteamap 20 ipsec-isakmp
crypto map siteamap 20 match address SiteD
crypto map siteamap 20 set peer SiteC
crypto map siteamap 20 set transform-set siteaset
crypto map siteamap 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map siteamap 30 ipsec-isakmp
crypto map siteamap 30 match address SiteB
crypto map siteamap 30 set peer SiteD
crypto map siteamap 30 set transform-set siteaset
crypto map siteamap 30 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map siteamap interface outside
isakmp enable outside
isakmp key ******** address siteB netmask 255.255.255.255
isakmp key ******** address SiteC netmask 255.255.255.255 
isakmp key ******** address SiteD netmask 255.255.255.255 
isakmp identity address
isakmp keepalive 10
isakmp log 50000
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
 
 
Site B pix:
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
crypto ipsec transform-set sitebset esp-des esp-sha-hmac
crypto map sitebmap 10 ipsec-isakmp
crypto map sitebmap 10 match address SiteC
crypto map sitebmap 10 set peer 212.123.3.3
crypto map sitebmap 10 set transform-set sitebset
crypto map sitebmap 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map sitebmap 20 ipsec-isakmp
crypto map sitebmap 20 match address SiteE
crypto map sitebmap 20 set peer 218.189.223.37
crypto map sitebmap 20 set transform-set sitebset
crypto map sitebmap 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map sitebmap 30 ipsec-isakmp
crypto map sitebmap 30 match address SiteA
crypto map sitebmap 30 set peer 212.60.194.36
crypto map sitebmap 30 set transform-set sitebset
crypto map sitebmap 30 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map sitebmap interface outside
isakmp enable outside
isakmp key ******** address SiteA netmask 255.255.255.255 
isakmp key ******** address SiteC netmask 255.255.255.255 
isakmp key ******** address SiteE netmask 255.255.255.255 
isakmp identity address
isakmp keepalive 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
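The comparisons an engineer would make with the two excerpts side by side (phase 1 policy parity, keepalive parity, phase 2 transform and SA-lifetime parity, a pre-shared key for every peer, and whether each map entry's ACL label agrees with the peer it is bound to) can be done mechanically. The following checker is an added example written for this archive page, not code from the thread or from Cisco; the site labels, addresses and map names are the sanitized ones from the post, and the rules encode general causes of failed renegotiation, not a diagnosis of this particular tunnel.

```python
"""Cross-check two PIX 6.x IPsec excerpts for mismatches that commonly break
ISAKMP/IPsec renegotiation. The inputs below are the excerpts from the post
with wrapped lines rejoined (Site B trimmed to the entry facing Site A)."""
import re
from collections import defaultdict

SITE_A = """\
crypto ipsec transform-set siteaset esp-des esp-sha-hmac
crypto map siteamap 10 ipsec-isakmp
crypto map siteamap 10 match address SIteC
crypto map siteamap 10 set peer SiteB
crypto map siteamap 10 set transform-set siteaset
crypto map siteamap 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map siteamap 20 ipsec-isakmp
crypto map siteamap 20 match address SiteD
crypto map siteamap 20 set peer SiteC
crypto map siteamap 20 set transform-set siteaset
crypto map siteamap 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map siteamap 30 ipsec-isakmp
crypto map siteamap 30 match address SiteB
crypto map siteamap 30 set peer SiteD
crypto map siteamap 30 set transform-set siteaset
crypto map siteamap 30 set security-association lifetime seconds 3600 kilobytes 4608000
isakmp key ******** address siteB netmask 255.255.255.255
isakmp key ******** address SiteC netmask 255.255.255.255
isakmp key ******** address SiteD netmask 255.255.255.255
isakmp keepalive 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
"""

SITE_B = """\
crypto ipsec transform-set sitebset esp-des esp-sha-hmac
crypto map sitebmap 30 ipsec-isakmp
crypto map sitebmap 30 match address SiteA
crypto map sitebmap 30 set peer 212.60.194.36
crypto map sitebmap 30 set transform-set sitebset
crypto map sitebmap 30 set security-association lifetime seconds 3600 kilobytes 4608000
isakmp key ******** address SiteA netmask 255.255.255.255
isakmp keepalive 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
"""

IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+$")


def parse_pix(text):
    """Pull the IPsec-relevant statements out of a PIX config excerpt."""
    cfg = {"maps": defaultdict(dict), "keys": set(), "policy": defaultdict(dict),
           "transform": {}, "keepalive": None}
    for line in text.splitlines():
        if m := re.match(r"crypto map (\S+) (\d+) (.+)", line):
            name, seq, rest = m.groups()
            entry = cfg["maps"][(name, int(seq))]  # created on first sight
            if rest.startswith("match address "):
                entry["acl"] = rest.split()[-1]
            elif rest.startswith("set peer "):
                entry["peer"] = rest.split()[-1]
            elif rest.startswith("set transform-set "):
                entry["transform"] = rest.split()[-1]
            elif sm := re.search(r"lifetime seconds (\d+) kilobytes (\d+)", rest):
                entry["lifetime"] = (int(sm.group(1)), int(sm.group(2)))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["transform"][m.group(1)] = tuple(m.group(2).split())
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            cfg["keys"].add(m.group(1).lower())
        elif m := re.match(r"isakmp policy (\d+) (\S+) (\S+)", line):
            cfg["policy"][int(m.group(1))][m.group(2)] = m.group(3)
        elif m := re.match(r"isakmp keepalive (\d+)", line):
            cfg["keepalive"] = int(m.group(1))
    return cfg


def check_local(cfg):
    """Per-device checks: every peer keyed, every transform-set defined, and
    ACL label vs. peer label agreement where both are symbolic names."""
    out = []
    for (name, seq), e in sorted(cfg["maps"].items()):
        peer, acl = e.get("peer", ""), e.get("acl", "")
        if peer.lower() not in cfg["keys"]:
            out.append(f"{name} {seq}: no isakmp key configured for peer {peer}")
        if e.get("transform") not in cfg["transform"]:
            out.append(f"{name} {seq}: transform-set {e.get('transform')} is not defined")
        if acl and peer and not IPV4.match(peer) and acl.lower() != peer.lower():
            out.append(f"{name} {seq}: match address {acl} but set peer {peer}; confirm pairing")
    return out


def check_pair(a, b, a_entry, b_entry):
    """Parity checks between the two ends of one tunnel; any difference here
    is a candidate cause of a phase 1 or phase 2 negotiation that times out."""
    out = []
    if a["policy"] != b["policy"]:
        out.append(f"phase 1 policy differs: {dict(a['policy'])} vs {dict(b['policy'])}")
    if a["keepalive"] != b["keepalive"]:
        out.append(f"isakmp keepalive differs: {a['keepalive']} vs {b['keepalive']}")
    ea, eb = a["maps"][a_entry], b["maps"][b_entry]
    if a["transform"].get(ea.get("transform")) != b["transform"].get(eb.get("transform")):
        out.append("phase 2 transform algorithms differ")
    if ea.get("lifetime") != eb.get("lifetime"):
        out.append(f"SA lifetime differs: {ea.get('lifetime')} vs {eb.get('lifetime')}")
    return out


if __name__ == "__main__":
    a, b = parse_pix(SITE_A), parse_pix(SITE_B)
    for finding in check_local(a) + check_local(b) + check_pair(a, b, ("siteamap", 30), ("sitebmap", 30)):
        print(finding)
```

On the excerpt as posted, the Site A side shows no phase 1 or phase 2 disparity with Site B, but every `match address` label differs from the `set peer` label on the same entry, which is worth confirming against the real ACL contents. The key check fires on Site B only because the post gives its peers as addresses and its keys as labels; on the unsanitized configuration that comparison is exact.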


