| Subject: | Re: [fw-wiz] Remote access VPN and Cisco PIX 515E connection problems |
|---|---|
| Date: | Sat, 1 Apr 2006 08:29:53 -0500 |
Why are your SA lifetimes set to 3600 and 1800? By setting the dynamic crypto to 1800, you are telling the PIX to end the session after 30 minutes and renegotiate SAs. It is probably having trouble renegotiating these SAs since the peer IP address is changing. I would bump this up to at least 1 hour (3600) or higher and see if the problem goes away. You could also try enabling keepalives on the link to make sure the session stays up even with user inactivity. Bottom line, it sounds like the PIX is having trouble reestablishing the SA with the remote peer since its IP changed.
Hope this helps! Aaron
The first thing I would try is looking at all the bugs that were discovered since the first version of PIX OS 7 and see if any apply. Then, I would upgrade to the latest stable version of PIX OS 7. Likewise with the VPN client software in question.
PIX OS 7.0.2 was full of problems and is more than 6 months old. Last I looked (a couple days ago), 7.1.2 was the latest version being offered. If you've got a CCO account and active smartnet contract, you should be able to download the latest version for free.
Prabhu Gurumurthy wrote:
We have a Cisco PIX 515E configured as a VPN server.
It runs 7.0(2), with 16 MB flash, 128MB RAM. Configuration for VPN is below:
Problems that I am facing:
A lot of VPN users who are using the Cisco VPN client say that their session drops midway, when they have their session up and running. As you can see from the group-policy, there is no timeout set either for idle or for session. I asked my users about the network setup that they have at home and asked them to enable logging on their Cisco VPN client and send me the logs, which a couple of them did. I have not attached any logs with this email, but I see only 2 things when the VPN session dies.
1. DEL_REASON_ADDRESS_CHANGE
2. DEL_REASON_PEER_NOT_RESPONDING
I know about DEL_REASON_ADDRESS_CHANGE; it means that either the client address got changed somehow when it renewed its IP, or their wireless is flaky. I strongly suspect the latter.
When I googled DEL_REASON_PEER_NOT_RESPONDING, I got this link
https://access.llnl.gov/vpn/vpn3000-moreinfo.html among many, which explains the error type. Other links also point to 1. as the possible scenario. Cisco TAC confirms that there is no apparent problem with my configuration. I have a separate network setup, where I have 2 laptops connecting over a Linksys WAP11 access point (remember it acts as just an AP; it does not do DHCP or DNS or routing or firewalling) to the VPN, and the connection has been up for more than 2 days as I type.
Most VPN users who are facing problems, are running MAC, not MBP just MAC 10.3.X and above.
BTW, the LAN-to-LAN tunnel works like a charm, with no problems whatsoever, apart from some latency involved, but that's understandable and it is variable as well.
I have also asked my users to test the VPN connection using a wired connection, but some of them are reluctant to do so; their theory is, how come it was working with our previous VPN before? We used to have a Cisco 2621XM with VPN module acting as a VPN server, before we got the Cisco PIX 515E. I am kind of stumbled at this point. FWIW, many users do face this problem at all; in fact they say that this VPN is better than before.
Any suggestion, related links, solutions will be very much appreciated.
Thanks Prabhu
Here is the configuration for remote access VPN and LAN-to-LAN VPN:
----------------
crypto ipsec transform-set GW_SET esp-3des esp-md5-hmac
crypto ipsec transform-set RAVPN_SET esp-aes-256 esp-sha-hmac
crypto ipsec transform-set VPN29_SET esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec df-bit clear-df dmz
crypto ipsec df-bit clear-df outside
crypto dynamic-map RA_MAP 1 set transform-set RAVPN_SET
crypto dynamic-map RA_MAP 1 set security-association lifetime seconds 1800
crypto map VPN_MAP 1 match address SSN29
crypto map VPN_MAP 1 set pfs group5
crypto map VPN_MAP 1 set peer C501_2929
crypto map VPN_MAP 1 set transform-set VPN29_SET
crypto map VPN_MAP 1 set nat-t-disable
crypto map VPN_MAP 2 match address GW_VPN
crypto map VPN_MAP 2 set pfs group1
crypto map VPN_MAP 2 set peer GW_014500FC94
crypto map VPN_MAP 2 set transform-set GW_SET
crypto map VPN_MAP 2 set nat-t-disable
crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_MAP
crypto map VPN_MAP interface outside
isakmp identity auto
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 1800
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 1800
----------------------------------------------
Corresponding tunnel group information:
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key *
tunnel-group Y.Y.Y.Y type ipsec-l2l
tunnel-group Y.Y.Y.Y ipsec-attributes
 pre-shared-key *
tunnel-group SilverPix type ipsec-ra
tunnel-group SilverPix general-attributes
 address-pool RAVPN_POOL
 authentication-server-group RADIUS LOCAL
 default-group-policy RAVPN_POLICY
tunnel-group SilverPix ipsec-attributes
 pre-shared-key *
-----------------------------------------------
Corresponding group policy information:
group-policy RAVPN_POLICY internal
group-policy RAVPN_POLICY attributes
 banner value Welcome to Silver Spring Networks!
 wins-server value SILVER_NS1
 dns-server value SILVER_NS1 SILVER_NS2
 dhcp-network-scope 10.206.0.0
 vpn-idle-timeout none
 vpn-session-timeout none
 pfs enable
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RAVPN
 default-domain value silverspringnet.com
------------------------------------------------
-- Victor Williams Network Architect SSCP, RHCE vbwilliams@neb.rr.com
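As an added example (not from the thread or from Cisco), a small Python audit over a constructed excerpt of the posted config that flags what Aaron's reply points at: the dynamic-map IPsec SA lifetime of 1800 s that forces a rekey every 30 minutes, the equally short ISAKMP policy lifetimes, and the absence of dead-peer keepalives on the remote-access tunnel group. The keepalive syntax `isakmp keepalive threshold <sec> retry <sec>` under `tunnel-group <name> ipsec-attributes` is assumed from PIX/ASA 7.x documentation.

```python
import re

# Constructed excerpt modelled on the PIX 7.0(2) config posted in the thread
# (values copied from the post; this is not the live device's config).
PIX_CONFIG = """\
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map RA_MAP 1 set transform-set RAVPN_SET
crypto dynamic-map RA_MAP 1 set security-association lifetime seconds 1800
crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_MAP
isakmp policy 1 lifetime 1800
isakmp policy 2 lifetime 1800
tunnel-group SilverPix type ipsec-ra
tunnel-group SilverPix ipsec-attributes
 pre-shared-key *
"""

MIN_LIFETIME = 3600  # floor suggested in the reply: at least one hour

def audit_pix_vpn(config, min_lifetime=MIN_LIFETIME):
    """Return findings: short SA lifetimes and ipsec-ra groups without keepalives."""
    findings = []
    # Phase 2 lifetime overrides on dynamic maps (what the remote-access clients use).
    for m in re.finditer(r"^crypto dynamic-map (\S+) (\d+) set security-association "
                         r"lifetime seconds (\d+)", config, re.M):
        name, seq, secs = m.group(1), m.group(2), int(m.group(3))
        if secs < min_lifetime:
            findings.append(f"dynamic-map {name} {seq}: IPsec SA lifetime {secs}s forces "
                            f"rekey every {secs // 60} min (floor {min_lifetime}s)")
    # Phase 1 (ISAKMP) lifetimes, also 1800 in the posted config.
    for m in re.finditer(r"^isakmp policy (\d+) lifetime (\d+)", config, re.M):
        if int(m.group(2)) < min_lifetime:
            findings.append(f"isakmp policy {m.group(1)}: IKE SA lifetime {m.group(2)}s "
                            f"below floor {min_lifetime}s")
    # Dead-peer keepalives live under 'tunnel-group <name> ipsec-attributes' as
    # 'isakmp keepalive threshold <s> retry <s>' (syntax assumed from PIX/ASA 7.x docs).
    for group in re.findall(r"^tunnel-group (\S+) type ipsec-ra", config, re.M):
        block = re.search(rf"^tunnel-group {re.escape(group)} ipsec-attributes\n((?: .*\n)*)",
                          config, re.M)
        body = block.group(1) if block else ""
        if not re.search(r"^ isakmp keepalive threshold", body, re.M):
            findings.append(f"tunnel-group {group}: no isakmp keepalive configured")
    return findings

if __name__ == "__main__":
    for finding in audit_pix_vpn(PIX_CONFIG):
        print("WARN", finding)
```

Run it against a `show running-config` dump instead of the embedded excerpt to check a real PIX; an empty list means all three conditions from the reply are satisfied.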