[c-nsp] Remote access VPN and Cisco PIX 515E connection problems

Prabhu Gurumurthy pgurumu at gmail.com
Thu Mar 30 17:10:30 EST 2006


We have a Cisco PIX 515E configured as a VPN server.

It runs 7.0(2), with 16 MB flash and 128 MB RAM.
Configuration for VPN is below:

Problems that I am facing:
A lot of VPN users who are using the Cisco VPN client say that their 
session drops midway, when they have their session up and running. As 
you can see from the group-policy, there is no timeout set either for 
idle or for session. I asked my users about the network setup that they 
have at home and asked them to enable logging on their Cisco VPN client 
and send me the logs, which a couple of them did. I have not attached 
any logs with this email, but I see only 2 things when the VPN session 
dies:
1. DEL_REASON_ADDRESS_CHANGE
2. DEL_REASON_PEER_NOT_RESPONDING

I know about DEL_REASON_ADDRESS_CHANGE; it means that either the client 
address got changed somehow when it renewed its IP, or their wireless is 
flaky. I strongly suspect the latter.

When I googled DEL_REASON_PEER_NOT_RESPONDING, I got this link, 
https://access.llnl.gov/vpn/vpn3000-moreinfo.html, among many, which 
explains the error type. Other links also point to 1. as the possible 
scenario. Cisco TAC confirms that there is no apparent problem with my 
configuration. I have a separate network setup, where I have 2 laptops 
connecting over a Linksys WAP11 access point (remember it acts as just an 
AP; it does not do DHCP or DNS or routing or firewalling) to the VPN, and 
the connection has been up for more than 2 days as I type.

Most VPN users who are facing problems are running MAC, not MBP, just 
MAC 10.3.X and above.

BTW, the LAN-to-LAN tunnel works like a charm, with no problems 
whatsoever, apart from some latency involved, but that is understandable 
and it is variable as well.

I have also asked my users to test the VPN connection using a wired 
connection, but some of them are reluctant to do so; their theory is: 
how come it was working with our previous VPN before? We used to have a 
Cisco 2621XM with VPN module acting as a VPN server, before we got the 
Cisco PIX 515E. I am kind of stumped at this point. FWIW, many users do 
not face this problem at all; in fact they say that this VPN is better 
than before.

Any suggestions, related links or solutions will be very much appreciated.

Thanks
Prabhu

Here is the configuration for remote access VPN and LAN-to-LAN VPN:
----------------

crypto ipsec transform-set GW_SET esp-3des esp-md5-hmac
crypto ipsec transform-set RAVPN_SET esp-aes-256 esp-sha-hmac
crypto ipsec transform-set VPN29_SET esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec df-bit clear-df dmz
crypto ipsec df-bit clear-df outside
crypto dynamic-map RA_MAP 1 set transform-set RAVPN_SET
crypto dynamic-map RA_MAP 1 set security-association lifetime seconds 1800
crypto map VPN_MAP 1 match address SSN29
crypto map VPN_MAP 1 set pfs group5
crypto map VPN_MAP 1 set peer C501_2929
crypto map VPN_MAP 1 set transform-set VPN29_SET
crypto map VPN_MAP 1 set nat-t-disable
crypto map VPN_MAP 2 match address GW_VPN
crypto map VPN_MAP 2 set pfs group1
crypto map VPN_MAP 2 set peer GW_014500FC94
crypto map VPN_MAP 2 set transform-set GW_SET
crypto map VPN_MAP 2 set nat-t-disable
crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_MAP
crypto map VPN_MAP interface outside
isakmp identity auto
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 1800
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 1800

----------------------------------------------
Corresponding tunnel group information:

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
  pre-shared-key *
tunnel-group Y.Y.Y.Y type ipsec-l2l
tunnel-group Y.Y.Y.Y ipsec-attributes
  pre-shared-key *
tunnel-group SilverPix type ipsec-ra
tunnel-group SilverPix general-attributes
  address-pool RAVPN_POOL
  authentication-server-group RADIUS LOCAL
  default-group-policy RAVPN_POLICY
tunnel-group SilverPix ipsec-attributes
  pre-shared-key *

-----------------------------------------------
Corresponding group policy information:

group-policy RAVPN_POLICY internal
group-policy RAVPN_POLICY attributes
  banner value Welcome to Silver Spring Networks!
  wins-server value SILVER_NS1
  dns-server value SILVER_NS1 SILVER_NS2
  dhcp-network-scope 10.206.0.0
  vpn-idle-timeout none
  vpn-session-timeout none
  pfs enable
  ipsec-udp enable
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value RAVPN
  default-domain value silverspringnet.com
------------------------------------------------
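The following is an added example, not part of the original message and not a Cisco tool. It parses an excerpt of the configuration posted above (the crypto, isakmp and group-policy lines; names such as RAVPN_POLICY, RA_MAP and VPN_MAP are the poster's own) and reports the settings a troubleshooter would want side by side when chasing DEL_REASON_PEER_NOT_RESPONDING drops: the IKE and IPsec rekey lifetimes, the idle/session timeouts, how clients behind NAT are handled, and any lines that still select 3DES, MD5 or DH group 1.

```python
"""Audit the VPN-related parts of a PIX/ASA-style configuration.

Added example: the parser is generic (top-level command plus indented
attribute lines); the embedded input is an excerpt of the configuration
posted in the message, not a constructed one.
"""
import re

PIX_CONFIG = """\
crypto ipsec transform-set GW_SET esp-3des esp-md5-hmac
crypto ipsec transform-set RAVPN_SET esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map RA_MAP 1 set transform-set RAVPN_SET
crypto dynamic-map RA_MAP 1 set security-association lifetime seconds 1800
crypto map VPN_MAP 1 set nat-t-disable
crypto map VPN_MAP 2 set pfs group1
crypto map VPN_MAP 2 set nat-t-disable
crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_MAP
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 lifetime 1800
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 lifetime 1800
group-policy RAVPN_POLICY internal
group-policy RAVPN_POLICY attributes
  vpn-idle-timeout none
  vpn-session-timeout none
  pfs enable
  ipsec-udp enable
  split-tunnel-policy tunnelspecified
"""

# Algorithms and DH groups that are legacy by current standards.
LEGACY = re.compile(r"\b(3des|md5|group1|group 1)\b")


def parse_config(text):
    """Split a config into top-level commands and their indented attributes.

    Returns (commands, sections): commands is the ordered list of top-level
    lines; sections maps a top-level line to the indented lines under it.
    """
    commands, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if current is not None:
                sections.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            commands.append(current)
    return commands, sections


def rekey_lifetimes(commands):
    """Collect IKE (isakmp) and IPsec SA lifetimes in seconds, keyed by scope."""
    out = {}
    for cmd in commands:
        m = re.match(r"isakmp policy (\d+) lifetime (\d+)", cmd)
        if m:
            out[f"isakmp policy {m.group(1)}"] = int(m.group(2))
            continue
        m = re.match(r"crypto ipsec security-association lifetime seconds (\d+)", cmd)
        if m:
            out["ipsec global"] = int(m.group(1))
            continue
        m = re.match(r"crypto dynamic-map (\S+) (\d+) set "
                     r"security-association lifetime seconds (\d+)", cmd)
        if m:
            out[f"ipsec dynamic-map {m.group(1)} {m.group(2)}"] = int(m.group(3))
    return out


def group_policy_attributes(sections, name):
    """Return the attribute -> value map of 'group-policy NAME attributes'."""
    attrs = {}
    for line in sections.get(f"group-policy {name} attributes", []):
        key, _, value = line.partition(" ")
        attrs[key] = value
    return attrs


def legacy_algorithm_lines(commands):
    """Lines that still select 3DES, MD5 or DH group 1."""
    return [c for c in commands if LEGACY.search(c)]


def audit(text, policy="RAVPN_POLICY"):
    """Summarise the settings most relevant to unexpected tunnel drops."""
    commands, sections = parse_config(text)
    attrs = group_policy_attributes(sections, policy)
    return {
        "lifetimes": rekey_lifetimes(commands),
        "idle_timeout": attrs.get("vpn-idle-timeout"),
        "session_timeout": attrs.get("vpn-session-timeout"),
        # Cisco IPsec-over-UDP for the remote-access policy, and which
        # static (L2L) map entries have NAT-T switched off.
        "ipsec_udp": attrs.get("ipsec-udp") == "enable",
        "nat_t_disabled_maps": [c for c in commands if c.endswith("set nat-t-disable")],
        "legacy": legacy_algorithm_lines(commands),
    }


if __name__ == "__main__":
    for key, value in audit(PIX_CONFIG).items():
        print(f"{key}: {value}")
```

On the posted excerpt the report shows no idle or session timeout, but both the IKE policies and the remote-access dynamic map rekey every 1800 seconds, so it is worth correlating the times of the client drops with a 30-minute cadence before looking further at the wireless side. The legacy list (the GW_SET transform set, isakmp policy 2 and the group1 PFS entry) is a hardening note rather than a cause of the drops.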