[c-nsp] Remote access VPN and Cisco PIX 515E connection problems
Adam Maloney
adam at whee.org
Thu Mar 30 17:37:37 EST 2006
I had a similar issue when running 7.0(2). I was getting users dropping
after having been logged in for awhile, but before I started
troubleshooting we also started having users not able to connect at all.
That one was easier to troubleshoot, and I found CSCsb76995 matched my
debug output and symptoms. Upgraded to 7.0(4) and both issues went away.
Never did figure out why they were dropping mid-session though.
Before you upgrade, read below about my issue today. It might help make
your decision about what version to jump to.
This morning after 35 issue-free days on 7.0(4), our PIX shat itself and
reloaded. I checked show crashinfo and found something that matched the
description for CSCsd03664. It's fixed in 7.1, but I checked out the open
issues in the latest 7.1 and wasn't comfortable with it. Cisco is
advising me to wait until 7.2. I'm waiting on more details about what
causes CSCsd03664 so I can make sure I can limp by with the current bug
(i.e., I'll get at least a few days at a time out of it) until 7.2 comes
out.
On Thu, 30 Mar 2006, Prabhu Gurumurthy wrote:
> We have a Cisco PIX 515E configured as a VPN server.
>
> It runs 7.0(2), with 16 MB flash, 128MB RAM.
> Configuration for VPN is below:
>
> Problems that I am facing:
> Lot of VPN users who are using Cisco VPN client say that their session drops
> midway, when they have their session up and running. As you can see from the
> group-policy, there is no timeout set either for idle or for session. I asked
> my users about the network setup that they have at home and asked them to
> enable logging on their Cisco VPN client and send me the logs, which couple
> of them did. I have not attached any logs with this email, but I see only 2
> things when the VPN session dies.
> 1. DEL_REASON_ADDRESS_CHANGE
> 2. DEL_REASON_PEER_NOT_RESPONDING
>
> I know about DEL_REASON_ADDRESS_CHANGE, it means that either the, client
> address got changed somehow when it renewed it IP, or their wireless is
> flaky, I strongly suspect the latter.
>
> When I googled DEL_REASON_PEER_NOT_RESPONDING, I got this link
> https://access.llnl.gov/vpn/vpn3000-moreinfo.html of the many, which explains
> the error type. Other links also point to 1. as the possible scenario. Cisco
> TAC confirms that there is no apparent problem with my configuration. I have
> a separate network setup, where I have 2 laptops connecting over Linksys
> WAP11 Access point (remember it acts a just AP, it does not do DHCP or DNS or
> routing or firewalling) to the VPN and the connection has been up for more
> than 2 days as I type.
>
> Most VPN users who are facing problems, are running MAC, not MBP just MAC
> 10.3.X and above.
>
> BTW, Lan 2 Lan tunnel works like a charm, with no problems whatsoever, apart
> from some latency involved, but that understandable and it is variable as
> well.
>
> I have also asked my users to test the VPN connection using wired connection,
> but some of them are reluctant to do so, their theory is that how come it was
> working with our previous VPN before. We used to have Cisco 2621XM with VPN
> module acting as a VPN server, before we got Cisco PIX 515E. I am kind of
> stumbled at this point. FWIW, many users do face this problem at all, infact
> they say that this VPN is better than before.
>
> Any suggestion, related links, solutions will be very much appreciated.
>
> Thanks
> Prabhu
>
> Here is the configuration for remote access VPN and Lan to Lan VPN:
> ----------------
>
> crypto ipsec transform-set GW_SET esp-3des esp-md5-hmac
> crypto ipsec transform-set RAVPN_SET esp-aes-256 esp-sha-hmac
> crypto ipsec transform-set VPN29_SET esp-aes-256 esp-sha-hmac
> crypto ipsec security-association lifetime seconds 3600
> crypto ipsec df-bit clear-df dmz
> crypto ipsec df-bit clear-df outside
> crypto dynamic-map RA_MAP 1 set transform-set RAVPN_SET
> crypto dynamic-map RA_MAP 1 set security-association lifetime seconds 1800
> crypto map VPN_MAP 1 match address SSN29
> crypto map VPN_MAP 1 set pfs group5
> crypto map VPN_MAP 1 set peer C501_2929
> crypto map VPN_MAP 1 set transform-set VPN29_SET
> crypto map VPN_MAP 1 set nat-t-disable
> crypto map VPN_MAP 2 match address GW_VPN
> crypto map VPN_MAP 2 set pfs group1
> crypto map VPN_MAP 2 set peer GW_014500FC94
> crypto map VPN_MAP 2 set transform-set GW_SET
> crypto map VPN_MAP 2 set nat-t-disable
> crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_MAP
> crypto map VPN_MAP interface outside
> isakmp identity auto
> isakmp enable outside
> isakmp policy 1 authentication pre-share
> isakmp policy 1 encryption aes-256
> isakmp policy 1 hash sha
> isakmp policy 1 group 2
> isakmp policy 1 lifetime 1800
> isakmp policy 2 authentication pre-share
> isakmp policy 2 encryption 3des
> isakmp policy 2 hash md5
> isakmp policy 2 group 2
> isakmp policy 2 lifetime 1800
>
> ----------------------------------------------
> Corresponding tunnel group information:
>
> tunnel-group X.X.X.X type ipsec-l2l
> tunnel-group X.X.X.X ipsec-attributes
> pre-shared-key *
> tunnel-group Y.Y.Y.Y type ipsec-l2l
> tunnel-group Y.Y.Y.Y ipsec-attributes
> pre-shared-key *
> tunnel-group SilverPix type ipsec-ra
> tunnel-group SilverPix general-attributes
> address-pool RAVPN_POOL
> authentication-server-group RADIUS LOCAL
> default-group-policy RAVPN_POLICY
> tunnel-group SilverPix ipsec-attributes
> pre-shared-key *
>
> -----------------------------------------------
> Corresponding group policy information:
>
> group-policy RAVPN_POLICY internal
> group-policy RAVPN_POLICY attributes
> banner value Welcome to Silver Spring Networks!
> wins-server value SILVER_NS1
> dns-server value SILVER_NS1 SILVER_NS2
> dhcp-network-scope 10.206.0.0
> vpn-idle-timeout none
> vpn-session-timeout none
> pfs enable
> ipsec-udp enable
> split-tunnel-policy tunnelspecified
> split-tunnel-network-list value RAVPN
> default-domain value silverspringnet.com
> ------------------------------------------------
>
More information about the cisco-nsp
mailing list