[c-nsp] Remote access VPN and Cisco PIX 515E connection problems

Andrew Yourtchenko ayourtch at cisco.com
Fri Mar 31 07:11:50 EST 2006 

Adam,

I've looked at CSCsd03664 - and there's a note from the development folks 
that the crash itself is avoided by the fixes from CSCsc08188 - which is 
available in 7.0.4.5. The root cause is still under investigation within 
CSCsd61844 - however you should not have anymore the crash due to 
CSCsd03664 once you move to an image with the fix for CSCsc08188 - i.e. 
7.0.4.5 and up.

I've updated the release-note for CSCsd03664 to reflect these facts.
If you still have any troubles after giving a shot to the image with the 
fix for CSCsc08188 - feel free to open up a case with TAC.

thanks,
andrew

On Thu, 30 Mar 2006, Adam Maloney wrote:

> I had a similar issue when running 7.0(2).  I was getting users dropping
> after having been logged in for awhile, but before I started
> troubleshooting we also started having users not able to connect at all.
> That one was easier to troubleshoot, and I found CSCsb76995 matched my
> debug output and symptoms.  Upgraded to 7.0(4) and both issues went away.
> Never did figure out why they were dropping mid-session though.
>
> Before you upgrade, read below about my issue today.  It might help make
> your decision about what version to jump to.
>
> This morning after 35 issue-free days on 7.0(4), our PIX shat itself and
> reloaded.  I checked show crashinfo and found something that matched the
> description for CSCsd03664.  It's fixed in 7.1, but I checked out the open
> issues in the latest 7.1 and wasn't comfortable with it.  Cisco is
> advising me to wait until 7.2.  I'm waiting on more details about what
> causes CSCsd03664 so I can make sure I can limp by with the current bug
> (i.e., I'll get at least a few days at a time out of it) until 7.2 comes
> out.
>
> On Thu, 30 Mar 2006, Prabhu Gurumurthy wrote:
>
>> We have a Cisco PIX 515E configured as a VPN server.
>>
>> It runs 7.0(2), with 16 MB flash, 128MB RAM.
>> Configuration for VPN is below:
>>
>> Problems that I am facing:
>> Lot of VPN users who are using Cisco VPN client say that their session drops
>> midway, when they have their session up and running. As you can see from the
>> group-policy, there is no timeout set either for idle or for session. I asked
>> my users about the network setup that they have at home and asked them to
>> enable logging on their Cisco VPN client and send me the logs, which couple
>> of them did. I have not attached any logs with this email, but I see only 2
>> things when the VPN session dies.
>> 1. DEL_REASON_ADDRESS_CHANGE
>> 2. DEL_REASON_PEER_NOT_RESPONDING
>>
>> I know about DEL_REASON_ADDRESS_CHANGE, it means that either the, client
>> address got changed somehow when it renewed it IP, or their wireless is
>> flaky, I strongly suspect the latter.
>>
>> When I googled DEL_REASON_PEER_NOT_RESPONDING, I got this link
>> https://access.llnl.gov/vpn/vpn3000-moreinfo.html of the many, which explains
>> the error type. Other links also point to 1. as the possible scenario. Cisco
>> TAC confirms that there is no apparent problem with my configuration. I have
>> a separate network setup, where I have 2 laptops connecting over Linksys
>> WAP11 Access point (remember it acts a just AP, it does not do DHCP or DNS or
>> routing or firewalling) to the VPN and the connection has been up for more
>> than 2 days as I type.
>>
>> Most VPN users who are facing problems, are running MAC, not MBP just MAC
>> 10.3.X and above.
>>
>> BTW, Lan 2 Lan tunnel works like a charm, with no problems whatsoever, apart
>> from some latency involved, but that understandable and it is variable as
>> well.
>>
>> I have also asked my users to test the VPN connection using wired connection,
>> but some of them are reluctant to do so, their theory is that how come it was
>> working with our previous VPN before. We used to have Cisco 2621XM with VPN
>> module acting as a VPN server, before we got Cisco PIX 515E. I am kind of
>> stumbled at this point. FWIW, many users do  face this problem at all, infact
>> they say that this VPN is better than before.
>>
>> Any suggestion, related links, solutions will be very much appreciated.
>>
>> Thanks
>> Prabhu
>>
>> Here is the configuration for remote access VPN and Lan to Lan VPN:
>> ----------------
>>
>> crypto ipsec transform-set GW_SET esp-3des esp-md5-hmac
>> crypto ipsec transform-set RAVPN_SET esp-aes-256 esp-sha-hmac
>> crypto ipsec transform-set VPN29_SET esp-aes-256 esp-sha-hmac
>> crypto ipsec security-association lifetime seconds 3600
>> crypto ipsec df-bit clear-df dmz
>> crypto ipsec df-bit clear-df outside
>> crypto dynamic-map RA_MAP 1 set transform-set RAVPN_SET
>> crypto dynamic-map RA_MAP 1 set security-association lifetime seconds 1800
>> crypto map VPN_MAP 1 match address SSN29
>> crypto map VPN_MAP 1 set pfs group5
>> crypto map VPN_MAP 1 set peer C501_2929
>> crypto map VPN_MAP 1 set transform-set VPN29_SET
>> crypto map VPN_MAP 1 set nat-t-disable
>> crypto map VPN_MAP 2 match address GW_VPN
>> crypto map VPN_MAP 2 set pfs group1
>> crypto map VPN_MAP 2 set peer GW_014500FC94
>> crypto map VPN_MAP 2 set transform-set GW_SET
>> crypto map VPN_MAP 2 set nat-t-disable
>> crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_MAP
>> crypto map VPN_MAP interface outside
>> isakmp identity auto
>> isakmp enable outside
>> isakmp policy 1 authentication pre-share
>> isakmp policy 1 encryption aes-256
>> isakmp policy 1 hash sha
>> isakmp policy 1 group 2
>> isakmp policy 1 lifetime 1800
>> isakmp policy 2 authentication pre-share
>> isakmp policy 2 encryption 3des
>> isakmp policy 2 hash md5
>> isakmp policy 2 group 2
>> isakmp policy 2 lifetime 1800
>>
>> ----------------------------------------------
>> Corresponding tunnel group information:
>>
>> tunnel-group X.X.X.X type ipsec-l2l
>> tunnel-group X.X.X.X ipsec-attributes
>> pre-shared-key *
>> tunnel-group Y.Y.Y.Y type ipsec-l2l
>> tunnel-group Y.Y.Y.Y ipsec-attributes
>> pre-shared-key *
>> tunnel-group SilverPix type ipsec-ra
>> tunnel-group SilverPix general-attributes
>> address-pool RAVPN_POOL
>> authentication-server-group RADIUS LOCAL
>> default-group-policy RAVPN_POLICY
>> tunnel-group SilverPix ipsec-attributes
>> pre-shared-key *
>>
>> -----------------------------------------------
>> Corresponding group policy information:
>>
>> group-policy RAVPN_POLICY internal
>> group-policy RAVPN_POLICY attributes
>> banner value Welcome to Silver Spring Networks!
>> wins-server value SILVER_NS1
>> dns-server value SILVER_NS1 SILVER_NS2
>> dhcp-network-scope 10.206.0.0
>> vpn-idle-timeout none
>> vpn-session-timeout none
>> pfs enable
>> ipsec-udp enable
>> split-tunnel-policy tunnelspecified
>> split-tunnel-network-list value RAVPN
>> default-domain value silverspringnet.com
>> ------------------------------------------------
>>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

More information about the cisco-nsp mailing list