[c-nsp] Remote access VPN and Cisco PIX 515E connection problems

Adam Maloney adam at whee.org
Fri Mar 31 08:25:00 EST 2006 

Thank you Andrew.  The tech currently assigned to my case didn't mention 
that moving to 7.0.4.5 was an option - I think this sounds safer than 
moving to 7.1.  Will try it and see.

On Fri, 31 Mar 2006, Andrew Yourtchenko wrote:

> Adam,
>
> I've looked at CSCsd03664 - and there's a note from the development folks 
> that the crash itself is avoided by the fixes from CSCsc08188 - which is 
> available in 7.0.4.5. The root cause is still under investigation within 
> CSCsd61844 - however you should not have anymore the crash due to CSCsd03664 
> once you move to an image with the fix for CSCsc08188 - i.e. 7.0.4.5 and up.
>
> I've updated the release-note for CSCsd03664 to reflect these facts.
> If you still have any troubles after giving a shot to the image with the fix 
> for CSCsc08188 - feel free to open up a case with TAC.
>
> thanks,
> andrew
>
> On Thu, 30 Mar 2006, Adam Maloney wrote:
>
>> I had a similar issue when running 7.0(2).  I was getting users dropping
>> after having been logged in for awhile, but before I started
>> troubleshooting we also started having users not able to connect at all.
>> That one was easier to troubleshoot, and I found CSCsb76995 matched my
>> debug output and symptoms.  Upgraded to 7.0(4) and both issues went away.
>> Never did figure out why they were dropping mid-session though.
>> 
>> Before you upgrade, read below about my issue today.  It might help make
>> your decision about what version to jump to.
>> 
>> This morning after 35 issue-free days on 7.0(4), our PIX shat itself and
>> reloaded.  I checked show crashinfo and found something that matched the
>> description for CSCsd03664.  It's fixed in 7.1, but I checked out the open
>> issues in the latest 7.1 and wasn't comfortable with it.  Cisco is
>> advising me to wait until 7.2.  I'm waiting on more details about what
>> causes CSCsd03664 so I can make sure I can limp by with the current bug
>> (i.e., I'll get at least a few days at a time out of it) until 7.2 comes
>> out.
>> 
>> On Thu, 30 Mar 2006, Prabhu Gurumurthy wrote:
>> 
>>> We have a Cisco PIX 515E configured as a VPN server.
>>> 
>>> It runs 7.0(2), with 16 MB flash, 128MB RAM.
>>> Configuration for VPN is below:
>>> 
>>> Problems that I am facing:
>>> Lot of VPN users who are using Cisco VPN client say that their session 
>>> drops
>>> midway, when they have their session up and running. As you can see from 
>>> the
>>> group-policy, there is no timeout set either for idle or for session. I 
>>> asked
>>> my users about the network setup that they have at home and asked them 
>>> to
>>> enable logging on their Cisco VPN client and send me the logs, which 
>>> couple
>>> of them did. I have not attached any logs with this email, but I see 
>>> only 2
>>> things when the VPN session dies.
>>> 1. DEL_REASON_ADDRESS_CHANGE
>>> 2. DEL_REASON_PEER_NOT_RESPONDING
>>> 
>>> I know about DEL_REASON_ADDRESS_CHANGE, it means that either the, client
>>> address got changed somehow when it renewed it IP, or their wireless is
>>> flaky, I strongly suspect the latter.
>>> 
>>> When I googled DEL_REASON_PEER_NOT_RESPONDING, I got this link
>>> https://access.llnl.gov/vpn/vpn3000-moreinfo.html of the many, which 
>>> explains
>>> the error type. Other links also point to 1. as the possible scenario. 
>>> Cisco
>>> TAC confirms that there is no apparent problem with my configuration. I 
>>> have
>>> a separate network setup, where I have 2 laptops connecting over Linksys
>>> WAP11 Access point (remember it acts a just AP, it does not do DHCP or 
>>> DNS or
>>> routing or firewalling) to the VPN and the connection has been up for 
>>> more
>>> than 2 days as I type.
>>> 
>>> Most VPN users who are facing problems, are running MAC, not MBP just 
>>> MAC
>>> 10.3.X and above.
>>> 
>>> BTW, Lan 2 Lan tunnel works like a charm, with no problems whatsoever, 
>>> apart
>>> from some latency involved, but that understandable and it is variable 
>>> as
>>> well.
>>> 
>>> I have also asked my users to test the VPN connection using wired 
>>> connection,
>>> but some of them are reluctant to do so, their theory is that how come 
>>> it was
>>> working with our previous VPN before. We used to have Cisco 2621XM with 
>>> VPN
>>> module acting as a VPN server, before we got Cisco PIX 515E. I am kind 
>>> of
>>> stumbled at this point. FWIW, many users do  face this problem at all, 
>>> infact
>>> they say that this VPN is better than before.
>>> 
>>> Any suggestion, related links, solutions will be very much appreciated.
>>> 
>>> Thanks
>>> Prabhu
>>> 
>>> Here is the configuration for remote access VPN and Lan to Lan VPN:
>>> ----------------
>>> 
>>> crypto ipsec transform-set GW_SET esp-3des esp-md5-hmac
>>> crypto ipsec transform-set RAVPN_SET esp-aes-256 esp-sha-hmac
>>> crypto ipsec transform-set VPN29_SET esp-aes-256 esp-sha-hmac
>>> crypto ipsec security-association lifetime seconds 3600
>>> crypto ipsec df-bit clear-df dmz
>>> crypto ipsec df-bit clear-df outside
>>> crypto dynamic-map RA_MAP 1 set transform-set RAVPN_SET
>>> crypto dynamic-map RA_MAP 1 set security-association lifetime seconds 
>>> 1800
>>> crypto map VPN_MAP 1 match address SSN29
>>> crypto map VPN_MAP 1 set pfs group5
>>> crypto map VPN_MAP 1 set peer C501_2929
>>> crypto map VPN_MAP 1 set transform-set VPN29_SET
>>> crypto map VPN_MAP 1 set nat-t-disable
>>> crypto map VPN_MAP 2 match address GW_VPN
>>> crypto map VPN_MAP 2 set pfs group1
>>> crypto map VPN_MAP 2 set peer GW_014500FC94
>>> crypto map VPN_MAP 2 set transform-set GW_SET
>>> crypto map VPN_MAP 2 set nat-t-disable
>>> crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_MAP
>>> crypto map VPN_MAP interface outside
>>> isakmp identity auto
>>> isakmp enable outside
>>> isakmp policy 1 authentication pre-share
>>> isakmp policy 1 encryption aes-256
>>> isakmp policy 1 hash sha
>>> isakmp policy 1 group 2
>>> isakmp policy 1 lifetime 1800
>>> isakmp policy 2 authentication pre-share
>>> isakmp policy 2 encryption 3des
>>> isakmp policy 2 hash md5
>>> isakmp policy 2 group 2
>>> isakmp policy 2 lifetime 1800
>>> 
>>> ----------------------------------------------
>>> Corresponding tunnel group information:
>>> 
>>> tunnel-group X.X.X.X type ipsec-l2l
>>> tunnel-group X.X.X.X ipsec-attributes
>>> pre-shared-key *
>>> tunnel-group Y.Y.Y.Y type ipsec-l2l
>>> tunnel-group Y.Y.Y.Y ipsec-attributes
>>> pre-shared-key *
>>> tunnel-group SilverPix type ipsec-ra
>>> tunnel-group SilverPix general-attributes
>>> address-pool RAVPN_POOL
>>> authentication-server-group RADIUS LOCAL
>>> default-group-policy RAVPN_POLICY
>>> tunnel-group SilverPix ipsec-attributes
>>> pre-shared-key *
>>> 
>>> -----------------------------------------------
>>> Corresponding group policy information:
>>> 
>>> group-policy RAVPN_POLICY internal
>>> group-policy RAVPN_POLICY attributes
>>> banner value Welcome to Silver Spring Networks!
>>> wins-server value SILVER_NS1
>>> dns-server value SILVER_NS1 SILVER_NS2
>>> dhcp-network-scope 10.206.0.0
>>> vpn-idle-timeout none
>>> vpn-session-timeout none
>>> pfs enable
>>> ipsec-udp enable
>>> split-tunnel-policy tunnelspecified
>>> split-tunnel-network-list value RAVPN
>>> default-domain value silverspringnet.com
>>> ------------------------------------------------
>>> 
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>> 
>

More information about the cisco-nsp mailing list