[c-nsp] Cisco PIX VPN address pool

Scott Klassen klas9574 at msn.com
Fri Jul 27 15:58:27 EDT 2007


Pix 605.  Two questions:

  I have a small reserved set of addresses set in the PIX for a few people
who use IPSEC VPN.  At least one of the users keeps disconnecting.  I
believe what is happening is that the user is just closing the VPN client
software and not disconnecting first.  The big issue with this is that even
though the sessions appear to close properly, the IP address is not returned
as free to the pool.  This is keeping other users from being able to VPN in
because the pool has been exhausted.  The only way that I've figured out to
free these addresses is to do a reload on the PIX.  Is there some command I
can use to expire the lease on an address immediately?

Example:

Pool is set as 10.10.10.64-10.10.10.70

Four clients login, getting assigned .64, .65, .66, and .67 in order of
connection.  .65 connection is lost in whatever weird way that's happening.
The client reconnects, but is assigned .68.  He loses conn again,
reconnects, and is assigned .69.  Two different clients now attempt to
login, the first is assigned .70 and the second cannot get an address
because .65 and .68 are "locked" and not returned to the pool for use.  

Also, which of the many timeouts control the lease time for a VPN pool?  I
have the following in the config that might be relevant:

Arp timeout 14400
Timeout xlate 1:00:00
Timeout conn 1:00:00
Half-closed 0:10:00
Isakmp policy lifetime 28800
Vpngroup idle-time 2400
Vpngroup max-time 14400
Dhcpd lease 3600
Dhcpd ping_timeout 750

Thanks,

Scott Klassen
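The scenario in the post, replayed against a small constructed model of an address pool. This is added illustration, not PIX code and not anything Scott posted: the pool, the client names A to F, and the "tick" clock are assumptions made here to show why a lease that is only ever freed by a graceful disconnect ends up locked when the client simply closes its software, and how an idle timeout (the general mechanism behind settings such as an idle-time or dead-peer timeout) reclaims the orphaned addresses so later clients still get one.

```python
"""Constructed model of a VPN address pool, added to illustrate the failure
mode in the post: clients that vanish without disconnecting keep their address
until some idle timeout reclaims it. Not PIX code; client names and the
tick-based clock are invented for the example."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Lease:
    client: str
    last_seen: int  # abstract clock ticks, not seconds


class AddressPool:
    """Hands out the lowest free address. A lease is freed only by an explicit
    disconnect or, if idle_timeout is set, when the client goes silent."""

    def __init__(self, first, last, idle_timeout=None):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.leases = {}  # ip -> Lease
        self.idle_timeout = idle_timeout

    def _sort_free(self):
        self.free.sort(key=lambda ip: int(ipaddress.IPv4Address(ip)))

    def reclaim_idle(self, now):
        """Free every lease whose client has been silent for idle_timeout ticks."""
        if self.idle_timeout is None:
            return []
        stale = [ip for ip, l in self.leases.items()
                 if now - l.last_seen >= self.idle_timeout]
        for ip in stale:
            del self.leases[ip]
            self.free.append(ip)
        self._sort_free()
        return stale

    def assign(self, client, now):
        self.reclaim_idle(now)
        if not self.free:
            return None  # pool exhausted
        ip = self.free.pop(0)
        self.leases[ip] = Lease(client, now)
        return ip

    def keepalive(self, ip, now):
        self.leases[ip].last_seen = now

    def disconnect(self, ip):
        """Graceful teardown: without a timeout this is the only path that frees an address."""
        del self.leases[ip]
        self.free.append(ip)
        self._sort_free()


def replay(idle_timeout=None):
    """Replay the post's scenario on the 10.10.10.64-.70 pool. Returns the
    addresses handed out, in order, and the addresses still leased to
    sessions whose client software is gone."""
    pool = AddressPool("10.10.10.64", "10.10.10.70", idle_timeout)
    alive = {}  # client -> ip for sessions whose software is still running
    assigned = []

    def connect(client, now):
        for ip in alive.values():  # live sessions keep their leases fresh
            pool.keepalive(ip, now)
        ip = pool.assign(client, now)
        if ip is not None:
            alive[client] = ip
        assigned.append(ip)

    def vanish(client):
        alive.pop(client)  # client closes the software; the pool is never told

    for c in ("A", "B", "C", "D"):
        connect(c, 0)  # .64 .65 .66 .67
    vanish("B")        # B's .65 is now orphaned
    connect("B", 20)   # B reconnects
    vanish("B")
    connect("B", 40)   # B reconnects again
    connect("E", 50)
    connect("F", 50)   # gets nothing when the orphans were never reclaimed
    locked = sorted(ip for ip, l in pool.leases.items() if alive.get(l.client) != ip)
    return assigned, locked


if __name__ == "__main__":
    print("no timeout:", replay())
    print("idle timeout 15:", replay(15))
```

With no idle timeout the replay hands out .64 through .70 and then fails for the last client while .65 and .68 stay locked to B's dead sessions, which is exactly the pattern described above. With an idle timeout the pool notices that the orphaned .65 has gone quiet, gives it back to B on reconnect, and E and F receive .68 and .69.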