[c-nsp] Cisco PIX VPN address pool

Scott Klassen klas9574 at msn.com
Mon Jul 30 13:25:06 EDT 2007


Small error in my original post, it's a Pix 506 not 605.  :)  

I was poking around a bit and it seems as though addresses assigned through
ip local pool don't appear to run through the dhcpd service.  When I do a
show dhcpd binding, it doesn't return any clients.  When I do a show ip
local pool, I get a return of the available pool addresses and in use
addresses (no details such as MAC address of the client available through
this command as far as I can tell).  For whatever reason, even though
several of the lower numbered addresses are showing as available, it's not
handing them out so they are "stuck".

Scott Klassen

-----Original Message-----
From: Masood Ahmad Shah [mailto:masood at nexlinx.net.pk] 
Sent: Monday, July 30, 2007 7:02 AM
To: 'Scott Klassen'; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cisco PIX VPN address pool

You may need to play with dhcpd lease things...

dhcpd lease 3600


Regards,
Masood Ahmad Shah
BLOG: http://www.weblogsl.com.pk/jahil/


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Klassen
Sent: Saturday, July 28, 2007 12:58 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco PIX VPN address pool

Pix 605.  Two questions:

  I have a small reserved set of addresses set in the PIX for a few people
who use IPSEC VPN.  At least one of the users keeps disconnecting.  I
believe what is happening is that the user is just closing the VPN client
software and not disconnecting first.  The big issue with this is that even
though the sessions appear to close properly, the IP address is not returned
as free to the pool.  This is keeping other users from being able to VPN in
because the pool has been exhausted.  The only way that I've figured out to
free these addresses is to do a reload on the PIX.  Is there some command I
can use to expire the lease on an address immediately?

Example:

Pool is set as 10.10.10.64-10.10.10.70

Four clients login, getting assigned .64, .65, .66, and .67 in order of
connection.  .65 connection is lost in whatever weird way that's happening.
The client reconnects, but is assigned .68.  He loses conn again,
reconnects, and is assigned .69.  Two different clients now attempt to
login, the first is assigned .70 and the second cannot get an address
because .65 and .68 are "locked" and not returned to the pool for use.  

Also, which of the many timeouts control the lease time for a VPN pool?  I
have the following in the config that might be relevant:

arp timeout 14400
timeout xlate 1:00:00
timeout conn 1:00:00
half-closed 0:10:00
isakmp policy lifetime 28800
vpngroup idle-time 2400
vpngroup max-time 14400
dhcpd lease 3600
dhcpd ping_timeout 750

Thanks,

Scott Klassen
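The leak described in the original post (an address is released only when the client disconnects cleanly, so a client that simply closes its software keeps "burning" pool entries until the pool is exhausted) can be modelled to see why an idle-based reclaim matters. The following is an added example written for this thread, not PIX code or anything from the list: it assumes a hypothetical pool that hands out the lowest free address and, optionally, an idle reaper that reclaims leases whose client has stopped sending keepalives. The address range, client names and timestamps are constructed from the post's example. The `pool_status` helper returns the kind of free/in-use summary you would otherwise read off `show ip local pool` to spot a pool that is filling up with stuck leases.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import Dict, List, Optional


@dataclass
class Lease:
    client: str
    assigned_at: float
    last_seen: float


class VpnAddressPool:
    """Hypothetical model of a VPN address pool (not the PIX implementation).

    Addresses are handed out lowest-free first and are returned only on a
    clean disconnect, unless reap_idle() reclaims leases whose client has
    been silent for longer than idle_timeout seconds.
    """

    def __init__(self, first: str, last: str, idle_timeout: float):
        lo, hi = int(ip_address(first)), int(ip_address(last))
        self.addresses = [IPv4Address(i) for i in range(lo, hi + 1)]
        self.leases: Dict[IPv4Address, Lease] = {}
        self.idle_timeout = idle_timeout

    def connect(self, client: str, now: float) -> Optional[IPv4Address]:
        """Assign the lowest free address, or None when the pool is exhausted."""
        for addr in self.addresses:
            if addr not in self.leases:
                self.leases[addr] = Lease(client, now, now)
                return addr
        return None

    def keepalive(self, addr: IPv4Address, now: float) -> None:
        self.leases[addr].last_seen = now

    def disconnect(self, addr: IPv4Address) -> None:
        """Clean disconnect: the address goes straight back to the pool."""
        self.leases.pop(addr, None)

    def reap_idle(self, now: float) -> List[IPv4Address]:
        """Reclaim leases whose client has been silent past idle_timeout."""
        stale = [a for a, l in self.leases.items()
                 if now - l.last_seen > self.idle_timeout]
        for addr in stale:
            del self.leases[addr]
        return stale

    def free(self) -> List[IPv4Address]:
        return [a for a in self.addresses if a not in self.leases]


def pool_status(pool: VpnAddressPool) -> dict:
    """Free/in-use summary, the figures you would compare against the CLI output."""
    free = pool.free()
    return {"size": len(pool.addresses), "free": len(free),
            "in_use": len(pool.addresses) - len(free),
            "exhausted": len(free) == 0}


def replay_scenario(idle_timeout: Optional[float] = None) -> dict:
    """Replay the post's sequence of events (constructed timestamps in seconds).

    With idle_timeout=None nothing is ever reclaimed, reproducing the leak;
    with a timeout the reaper runs before each event and returns .65 to the pool.
    """
    pool = VpnAddressPool("10.10.10.64", "10.10.10.70",
                          idle_timeout if idle_timeout is not None else float("inf"))
    live: Dict[str, IPv4Address] = {}   # clients whose VPN client is still running

    def step(now: float, client: Optional[str] = None) -> Optional[IPv4Address]:
        for addr in live.values():      # healthy sessions keep sending traffic
            pool.keepalive(addr, now)
        if idle_timeout is not None:
            pool.reap_idle(now)
        if client is None:
            return None
        addr = pool.connect(client, now)
        if addr is not None:
            live[client] = addr
        return addr

    for t, name in enumerate(("A", "B", "C", "D")):   # .64 .. .67 in order
        step(t, name)
    live.pop("B"); step(100)            # B closes the client: no clean release
    b_second = step(200, "B")           # reconnect: .68 leaked, .65 if reclaimed
    live.pop("B"); step(300)            # ... and loses the session again
    b_third = step(400, "B")
    e = step(500, "E")
    f = step(501, "F")                  # None when the pool is exhausted
    return {"B_second": str(b_second) if b_second else None,
            "B_third": str(b_third) if b_third else None,
            "E": str(e) if e else None, "F": str(f) if f else None,
            "status": pool_status(pool),
            "free": [str(a) for a in pool.free()]}


if __name__ == "__main__":
    print("no reclaim:", replay_scenario())
    print("idle reaper (60s):", replay_scenario(idle_timeout=60))
```

Run without a timeout, the replay ends with `.65` and `.68` held by nobody, the seventh address handed to the sixth client and the next login refused, which is exactly the exhaustion the post describes. With a 60-second idle reaper the same sequence never grows past four held addresses, which is the behaviour an idle timeout on the VPN group is meant to give you.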



_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/