[VPN] Re: Pix doesn't respond after a while

Meidinger Chris chris.meidinger at badenIT.de
Wed May 10 05:20:17 EDT 2006


Hi Kindy,

It sounds like the tunnel lifetimes are not the same. 

You have 'isakmp policy 9 lifetime 86400' which means that the tunnel will be torn down and renegotiated after 86400 seconds. Does the other side have the same lifetime? If not, the peer gateway won't be ready to reneg the tunnel and will (probably) spit out a Bad SPI log message for each of your side's negotiation attempts.

That's definately the first thing to check!

HTH,

Chris

-----Original Message-----
From: vpn-bounces+chris.meidinger=badenit.de at lists.shmoo.com on behalf of Kindy Sylla
Sent: Tue 09-May-06 10:55
To: vpn at lists.shmoo.com
Subject: [VPN] Pix doesn't respond after a while
 
Hi,
   
  I am having a strange behaviour with a Cisco PIX Firewall Version 6.3(5). The configuration is done , the VPN are created between the 2 differents sites. The problème is after 5 to 6 hours of running, the ping to the remote hosts doesn't go through. When i try to ping a remote host, I see the followings line in the debug icmp trace: 
   
  -request from inside:10.102.158.152 to 10.5.113.142 ID=512 seq=5376 length=40
44: ICMP echo-request: translating inside:10.102.158.152 to outside:10.102.158.152
45: ICMP echo-request from inside:10.102.158.152 to 10.5.113.142 ID=512 seq=5632 length=40
46: ICMP echo-request: translating inside:10.102.158.152 to outside:10.102.158.152

  And When remote host try to ping a local machine, i can see the request coming without any reply. 
   
  To get the ping work , we have to reload it. 
   
  Do you have any idea?  
   
  Please find below my config file :
  PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password N7FecZuSHJlVZC2P encrypted
passwd N7FecZuSHJlVZC2P encrypted
hostname pixbenin
domain-name boabenin.bj
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_vpn permit icmp 10.102.156.0 255.255.252.0 192.168.0.0 255.255.255.0 
access-list acl_vpn permit ip 10.102.156.0 255.255.252.0 192.168.0.0 255.255.255.0 
access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.5.113.128 255.255.255.224 
access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.5.113.128 255.255.255.224 
access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.102.128.0 255.255.254.0 
access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.102.128.0 255.255.254.0 
access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.102.130.0 255.255.255.128 
access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.102.130.0 255.255.255.128 
pager lines 24
mtu outside 500
mtu inside 1500
ip address outside 81.91.235.147 255.255.255.192
ip address inside 10.102.155.135 255.255.255.128
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 10.102.156.0 255.255.252.0 0 0
route outside 0.0.0.0 0.0.0.0 81.91.235.129 1
route inside 10.102.156.0 255.255.252.0 10.102.155.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 10.102.156.0 255.255.252.0 0 0
route outside 0.0.0.0 0.0.0.0 81.91.235.129 1
route inside 10.102.156.0 255.255.252.0 10.102.155.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac 
crypto dynamic-map dynmap 30 set transform-set strong
crypto map toX 20 ipsec-isakmp
crypto map toX 20 match address acl_vpn
crypto map toX 20 set peer 196.200.82.35
crypto map toX 20 set transform-set strong
crypto map toX 30 ipsec-isakmp
crypto map toX 30 match address acl_blgo
crypto ipsec transform-set strong esp-3des esp-sha-hmac 
crypto dynamic-map dynmap 30 set transform-set strong
crypto map toX 20 ipsec-isakmp
crypto map toX 20 match address acl_vpn
crypto map toX 20 set peer 196.200.82.35
crypto map toX 20 set transform-set strong
crypto map toX 30 ipsec-isakmp
crypto map toX 30 match address acl_blgo
crypto map toX 30 set peer 194.78.211.130
crypto map toX 30 set transform-set strong
crypto map toX 9990 ipsec-isakmp dynamic dynmap
crypto map toX interface outside
isakmp enable outside
isakmp key ******** address 196.200.82.35 netmask 255.255.255.255 
isakmp key ******** address 194.78.211.130 netmask 255.255.255.255 
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
isakmp policy 19 authentication pre-share
isakmp policy 19 encryption 3des
isakmp policy 19 hash sha
isakmp policy 19 group 2
isakmp policy 19 lifetime 86400
telnet timeout 5
ssh 194.7.174.162 255.255.255.255 outside
ssh 194.7.174.163 255.255.255.255 outside
ssh 10.102.156.0 255.255.252.0 inside
ssh 10.102.155.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:7458b1b938134f7d52ed82d4e2003210
  
Regrds,
   
  Kindy
   

		
---------------------------------
 Faites de Yahoo! votre page d'accueil sur le web pour retrouver directement vos services préférés : vérifiez vos nouveaux mails, lancez vos recherches et suivez l'actualité en temps réel. Cliquez ici.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20060510/c3f49354/attachment.htm 


More information about the VPN mailing list