[VPN] Re: Pix doesn't respond after a while
Meidinger Chris
chris.meidinger at badenIT.de
Thu May 11 03:38:34 EDT 2006
this is the logging conf on an ASA5520 cluster of mine:
logging enable
logging timestamp
logging standby
logging asdm-buffer-size 300
logging console critical
logging buffered informational
logging flash-bufferwrap
logging flash-minimum-free 6152
logging flash-maximum-allocation 10240
to get persistant logs, send them to a syslog server of ftp. At a conf prompt do help logging for the syntax.
Cheers,
Chris
> -----Original Message-----
> From: vpn-bounces+chris.meidinger=badenit.de at lists.shmoo.com
> [mailto:vpn-bounces+chris.meidinger=badenit.de at lists.shmoo.com
> ] On Behalf Of Kindy Sylla
> Sent: Wednesday, May 10, 2006 5:25 PM
> To: Meidinger Chris; vpn at lists.shmoo.com
> Subject: [VPN] Re: Pix doesn't respond after a while
>
> Can you please tell me how to get the information you are
> requesting. Specially how to get the log from the pix..
>
> Thanks!
> Meidinger Chris <chris.meidinger at badenIT.de> a écrit :
>
>
> is a lot of data traversing the tunnel? maybe there is
> a size limit on one side?
>
> can you post a log from the pix during while ping is
> not working?
>
> also, can you get a log from the remote peer at that same time?
>
> Chris
>
> -----Original Message-----
> From: Kindy Sylla [mailto:kindy_s at yahoo.fr]
> Sent: Wed 10-May-06 12:14
> To: Meidinger Chris; vpn at lists.shmoo.com
> Subject: RE: [VPN] Pix doesn't respond after a while
>
> Hi Chris,
>
> Thanks for the suggestion.
>
> I verify and the otherside has the same lifetime value.
>
> Any other idea? Any help would be great!!!
>
> Kindy
>
> Meidinger Chris <chris.meidinger at badenIT.de> a écrit :
> Hi Kindy,
>
> It sounds like the tunnel lifetimes are not the same.
>
> You have 'isakmp policy 9 lifetime 86400' which means
> that the tunnel will be torn down and renegotiated after
> 86400 seconds. Does the other side have the same lifetime? If
> not, the peer gateway won't be ready to reneg the tunnel and
> will (probably) spit out a Bad SPI log message for each of
> your side's negotiation attempts.
>
> That's definately the first thing to check!
>
> HTH,
>
> Chris
>
> -----Original Message-----
> From:
> vpn-bounces+chris.meidinger=badenit.de at lists.shmoo.com on
> behalf of Kindy Sylla
> Sent: Tue 09-May-06 10:55
> To: vpn at lists.shmoo.com
> Subject: [VPN] Pix doesn't respond after a while
>
> Hi,
>
> I am having a strange behaviour with a Cisco PIX
> Firewall Version 6.3(5). The configuration is done , the VPN
> are created between the 2 differents sites. The problème is
> after 5 to 6 hours of running, the ping to the remote hosts
> doesn't go through. When i try to ping a remote host, I see
> the followings line in the debug icmp trace:
>
> -request from inside:10.102.158.152 to 10.5.113.142
> ID=512 seq=5376 length=40
> 44: ICMP echo-request: translating
> inside:10.102.158.152 to outside:10.102.158.152
> 45: ICMP echo-request from inside:10.102.158.152 to
> 10.5.113.142 ID=512 seq=5632 length=40
> 46: ICMP echo-request: translating
> inside:10.102.158.152 to outside:10.102.158.152
>
> And When remote host try to ping a local machine, i
> can see the request coming without any reply.
>
> To get the ping work , we have to reload it.
>
> Do you have any idea?
>
> Please find below my config file :
> PIX Version 6.3(5)
> interface ethernet0 auto
> interface ethernet1 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password N7FecZuSHJlVZC2P encrypted
> passwd N7FecZuSHJlVZC2P encrypted
> hostname pixbenin
> domain-name boabenin.bj
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> access-list acl_vpn permit icmp 10.102.156.0
> 255.255.252.0 192.168.0.0 255.255.255.0
> access-list acl_vpn permit ip 10.102.156.0
> 255.255.252.0 192.168.0.0 255.255.255.0
> access-list acl_blgo permit icmp 10.102.156.0
> 255.255.252.0 10.5.113.128 255.255.255.224
> access-list acl_blgo permit ip 10.102.156.0
> 255.255.252.0 10.5.113.128 255.255.255.224
> access-list acl_blgo permit icmp 10.102.156.0
> 255.255.252.0 10.102.128.0 255.255.254.0
> access-list acl_blgo permit ip 10.102.156.0
> 255.255.252.0 10.102.128.0 255.255.254.0
> access-list acl_blgo permit icmp 10.102.156.0
> 255.255.252.0 10.102.130.0 255.255.255.128
> access-list acl_blgo permit ip 10.102.156.0
> 255.255.252.0 10.102.130.0 255.255.255.128
> pager lines 24
> mtu outside 500
> mtu inside 1500
> ip address outside 81.91.235.147 255.255.255.192
> ip address inside 10.102.155.135 255.255.255.128
> ip audit info action alarm
> ip audit attack action alarm
> pdm history enable
> arp timeout 14400
> nat (inside) 0 10.102.156.0 255.255.252.0 0 0
> route outside 0.0.0.0 0.0.0.0 81.91.235.129 1
> route inside 10.102.156.0 255.255.252.0 10.102.155.129 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
> rpc 0:10:00 h225 1:00:00
> ip audit attack action alarm
> pdm history enable
> arp timeout 14400
> nat (inside) 0 10.102.156.0 255.255.252.0 0 0
> route outside 0.0.0.0 0.0.0.0 81.91.235.129 1
> route inside 10.102.156.0 255.255.252.0 10.102.155.129 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
> rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout sip-disconnect 0:02:00 sip-invite 0:03:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server LOCAL protocol local
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> crypto ipsec transform-set strong esp-3des esp-sha-hmac
> crypto dynamic-map dynmap 30 set transform-set strong
> crypto map toX 20 ipsec-isakmp
> crypto map toX 20 match address acl_vpn
> crypto map toX 20 set peer 196.200.82.35
> crypto map toX 20 set transform-set strong
> crypto map toX 30 ipsec-isakmp
> crypto map toX 30 match address acl_blgo
> crypto ipsec transform-set strong esp-3des esp-sha-hmac
> crypto dynamic-map dynmap 30 set transform-set strong
> crypto map toX 20 ipsec-isakmp
> crypto map toX 20 match address acl_vpn
> crypto map toX 20 set peer 196.200.82.35
> crypto map toX 20 set transform-set strong
> crypto map toX 30 ipsec-isakmp
> crypto map toX 30 match address acl_blgo
> crypto map toX 30 set peer 194.78.211.130
> crypto map toX 30 set transform-set strong
> crypto map toX 9990 ipsec-isakmp dynamic dynmap
> crypto map toX interface outside
> isakmp enable outside
> isakmp key ******** address 196.200.82.35 netmask
> 255.255.255.255
> isakmp key ******** address 194.78.211.130 netmask
> 255.255.255.255
> isakmp identity address
> isakmp policy 9 authentication pre-share
> isakmp policy 9 encryption 3des
> isakmp policy 9 hash sha
> isakmp policy 9 group 1
> isakmp policy 9 lifetime 86400
> isakmp policy 19 authentication pre-share
> isakmp policy 19 encryption 3des
> isakmp policy 19 hash sha
> isakmp policy 19 group 2
> isakmp policy 19 lifetime 86400
> telnet timeout 5
> ssh 194.7.174.162 255.255.255.255 outside
> ssh 194.7.174.163 255.255.255.255 outside
> ssh 10.102.156.0 255.255.252.0 inside
> ssh 10.102.155.0 255.255.255.0 inside
> ssh timeout 5
> console timeout 0
> terminal width 80
> Cryptochecksum:7458b1b938134f7d52ed82d4e2003210
>
> Regrds,
>
> Kindy
>
>
>
> ---------------------------------
> Faites de Yahoo! votre page d'accueil sur le web pour
> retrouver directement vos services préférés : vérifiez vos
> nouveaux mails, lancez vos recherches et suivez l'actualité
> en temps réel. Cliquez ici.
>
>
>
>
>
> ---------------------------------
> Faites de Yahoo! votre page d'accueil sur le web pour
> retrouver directement vos services préférés : vérifiez vos
> nouveaux mails, lancez vos recherches et suivez l'actualité
> en temps réel. Cliquez ici.
>
>
>
>
> ________________________________
>
> Yahoo! Mail réinvente le mail ! Découvrez le nouveau Yahoo!
> Mail
> <http://fr.rd.yahoo.com/evt=40577/*http://fr.promotions.yahoo.
> com/mail/nouveaumail.html> et son interface révolutionnaire.
>
More information about the VPN
mailing list