[VPN] Re: Pix doesn't respond after a while

Meidinger Chris chris.meidinger at badenIT.de
Thu May 11 03:38:34 EDT 2006


this is the logging conf on an ASA5520 cluster of mine:

logging enable
logging timestamp
logging standby
logging asdm-buffer-size 300
logging console critical
logging buffered informational
logging flash-bufferwrap
logging flash-minimum-free 6152
logging flash-maximum-allocation 10240

To get persistent logs, send them to a syslog server or FTP. At a conf prompt, do 'help logging' for the syntax.

Cheers,

Chris
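Chris's point is that the buffered log is lost on exactly the reload Kindy has to do, so the log has to leave the box. The following is an added example, not code from this thread or from Cisco: a small Python UDP syslog collector that appends every datagram to a file and parses the %PIX-severity-ID tag so IKE/IPsec messages can be spotted as they arrive. It assumes the firewall is pointed at it with 'logging host <interface> <collector-ip>' (the command 'help logging' will show) and that messages keep the default syslog facility. The sample lines at the bottom are constructed here, with wording modelled on PIX messages; they were not captured from Kindy's device, and the IDs and text should be checked against the PIX syslog message reference before being relied on.

```python
"""UDP syslog receiver and parser for PIX/ASA 'logging host' output."""
import re
import socket
import sys
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Syslog PRI = facility * 8 + severity (RFC 3164).  The <PRI> is only present
# on messages the firewall sends to a 'logging host'; buffered output lacks it.
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<prefix>.*?)"                  # optional timestamp / device-id, kept verbatim
    r"%(?P<platform>PIX|ASA|FWSM)-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s?(?P<text>.*)$"
)

# Heuristic substrings (this example's choice, not a Cisco list) that mark the
# IKE/IPsec events to watch when a tunnel dies on a lifetime boundary.
# "ike" will also match "like"; acceptable for a triage filter.
VPN_MARKERS = ("spi", "isakmp", "ike", "ipsec", "sa created", "sa deleted")


@dataclass
class PixMessage:
    platform: str
    severity: int
    msgid: str
    text: str
    facility: Optional[int]          # None when the line carried no <PRI>
    prefix: str

    @property
    def vpn_related(self) -> bool:
        low = self.text.lower()
        return any(marker in low for marker in VPN_MARKERS)


def parse_line(line: str) -> Optional[PixMessage]:
    """Parse one PIX/ASA syslog line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    severity = int(m.group("sev"))
    facility = None
    if m.group("pri") is not None:
        facility, pri_severity = divmod(int(m.group("pri")), 8)
        if pri_severity != severity:      # the %PIX tag is authoritative; just flag it
            print(f"warning: PRI severity {pri_severity} != tag severity {severity}", file=sys.stderr)
    return PixMessage(m.group("platform"), severity, m.group("msgid"),
                      m.group("text"), facility, m.group("prefix").strip())


def summarize(lines: List[str]) -> Tuple[int, Counter, List[str]]:
    """Parse lines; return (parsed count, count per message ID, VPN-related IDs in order)."""
    parsed = [msg for msg in (parse_line(l) for l in lines) if msg]
    return (len(parsed), Counter(msg.msgid for msg in parsed),
            [msg.msgid for msg in parsed if msg.vpn_related])


def serve(port: int = 514, bind_addr: str = "0.0.0.0", logfile: str = "pix.log") -> None:
    """Append every datagram to logfile and print VPN-related messages as they arrive.

    Binding 514 needs root; otherwise pick a high port and configure
    'logging host <interface> <collector-ip> udp/<port>' on the firewall.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, open(logfile, "a") as out:
        sock.bind((bind_addr, port))
        while True:
            data, (src, _) = sock.recvfrom(4096)
            line = data.decode("utf-8", errors="replace").rstrip()
            out.write(f"{src} {line}\n")
            out.flush()                    # persist now: the box may be reloaded any minute
            msg = parse_line(line)
            if msg and msg.vpn_related:
                print(f"{src} sev={msg.severity} {msg.msgid}: {msg.text}")


# Constructed sample lines (wording modelled on PIX messages, not captured from
# Kindy's device; verify IDs and text against the PIX syslog message reference).
SAMPLE_LINES = [
    "<166>%PIX-6-302013: Built outbound TCP connection 4711 for outside:10.5.113.142/80 "
    "(10.5.113.142/80) to inside:10.102.158.152/1034 (10.102.158.152/1034)",
    "<164>%PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=81.91.235.147, "
    "prot=esp, spi=0x1a2b3c4d, srcaddr=196.200.82.35",
    "May 10 2006 17:25:00: %PIX-6-602301: sa created, (sa) sa_dest= 81.91.235.147, sa_prot= 50",
    "this is not a firewall message",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
    if len(sys.argv) > 1:                  # e.g. ./collector.py 5514
        serve(port=int(sys.argv[1]))
```

Run it with a port argument on the collector host and point 'logging host' at it; the file it writes survives the PIX reload, which is the whole point, and the VPN filter gives a quick view of what IKE/IPsec did around the time the pings stopped.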

> -----Original Message-----
> From: vpn-bounces+chris.meidinger=badenit.de at lists.shmoo.com 
> [mailto:vpn-bounces+chris.meidinger=badenit.de at lists.shmoo.com
> ] On Behalf Of Kindy Sylla
> Sent: Wednesday, May 10, 2006 5:25 PM
> To: Meidinger Chris; vpn at lists.shmoo.com
> Subject: [VPN] Re: Pix doesn't respond after a while
> 
> Can you please tell me how to get the information you are requesting? Especially how to get the log from the PIX.
>  
> Thanks! 
> Meidinger Chris <chris.meidinger at badenIT.de> wrote:
> 
> 
> 	Is a lot of data traversing the tunnel? Maybe there is a size limit on one side?
> 	
> 	Can you post a log from the PIX from while ping is not working?
> 	
> 	also, can you get a log from the remote peer at that same time?
> 	
> 	Chris
> 	
> 	-----Original Message-----
> 	From: Kindy Sylla [mailto:kindy_s at yahoo.fr]
> 	Sent: Wed 10-May-06 12:14
> 	To: Meidinger Chris; vpn at lists.shmoo.com
> 	Subject: RE: [VPN] Pix doesn't respond after a while
> 	
> 	Hi Chris,
> 	  
> 	  Thanks for the suggestion.
> 	  
> 	  I verified and the other side has the same lifetime value.
> 	  
> 	  Any other idea? Any help would be great!!!
> 	  
> 	  Kindy
> 	
> 	Meidinger Chris <chris.meidinger at badenIT.de> wrote:
> 	      Hi Kindy,
> 	
> 	It sounds like the tunnel lifetimes are not the same.
> 	
> 	You have 'isakmp policy 9 lifetime 86400' which means 
> that the tunnel will be torn down and renegotiated after 
> 86400 seconds. Does the other side have the same lifetime? If 
> not, the peer gateway won't be ready to reneg the tunnel and 
> will (probably) spit out a Bad SPI log message for each of 
> your side's negotiation attempts.
> 	
> 	That's definitely the first thing to check!
> 	
> 	HTH,
> 	
> 	Chris
> 	
> 	-----Original Message-----
> 	From: 
> vpn-bounces+chris.meidinger=badenit.de at lists.shmoo.com on 
> behalf of Kindy Sylla
> 	Sent: Tue 09-May-06 10:55
> 	To: vpn at lists.shmoo.com
> 	Subject: [VPN] Pix doesn't respond after a while
> 	
> 	Hi,
> 	 
> 	  I am having a strange behaviour with a Cisco PIX Firewall Version 6.3(5). The configuration is done, the VPNs are created between the 2 different sites. The problem is that after 5 to 6 hours of running, the ping to the remote hosts doesn't go through. When I try to ping a remote host, I see the following lines in the debug icmp trace:
> 	 
> 	  -request from inside:10.102.158.152 to 10.5.113.142 ID=512 seq=5376 length=40
> 	44: ICMP echo-request: translating inside:10.102.158.152 to outside:10.102.158.152
> 	45: ICMP echo-request from inside:10.102.158.152 to 10.5.113.142 ID=512 seq=5632 length=40
> 	46: ICMP echo-request: translating inside:10.102.158.152 to outside:10.102.158.152
> 	
> 	  And when a remote host tries to ping a local machine, I can see the request coming in without any reply.
> 	 
> 	  To get the ping to work, we have to reload it.
> 	 
> 	  Do you have any idea?
> 	 
> 	  Please find below my config file:
> 	  PIX Version 6.3(5)
> 	interface ethernet0 auto
> 	interface ethernet1 auto
> 	nameif ethernet0 outside security0
> 	nameif ethernet1 inside security100
> 	enable password N7FecZuSHJlVZC2P encrypted
> 	passwd N7FecZuSHJlVZC2P encrypted
> 	hostname pixbenin
> 	domain-name boabenin.bj
> 	fixup protocol dns maximum-length 512
> 	fixup protocol ftp 21
> 	fixup protocol h323 h225 1720
> 	fixup protocol h323 ras 1718-1719
> 	fixup protocol http 80
> 	fixup protocol rsh 514
> 	fixup protocol rtsp 554
> 	fixup protocol sip 5060
> 	fixup protocol sip udp 5060
> 	fixup protocol skinny 2000
> 	fixup protocol smtp 25
> 	fixup protocol sqlnet 1521
> 	fixup protocol tftp 69
> 	names
> 	access-list acl_vpn permit icmp 10.102.156.0 255.255.252.0 192.168.0.0 255.255.255.0
> 	access-list acl_vpn permit ip 10.102.156.0 255.255.252.0 192.168.0.0 255.255.255.0
> 	access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.5.113.128 255.255.255.224
> 	access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.5.113.128 255.255.255.224
> 	access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.102.128.0 255.255.254.0
> 	access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.102.128.0 255.255.254.0
> 	access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.102.130.0 255.255.255.128
> 	access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.102.130.0 255.255.255.128
> 	pager lines 24
> 	mtu outside 500
> 	mtu inside 1500
> 	ip address outside 81.91.235.147 255.255.255.192
> 	ip address inside 10.102.155.135 255.255.255.128
> 	ip audit info action alarm
> 	ip audit attack action alarm
> 	pdm history enable
> 	arp timeout 14400
> 	nat (inside) 0 10.102.156.0 255.255.252.0 0 0
> 	route outside 0.0.0.0 0.0.0.0 81.91.235.129 1
> 	route inside 10.102.156.0 255.255.252.0 10.102.155.129 1
> 	timeout xlate 3:00:00
> 	timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> 	timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> 	timeout sip-disconnect 0:02:00 sip-invite 0:03:00
> 	timeout uauth 0:05:00 absolute
> 	aaa-server TACACS+ protocol tacacs+
> 	aaa-server TACACS+ max-failed-attempts 3
> 	aaa-server TACACS+ deadtime 10
> 	aaa-server RADIUS protocol radius
> 	aaa-server RADIUS max-failed-attempts 3
> 	aaa-server RADIUS deadtime 10
> 	aaa-server LOCAL protocol local
> 	no snmp-server location
> 	no snmp-server contact
> 	snmp-server community public
> 	no snmp-server enable traps
> 	floodguard enable
> 	sysopt connection permit-ipsec
> 	crypto ipsec transform-set strong esp-3des esp-sha-hmac
> 	crypto dynamic-map dynmap 30 set transform-set strong
> 	crypto map toX 20 ipsec-isakmp
> 	crypto map toX 20 match address acl_vpn
> 	crypto map toX 20 set peer 196.200.82.35
> 	crypto map toX 20 set transform-set strong
> 	crypto map toX 30 ipsec-isakmp
> 	crypto map toX 30 match address acl_blgo
> 	crypto map toX 30 set peer 194.78.211.130
> 	crypto map toX 30 set transform-set strong
> 	crypto map toX 9990 ipsec-isakmp dynamic dynmap
> 	crypto map toX interface outside
> 	isakmp enable outside
> 	isakmp key ******** address 196.200.82.35 netmask 255.255.255.255
> 	isakmp key ******** address 194.78.211.130 netmask 255.255.255.255
> 	isakmp identity address
> 	isakmp policy 9 authentication pre-share
> 	isakmp policy 9 encryption 3des
> 	isakmp policy 9 hash sha
> 	isakmp policy 9 group 1
> 	isakmp policy 9 lifetime 86400
> 	isakmp policy 19 authentication pre-share
> 	isakmp policy 19 encryption 3des
> 	isakmp policy 19 hash sha
> 	isakmp policy 19 group 2
> 	isakmp policy 19 lifetime 86400
> 	telnet timeout 5
> 	ssh 194.7.174.162 255.255.255.255 outside
> 	ssh 194.7.174.163 255.255.255.255 outside
> 	ssh 10.102.156.0 255.255.252.0 inside
> 	ssh 10.102.155.0 255.255.255.0 inside
> 	ssh timeout 5
> 	console timeout 0
> 	terminal width 80
> 	Cryptochecksum:7458b1b938134f7d52ed82d4e2003210
> 	
> 	Regards,
> 	 
> 	  Kindy
> 	 
> 	
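To make Chris's "first thing to check" mechanical, here is an added example (not code from the thread or from Cisco) that parses the isakmp policy and crypto map lines out of two PIX 6.3 configs and reports lifetime differences between the two ends of a tunnel. It goes one step beyond what the thread discusses and also compares the phase-2 (IPsec SA) lifetime, since a mismatch there shows up on the same kind of schedule. The local side uses an excerpt of the crypto map and isakmp policy lines from Kindy's posted config; the remote side is constructed for illustration with lifetimes that deliberately differ. The defaults assumed when a command is absent are the PIX 6.3 ones: 86400 s for 'isakmp policy N lifetime' and 28800 s for 'crypto ipsec security-association lifetime seconds'. Whether a particular difference actually breaks the tunnel depends on which side initiates and on how the peer handles a shorter proposal, so treat the output as a list of things to verify on both boxes rather than as a verdict.

```python
"""Compare IKE (phase 1) and IPsec (phase 2) lifetimes between two PIX 6.3 configs."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# PIX 6.3 defaults that apply when the command is absent from the config.
DEFAULT_ISAKMP_LIFETIME = 86400   # 'isakmp policy N lifetime', seconds
DEFAULT_IPSEC_LIFETIME = 28800    # 'crypto ipsec security-association lifetime seconds'

ISAKMP_RE = re.compile(r"^isakmp policy (\d+) (\S+) (.+)$")
GLOBAL_SA_RE = re.compile(r"^crypto ipsec security-association lifetime seconds (\d+)")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    peers: List[str] = field(default_factory=list)
    sa_lifetime: Optional[int] = None      # per-entry override, else the global value


@dataclass
class VpnConfig:
    isakmp_policies: Dict[int, Dict[str, str]] = field(default_factory=dict)
    ipsec_lifetime: int = DEFAULT_IPSEC_LIFETIME
    crypto_maps: Dict[Tuple[str, int], CryptoMapEntry] = field(default_factory=dict)


def parse_pix_config(text: str) -> VpnConfig:
    """Pull the lifetime-relevant lines out of a 'write terminal' dump."""
    cfg = VpnConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if m := ISAKMP_RE.match(line):
            num, attr, value = int(m.group(1)), m.group(2), m.group(3)
            policy = cfg.isakmp_policies.setdefault(num, {"lifetime": str(DEFAULT_ISAKMP_LIFETIME)})
            policy[attr] = value
        elif m := GLOBAL_SA_RE.match(line):
            cfg.ipsec_lifetime = int(m.group(1))
        elif m := MAP_RE.match(line):          # 'crypto map NAME SEQ ...' (skips '... interface outside')
            key = (m.group(1), int(m.group(2)))
            entry = cfg.crypto_maps.setdefault(key, CryptoMapEntry(*key))
            words = m.group(3).split()
            if words[:2] == ["set", "peer"]:
                entry.peers.append(words[2])
            elif words[:4] == ["set", "security-association", "lifetime", "seconds"]:
                entry.sa_lifetime = int(words[4])
    return cfg


def isakmp_lifetimes(cfg: VpnConfig) -> Dict[int, int]:
    return {n: int(p["lifetime"]) for n, p in cfg.isakmp_policies.items()}


def ipsec_lifetime_for_peer(cfg: VpnConfig, peer: str) -> Optional[int]:
    """Effective phase-2 lifetime of the crypto map entry naming peer, or None if absent."""
    for entry in cfg.crypto_maps.values():
        if peer in entry.peers:
            return entry.sa_lifetime if entry.sa_lifetime is not None else cfg.ipsec_lifetime
    return None


def compare_lifetimes(local: VpnConfig, remote: VpnConfig,
                      local_ip: str, remote_ip: str) -> List[str]:
    """List the lifetime differences between the two ends of one tunnel."""
    findings: List[str] = []
    l_p1, r_p1 = set(isakmp_lifetimes(local).values()), set(isakmp_lifetimes(remote).values())
    if not l_p1 & r_p1:
        findings.append(f"no common ISAKMP lifetime: local {sorted(l_p1)} vs remote {sorted(r_p1)}")
    l_p2, r_p2 = ipsec_lifetime_for_peer(local, remote_ip), ipsec_lifetime_for_peer(remote, local_ip)
    if l_p2 != r_p2:                       # None means the peer is not in any crypto map entry
        findings.append(f"IPsec SA lifetime differs: local {l_p2}s vs remote {r_p2}s")
    return findings


# Local side: excerpt of the crypto map and isakmp policy lines from Kindy's posted config.
LOCAL_CFG = """\
crypto map toX 20 match address acl_vpn
crypto map toX 20 set peer 196.200.82.35
crypto map toX 30 match address acl_blgo
crypto map toX 30 set peer 194.78.211.130
crypto map toX interface outside
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
isakmp policy 19 group 2
isakmp policy 19 lifetime 86400
"""
# Remote side: constructed for this example (not a real peer config), with
# lifetimes that deliberately differ from the local side.
REMOTE_CFG = """\
crypto ipsec security-association lifetime seconds 3600
crypto map tobenin 10 match address acl_benin
crypto map tobenin 10 set peer 81.91.235.147
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
"""

if __name__ == "__main__":
    local, remote = parse_pix_config(LOCAL_CFG), parse_pix_config(REMOTE_CFG)
    for finding in compare_lifetimes(local, remote, "81.91.235.147", "194.78.211.130") or ["no lifetime differences"]:
        print(finding)
```

Feed it 'write terminal' output from both ends (with the isakmp keys already masked, as in the post) and it prints one line per difference; an empty result for both phases removes the lifetime theory and points the investigation at the log around the 5 to 6 hour mark instead.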


