[VPN] Re: Pix doesn't respond after a while

Kindy Sylla kindy_s at yahoo.fr
Fri May 12 11:12:44 EDT 2006


I enabled the logging and I can see incoming ICMP frames coming from the remote VPN on the console. This helps a lot, thanks!
  However, I have a problem configuring the syslog server. I am getting this error:
  syslogd: restarted.
Debugging disabled, SIGUSR1 to turn on debugging.
 Any idea???
  Cheers,
   
  Kindy
  
Meidinger Chris <chris.meidinger at badenIT.de> wrote:
  This is the logging conf on an ASA5520 cluster of mine:

logging enable
logging timestamp
logging standby
logging asdm-buffer-size 300
logging console critical
logging buffered informational
logging flash-bufferwrap
logging flash-minimum-free 6152
logging flash-maximum-allocation 10240

To get persistent logs, send them to a syslog server or FTP. At a conf prompt, do "help logging" for the syntax.

Cheers,

Chris

> -----Original Message-----
> From: vpn-bounces+chris.meidinger=badenit.de at lists.shmoo.com 
> [mailto:vpn-bounces+chris.meidinger=badenit.de at lists.shmoo.com
> ] On Behalf Of Kindy Sylla
> Sent: Wednesday, May 10, 2006 5:25 PM
> To: Meidinger Chris; vpn at lists.shmoo.com
> Subject: [VPN] Re: Pix doesn't respond after a while
> 
> Can you please tell me how to get the information you are 
> requesting? Especially how to get the log from the PIX.
> 
> Thanks! 
> Meidinger Chris wrote:
> 
> 
> Is a lot of data traversing the tunnel? Maybe there is 
> a size limit on one side?
> 
> Can you post a log from the PIX while ping is 
> not working?
> 
> also, can you get a log from the remote peer at that same time?
> 
> Chris
> 
> -----Original Message-----
> From: Kindy Sylla [mailto:kindy_s at yahoo.fr]
> Sent: Wed 10-May-06 12:14
> To: Meidinger Chris; vpn at lists.shmoo.com
> Subject: RE: [VPN] Pix doesn't respond after a while
> 
> Hi Chris,
> 
> Thanks for the suggestion.
> 
> I verified, and the other side has the same lifetime value.
> 
> Any other idea? Any help would be great!!!
> 
> Kindy
> 
> Meidinger Chris wrote:
> Hi Kindy,
> 
> It sounds like the tunnel lifetimes are not the same.
> 
> You have 'isakmp policy 9 lifetime 86400' which means 
> that the tunnel will be torn down and renegotiated after 
> 86400 seconds. Does the other side have the same lifetime? If 
> not, the peer gateway won't be ready to reneg the tunnel and 
> will (probably) spit out a Bad SPI log message for each of 
> your side's negotiation attempts.
> 
> That's definitely the first thing to check!
> 
> HTH,
> 
> Chris
> 
> -----Original Message-----
> From: 
> vpn-bounces+chris.meidinger=badenit.de at lists.shmoo.com on 
> behalf of Kindy Sylla
> Sent: Tue 09-May-06 10:55
> To: vpn at lists.shmoo.com
> Subject: [VPN] Pix doesn't respond after a while
> 
> Hi,
> 
> I am having a strange behaviour with a Cisco PIX 
> Firewall Version 6.3(5). The configuration is done, the VPNs 
> are created between the 2 different sites. The problem is that 
> after 5 to 6 hours of running, the ping to the remote hosts 
> doesn't go through. When I try to ping a remote host, I see 
> the following lines in the debug icmp trace:
> 
> -request from inside:10.102.158.152 to 10.5.113.142 
> ID=512 seq=5376 length=40
> 44: ICMP echo-request: translating 
> inside:10.102.158.152 to outside:10.102.158.152
> 45: ICMP echo-request from inside:10.102.158.152 to 
> 10.5.113.142 ID=512 seq=5632 length=40
> 46: ICMP echo-request: translating 
> inside:10.102.158.152 to outside:10.102.158.152
> 
> And when a remote host tries to ping a local machine, I 
> can see the request coming in without any reply.
> 
> To get ping working, we have to reload it.
> 
> Do you have any idea?
> 
> Please find below my config file:
> PIX Version 6.3(5)
> interface ethernet0 auto
> interface ethernet1 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password N7FecZuSHJlVZC2P encrypted
> passwd N7FecZuSHJlVZC2P encrypted
> hostname pixbenin
> domain-name boabenin.bj
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> access-list acl_vpn permit icmp 10.102.156.0 
> 255.255.252.0 192.168.0.0 255.255.255.0
> access-list acl_vpn permit ip 10.102.156.0 
> 255.255.252.0 192.168.0.0 255.255.255.0
> access-list acl_blgo permit icmp 10.102.156.0 
> 255.255.252.0 10.5.113.128 255.255.255.224
> access-list acl_blgo permit ip 10.102.156.0 
> 255.255.252.0 10.5.113.128 255.255.255.224
> access-list acl_blgo permit icmp 10.102.156.0 
> 255.255.252.0 10.102.128.0 255.255.254.0
> access-list acl_blgo permit ip 10.102.156.0 
> 255.255.252.0 10.102.128.0 255.255.254.0
> access-list acl_blgo permit icmp 10.102.156.0 
> 255.255.252.0 10.102.130.0 255.255.255.128
> access-list acl_blgo permit ip 10.102.156.0 
> 255.255.252.0 10.102.130.0 255.255.255.128
> pager lines 24
> mtu outside 500
> mtu inside 1500
> ip address outside 81.91.235.147 255.255.255.192
> ip address inside 10.102.155.135 255.255.255.128
> ip audit info action alarm
> ip audit attack action alarm
> pdm history enable
> arp timeout 14400
> nat (inside) 0 10.102.156.0 255.255.252.0 0 0
> route outside 0.0.0.0 0.0.0.0 81.91.235.129 1
> route inside 10.102.156.0 255.255.252.0 10.102.155.129 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 
> rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout sip-disconnect 0:02:00 sip-invite 0:03:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server LOCAL protocol local
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> crypto ipsec transform-set strong esp-3des esp-sha-hmac
> crypto dynamic-map dynmap 30 set transform-set strong
> crypto map toX 20 ipsec-isakmp
> crypto map toX 20 match address acl_vpn
> crypto map toX 20 set peer 196.200.82.35
> crypto map toX 20 set transform-set strong
> crypto map toX 30 ipsec-isakmp
> crypto map toX 30 match address acl_blgo
> crypto map toX 30 set peer 194.78.211.130
> crypto map toX 30 set transform-set strong
> crypto map toX 9990 ipsec-isakmp dynamic dynmap
> crypto map toX interface outside
> isakmp enable outside
> isakmp key ******** address 196.200.82.35 netmask 
> 255.255.255.255
> isakmp key ******** address 194.78.211.130 netmask 
> 255.255.255.255
> isakmp identity address
> isakmp policy 9 authentication pre-share
> isakmp policy 9 encryption 3des
> isakmp policy 9 hash sha
> isakmp policy 9 group 1
> isakmp policy 9 lifetime 86400
> isakmp policy 19 authentication pre-share
> isakmp policy 19 encryption 3des
> isakmp policy 19 hash sha
> isakmp policy 19 group 2
> isakmp policy 19 lifetime 86400
> telnet timeout 5
> ssh 194.7.174.162 255.255.255.255 outside
> ssh 194.7.174.163 255.255.255.255 outside
> ssh 10.102.156.0 255.255.252.0 inside
> ssh 10.102.155.0 255.255.255.0 inside
> ssh timeout 5
> console timeout 0
> terminal width 80
> Cryptochecksum:7458b1b938134f7d52ed82d4e2003210
> 
> Regards,
> 
> Kindy
> 
_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn
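Chris's first suggestion in the thread (compare the isakmp policy lifetimes on both peers) is easy to get wrong by eye when each side has several policies. The script below is an added example, not code from the thread or from any Cisco tool: it parses the "isakmp policy N ..." lines out of PIX-style config text, pairs each local policy with the peer policies that agree on authentication, encryption, hash and DH group, and reports any pair whose lifetimes differ. The local excerpt is taken from the config Kindy posted; the peer config is constructed for the example and is not the real remote side. The fallback lifetime of 86400 seconds for a policy that sets none is an assumption based on the PIX 6.x default.

```python
import re

# Excerpt of the PIX 6.3(5) isakmp policies posted in the thread.
LOCAL_CONFIG = """
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
isakmp policy 19 authentication pre-share
isakmp policy 19 encryption 3des
isakmp policy 19 hash sha
isakmp policy 19 group 2
isakmp policy 19 lifetime 86400
"""

# Constructed, hypothetical peer config (NOT the real remote gateway).
# Policy 10 agrees with local policy 9 on everything except lifetime;
# policy 20 agrees with local policy 19 completely.
PEER_CONFIG = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

POLICY_RE = re.compile(
    r"^isakmp policy (\d+) (authentication|encryption|hash|group|lifetime) (\S+)$"
)
# Attributes that must agree for two IKE policies to be considered a match.
MATCH_KEYS = ("authentication", "encryption", "hash", "group")
DEFAULT_LIFETIME = "86400"  # assumed PIX 6.x default when no lifetime is set


def parse_isakmp_policies(config_text):
    """Return {policy_number: {attribute: value}} from 'isakmp policy N ...' lines.

    Leading '>' quote markers are stripped so text pasted from a mail
    reply (as in this thread) parses the same as a clean 'show run'.
    """
    policies = {}
    for raw in config_text.splitlines():
        line = raw.strip().lstrip("> ").strip()
        m = POLICY_RE.match(line)
        if m:
            num, attr, value = m.groups()
            policies.setdefault(int(num), {})[attr] = value
    return policies


def _compatible(a, b):
    return all(a.get(k) == b.get(k) for k in MATCH_KEYS)


def lifetime_mismatches(local_text, peer_text):
    """List (local_policy, peer_policy, local_lifetime, peer_lifetime) for
    policy pairs that agree on auth/encryption/hash/group but differ in lifetime."""
    local = parse_isakmp_policies(local_text)
    peer = parse_isakmp_policies(peer_text)
    found = []
    for ln, lp in sorted(local.items()):
        for pn, pp in sorted(peer.items()):
            if not _compatible(lp, pp):
                continue
            l_life = lp.get("lifetime", DEFAULT_LIFETIME)
            p_life = pp.get("lifetime", DEFAULT_LIFETIME)
            if l_life != p_life:
                found.append((ln, pn, l_life, p_life))
    return found


def unmatched_policies(local_text, peer_text):
    """Local policy numbers that no peer policy matches on auth/encryption/hash/group."""
    local = parse_isakmp_policies(local_text)
    peer = parse_isakmp_policies(peer_text)
    return [ln for ln, lp in sorted(local.items())
            if not any(_compatible(lp, pp) for pp in peer.values())]


if __name__ == "__main__":
    for ln, pn, l_life, p_life in lifetime_mismatches(LOCAL_CONFIG, PEER_CONFIG):
        print(f"local policy {ln} / peer policy {pn}: lifetime {l_life} vs {p_life}")
    for ln in unmatched_policies(LOCAL_CONFIG, PEER_CONFIG):
        print(f"local policy {ln}: no compatible peer policy")
```

Run it against the two config texts (or replace them with "show run" output from both gateways) and it prints one line per mismatched pair; with the constructed peer above it reports local policy 9 against peer policy 10 (86400 vs 28800), which is exactly the kind of difference Chris asked Kindy to rule out.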