<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7226.0">
<TITLE>RE: [VPN] Pix doesn't respond after a while</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>Hi Kindy,<BR>
<BR>
It sounds like the tunnel lifetimes are not the same.<BR>
<BR>
You have 'isakmp policy 9 lifetime 86400' which means that the tunnel will be torn down and renegotiated after 86400 seconds. Does the other side have the same lifetime? If not, the peer gateway won't be ready to reneg the tunnel and will (probably) spit out a Bad SPI log message for each of your side's negotiation attempts.<BR>
<BR>
That's definately the first thing to check!<BR>
<BR>
HTH,<BR>
<BR>
Chris<BR>
<BR>
-----Original Message-----<BR>
From: vpn-bounces+chris.meidinger=badenit.de@lists.shmoo.com on behalf of Kindy Sylla<BR>
Sent: Tue 09-May-06 10:55<BR>
To: vpn@lists.shmoo.com<BR>
Subject: [VPN] Pix doesn't respond after a while<BR>
<BR>
Hi,<BR>
<BR>
I am having a strange behaviour with a Cisco PIX Firewall Version 6.3(5). The configuration is done , the VPN are created between the 2 differents sites. The problème is after 5 to 6 hours of running, the ping to the remote hosts doesn't go through. When i try to ping a remote host, I see the followings line in the debug icmp trace:<BR>
<BR>
-request from inside:10.102.158.152 to 10.5.113.142 ID=512 seq=5376 length=40<BR>
44: ICMP echo-request: translating inside:10.102.158.152 to outside:10.102.158.152<BR>
45: ICMP echo-request from inside:10.102.158.152 to 10.5.113.142 ID=512 seq=5632 length=40<BR>
46: ICMP echo-request: translating inside:10.102.158.152 to outside:10.102.158.152<BR>
<BR>
And When remote host try to ping a local machine, i can see the request coming without any reply.<BR>
<BR>
To get the ping work , we have to reload it.<BR>
<BR>
Do you have any idea? <BR>
<BR>
Please find below my config file :<BR>
PIX Version 6.3(5)<BR>
interface ethernet0 auto<BR>
interface ethernet1 auto<BR>
nameif ethernet0 outside security0<BR>
nameif ethernet1 inside security100<BR>
enable password N7FecZuSHJlVZC2P encrypted<BR>
passwd N7FecZuSHJlVZC2P encrypted<BR>
hostname pixbenin<BR>
domain-name boabenin.bj<BR>
fixup protocol dns maximum-length 512<BR>
fixup protocol ftp 21<BR>
fixup protocol h323 h225 1720<BR>
fixup protocol h323 ras 1718-1719<BR>
fixup protocol http 80<BR>
fixup protocol rsh 514<BR>
fixup protocol rtsp 554<BR>
fixup protocol sip 5060<BR>
fixup protocol sip udp 5060<BR>
fixup protocol skinny 2000<BR>
fixup protocol smtp 25<BR>
fixup protocol sqlnet 1521<BR>
fixup protocol http 80<BR>
fixup protocol rsh 514<BR>
fixup protocol rtsp 554<BR>
fixup protocol sip 5060<BR>
fixup protocol sip udp 5060<BR>
fixup protocol skinny 2000<BR>
fixup protocol smtp 25<BR>
fixup protocol sqlnet 1521<BR>
fixup protocol tftp 69<BR>
names<BR>
access-list acl_vpn permit icmp 10.102.156.0 255.255.252.0 192.168.0.0 255.255.255.0<BR>
access-list acl_vpn permit ip 10.102.156.0 255.255.252.0 192.168.0.0 255.255.255.0<BR>
access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.5.113.128 255.255.255.224<BR>
access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.5.113.128 255.255.255.224<BR>
access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.102.128.0 255.255.254.0<BR>
access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.102.128.0 255.255.254.0<BR>
access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.102.130.0 255.255.255.128<BR>
access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.102.130.0 255.255.255.128<BR>
pager lines 24<BR>
mtu outside 500<BR>
mtu inside 1500<BR>
ip address outside 81.91.235.147 255.255.255.192<BR>
ip address inside 10.102.155.135 255.255.255.128<BR>
ip audit info action alarm<BR>
ip audit attack action alarm<BR>
pdm history enable<BR>
arp timeout 14400<BR>
nat (inside) 0 10.102.156.0 255.255.252.0 0 0<BR>
route outside 0.0.0.0 0.0.0.0 81.91.235.129 1<BR>
route inside 10.102.156.0 255.255.252.0 10.102.155.129 1<BR>
timeout xlate 3:00:00<BR>
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00<BR>
ip audit attack action alarm<BR>
pdm history enable<BR>
arp timeout 14400<BR>
nat (inside) 0 10.102.156.0 255.255.252.0 0 0<BR>
route outside 0.0.0.0 0.0.0.0 81.91.235.129 1<BR>
route inside 10.102.156.0 255.255.252.0 10.102.155.129 1<BR>
timeout xlate 3:00:00<BR>
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00<BR>
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00<BR>
timeout sip-disconnect 0:02:00 sip-invite 0:03:00<BR>
timeout uauth 0:05:00 absolute<BR>
aaa-server TACACS+ protocol tacacs+<BR>
aaa-server TACACS+ max-failed-attempts 3<BR>
aaa-server TACACS+ deadtime 10<BR>
aaa-server RADIUS protocol radius<BR>
aaa-server RADIUS max-failed-attempts 3<BR>
aaa-server RADIUS deadtime 10<BR>
aaa-server LOCAL protocol local<BR>
no snmp-server location<BR>
no snmp-server contact<BR>
snmp-server community public<BR>
no snmp-server enable traps<BR>
floodguard enable<BR>
sysopt connection permit-ipsec<BR>
crypto ipsec transform-set strong esp-3des esp-sha-hmac<BR>
crypto dynamic-map dynmap 30 set transform-set strong<BR>
crypto map toX 20 ipsec-isakmp<BR>
crypto map toX 20 match address acl_vpn<BR>
crypto map toX 20 set peer 196.200.82.35<BR>
crypto map toX 20 set transform-set strong<BR>
crypto map toX 30 ipsec-isakmp<BR>
crypto map toX 30 match address acl_blgo<BR>
crypto ipsec transform-set strong esp-3des esp-sha-hmac<BR>
crypto dynamic-map dynmap 30 set transform-set strong<BR>
crypto map toX 20 ipsec-isakmp<BR>
crypto map toX 20 match address acl_vpn<BR>
crypto map toX 20 set peer 196.200.82.35<BR>
crypto map toX 20 set transform-set strong<BR>
crypto map toX 30 ipsec-isakmp<BR>
crypto map toX 30 match address acl_blgo<BR>
crypto map toX 30 set peer 194.78.211.130<BR>
crypto map toX 30 set transform-set strong<BR>
crypto map toX 9990 ipsec-isakmp dynamic dynmap<BR>
crypto map toX interface outside<BR>
isakmp enable outside<BR>
isakmp key ******** address 196.200.82.35 netmask 255.255.255.255<BR>
isakmp key ******** address 194.78.211.130 netmask 255.255.255.255<BR>
isakmp identity address<BR>
isakmp policy 9 authentication pre-share<BR>
isakmp policy 9 encryption 3des<BR>
isakmp policy 9 hash sha<BR>
isakmp policy 9 group 1<BR>
isakmp policy 9 lifetime 86400<BR>
isakmp policy 19 authentication pre-share<BR>
isakmp policy 19 encryption 3des<BR>
isakmp policy 19 hash sha<BR>
isakmp policy 19 group 2<BR>
isakmp policy 19 lifetime 86400<BR>
telnet timeout 5<BR>
ssh 194.7.174.162 255.255.255.255 outside<BR>
ssh 194.7.174.163 255.255.255.255 outside<BR>
ssh 10.102.156.0 255.255.252.0 inside<BR>
ssh 10.102.155.0 255.255.255.0 inside<BR>
ssh timeout 5<BR>
console timeout 0<BR>
terminal width 80<BR>
Cryptochecksum:7458b1b938134f7d52ed82d4e2003210<BR>
<BR>
Regrds,<BR>
<BR>
Kindy<BR>
<BR>
<BR>
<BR>
---------------------------------<BR>
Faites de Yahoo! votre page d'accueil sur le web pour retrouver directement vos services préférés : vérifiez vos nouveaux mails, lancez vos recherches et suivez l'actualité en temps réel. Cliquez ici.<BR>
<BR>
</FONT>
</P>
</BODY>
</HTML>