<div><BR>I enabled logging and I can see incoming ICMP frames coming from the remote VPN on the console. This helps a lot, thanks! </div>
<div>However, I have a problem configuring the syslog server. I am getting this error:</div>
<div>syslogd: restarted.<BR>Debugging disabled, SIGUSR1 to turn on debugging.<BR> Any idea???</div>
<div>Cheers,</div>
<div> </div>
<div>Kindy</div>
<div><BR><B><I>Meidinger Chris <chris.meidinger@badenIT.de></I></B> wrote:</div>
<BLOCKQUOTE class=replbq style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid">this is the logging conf on an ASA5520 cluster of mine:<BR><BR>
logging enable<BR>
logging timestamp<BR>
logging standby<BR>
logging asdm-buffer-size 300<BR>
logging console critical<BR>
logging buffered informational<BR>
logging flash-bufferwrap<BR>
logging flash-minimum-free 6152<BR>
logging flash-maximum-allocation 10240<BR><BR>
to get persistent logs, send them to a syslog server or ftp. At a conf prompt do help logging for the syntax.<BR><BR>
Cheers,<BR><BR>
Chris<BR><BR>
> -----Original Message-----<BR>
> From: vpn-bounces+chris.meidinger=badenit.de@lists.shmoo.com [mailto:vpn-bounces+chris.meidinger=badenit.de@lists.shmoo.com] On Behalf Of Kindy Sylla<BR>
> Sent: Wednesday, May 10, 2006 5:25 PM<BR>
> To: Meidinger Chris; vpn@lists.shmoo.com<BR>
> Subject: [VPN] Re: Pix doesn't respond after a while<BR>
> <BR>
> Can you please tell me how to get the information you are requesting? Especially how to get the log from the PIX.<BR>
> <BR>
> Thanks! <BR>
> Meidinger Chris <CHRIS.MEIDINGER@BADENIT.DE> wrote:<BR>
> <BR>
> <BR>
> Is a lot of data traversing the tunnel? Maybe there is a size limit on one side?<BR>
> <BR>
> Can you post a log from the pix while ping is not working?<BR>
> <BR>
> Also, can you get a log from the remote peer at that same time?<BR>
> <BR>
> Chris<BR>
> <BR>
> -----Original Message-----<BR>
> From: Kindy Sylla [mailto:kindy_s@yahoo.fr]<BR>
> Sent: Wed 10-May-06 12:14<BR>
> To: Meidinger Chris; vpn@lists.shmoo.com<BR>
> Subject: RE: [VPN] Pix doesn't respond after a while<BR>
> <BR>
> Hi Chris,<BR>
> <BR>
> Thanks for the suggestion.<BR>
> <BR>
> I verified and the other side has the same lifetime value.<BR>
> <BR>
> Any other idea? Any help would be great!!!<BR>
> <BR>
> Kindy<BR>
> <BR>
> Meidinger Chris <CHRIS.MEIDINGER@BADENIT.DE> wrote:<BR>
> Hi Kindy,<BR>
> <BR>
> It sounds like the tunnel lifetimes are not the same.<BR>
> <BR>
> You have 'isakmp policy 9 lifetime 86400' which means that the tunnel will be torn down and renegotiated after 86400 seconds. Does the other side have the same lifetime? If not, the peer gateway won't be ready to reneg the tunnel and will (probably) spit out a Bad SPI log message for each of your side's negotiation attempts.<BR>
> <BR>
> That's definitely the first thing to check!<BR>
> <BR>
> HTH,<BR>
> <BR>
> Chris<BR>
> <BR>
> -----Original Message-----<BR>
> From: vpn-bounces+chris.meidinger=badenit.de@lists.shmoo.com on behalf of Kindy Sylla<BR>
> Sent: Tue 09-May-06 10:55<BR>
> To: vpn@lists.shmoo.com<BR>
> Subject: [VPN] Pix doesn't respond after a while<BR>
> <BR>
> Hi,<BR>
> <BR>
> I am having a strange behaviour with a Cisco PIX Firewall Version 6.3(5). The configuration is done, the VPNs are created between the 2 different sites. The problem is that after 5 to 6 hours of running, the ping to the remote hosts doesn't go through. When I try to ping a remote host, I see the following lines in the debug icmp trace:<BR>
> <BR>
> -request from inside:10.102.158.152 to 10.5.113.142 ID=512 seq=5376 length=40<BR>
> 44: ICMP echo-request: translating inside:10.102.158.152 to outside:10.102.158.152<BR>
> 45: ICMP echo-request from inside:10.102.158.152 to 10.5.113.142 ID=512 seq=5632 length=40<BR>
> 46: ICMP echo-request: translating inside:10.102.158.152 to outside:10.102.158.152<BR>
> <BR>
> And when the remote host tries to ping a local machine, I can see the request coming in without any reply.<BR>
> <BR>
> To get the ping to work, we have to reload it.<BR>
> <BR>
> Do you have any idea?<BR>
> <BR>
> Please find my config file below:<BR>
> PIX Version 6.3(5)<BR>
> interface ethernet0 auto<BR>
> interface ethernet1 auto<BR>
> nameif ethernet0 outside security0<BR>
> nameif ethernet1 inside security100<BR>
> enable password N7FecZuSHJlVZC2P encrypted<BR>
> passwd N7FecZuSHJlVZC2P encrypted<BR>
> hostname pixbenin<BR>
> domain-name boabenin.bj<BR>
> fixup protocol dns maximum-length 512<BR>
> fixup protocol ftp 21<BR>
> fixup protocol h323 h225 1720<BR>
> fixup protocol h323 ras 1718-1719<BR>
> fixup protocol http 80<BR>
> fixup protocol rsh 514<BR>
> fixup protocol rtsp 554<BR>
> fixup protocol sip 5060<BR>
> fixup protocol sip udp 5060<BR>
> fixup protocol skinny 2000<BR>
> fixup protocol smtp 25<BR>
> fixup protocol sqlnet 1521<BR>
> fixup protocol tftp 69<BR>
> names<BR>
> access-list acl_vpn permit icmp 10.102.156.0 255.255.252.0 192.168.0.0 255.255.255.0<BR>
> access-list acl_vpn permit ip 10.102.156.0 255.255.252.0 192.168.0.0 255.255.255.0<BR>
> access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.5.113.128 255.255.255.224<BR>
> access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.5.113.128 255.255.255.224<BR>
> access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.102.128.0 255.255.254.0<BR>
> access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.102.128.0 255.255.254.0<BR>
> access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.102.130.0 255.255.255.128<BR>
> access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.102.130.0 255.255.255.128<BR>
> pager lines 24<BR>
> mtu outside 500<BR>
> mtu inside 1500<BR>
> ip address outside 81.91.235.147 255.255.255.192<BR>
> ip address inside 10.102.155.135 255.255.255.128<BR>
> ip audit info action alarm<BR>
> ip audit attack action alarm<BR>
> pdm history enable<BR>
> arp timeout 14400<BR>
> nat (inside) 0 10.102.156.0 255.255.252.0 0 0<BR>
> route outside 0.0.0.0 0.0.0.0 81.91.235.129 1<BR>
> route inside 10.102.156.0 255.255.252.0 10.102.155.129 1<BR>
> timeout xlate 3:00:00<BR>
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00<BR>
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00<BR>
> timeout sip-disconnect 0:02:00 sip-invite 0:03:00<BR>
> timeout uauth 0:05:00 absolute<BR>
> aaa-server TACACS+ protocol tacacs+<BR>
> aaa-server TACACS+ max-failed-attempts 3<BR>
> aaa-server TACACS+ deadtime 10<BR>
> aaa-server RADIUS protocol radius<BR>
> aaa-server RADIUS max-failed-attempts 3<BR>
> aaa-server RADIUS deadtime 10<BR>
> aaa-server LOCAL protocol local<BR>
> no snmp-server location<BR>
> no snmp-server contact<BR>
> snmp-server community public<BR>
> no snmp-server enable traps<BR>
> floodguard enable<BR>
> sysopt connection permit-ipsec<BR>
> crypto ipsec transform-set strong esp-3des esp-sha-hmac<BR>
> crypto dynamic-map dynmap 30 set transform-set strong<BR>
> crypto map toX 20 ipsec-isakmp<BR>
> crypto map toX 20 match address acl_vpn<BR>
> crypto map toX 20 set peer 196.200.82.35<BR>
> crypto map toX 20 set transform-set strong<BR>
> crypto map toX 30 ipsec-isakmp<BR>
> crypto map toX 30 match address acl_blgo<BR>
> crypto map toX 30 set peer 194.78.211.130<BR>
> crypto map toX 30 set transform-set strong<BR>
> crypto map toX 9990 ipsec-isakmp dynamic dynmap<BR>
> crypto map toX interface outside<BR>
> isakmp enable outside<BR>
> isakmp key ******** address 196.200.82.35 netmask 255.255.255.255<BR>
> isakmp key ******** address 194.78.211.130 netmask 255.255.255.255<BR>
> isakmp identity address<BR>
> isakmp policy 9 authentication pre-share<BR>
> isakmp policy 9 encryption 3des<BR>
> isakmp policy 9 hash sha<BR>
> isakmp policy 9 group 1<BR>
> isakmp policy 9 lifetime 86400<BR>
> isakmp policy 19 authentication pre-share<BR>
> isakmp policy 19 encryption 3des<BR>
> isakmp policy 19 hash sha<BR>
> isakmp policy 19 group 2<BR>
> isakmp policy 19 lifetime 86400<BR>
> telnet timeout 5<BR>
> ssh 194.7.174.162 255.255.255.255 outside<BR>
> ssh 194.7.174.163 255.255.255.255 outside<BR>
> ssh 10.102.156.0 255.255.252.0 inside<BR>
> ssh 10.102.155.0 255.255.255.0 inside<BR>
> ssh timeout 5<BR>
> console timeout 0<BR>
> terminal width 80<BR>
> Cryptochecksum:7458b1b938134f7d52ed82d4e2003210<BR>
> <BR>
> Regards,<BR>
> <BR>
> Kindy<BR>
> <BR>
_______________________________________________<BR>
VPN mailing list<BR>
VPN@lists.shmoo.com<BR>
http://lists.shmoo.com/mailman/listinfo/vpn<BR></BLOCKQUOTE><BR><p>
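Chris's first suggestion in the thread, checking that both peers agree on the ISAKMP policy lifetime, can be done mechanically over the two running configs. The Python below is an added example, not code from the thread: the local policies are the `isakmp policy` lines from Kindy's config, while the remote peer's policies are constructed for illustration (one shorter lifetime, one proposal missing).

```python
import re

# Constructed sample; the local side reuses the 'isakmp policy' lines quoted in the thread.
LOCAL_CONFIG = """
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
isakmp policy 19 authentication pre-share
isakmp policy 19 encryption 3des
isakmp policy 19 hash sha
isakmp policy 19 group 2
isakmp policy 19 lifetime 86400
"""
# Constructed remote peer: its group 1 proposal expires sooner, and it has no group 2 proposal.
REMOTE_CONFIG = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
"""
POLICY_RE = re.compile(r"^\s*isakmp policy (\d+) (\S+) (.+?)\s*$")
MATCH_KEYS = ("authentication", "encryption", "hash", "group")

def parse_isakmp_policies(config_text):
    """Return {priority: {attribute: value}} for every 'isakmp policy' line."""
    policies = {}
    for line in config_text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            prio, attr, value = m.groups()
            policies.setdefault(int(prio), {})[attr] = value
    return policies

def compare_lifetimes(local_text, remote_text):
    """Pair each local policy with the remote proposal sharing its crypto parameters;
    return (local_prio, remote_prio, local_lifetime, remote_lifetime), None if unmatched."""
    local = parse_isakmp_policies(local_text)
    remote = parse_isakmp_policies(remote_text)
    findings = []
    for lprio, lpol in sorted(local.items()):
        match = next((rprio for rprio, rpol in sorted(remote.items())
                      if all(rpol.get(k) == lpol.get(k) for k in MATCH_KEYS)), None)
        rlife = remote[match].get("lifetime") if match is not None else None
        findings.append((lprio, match, lpol.get("lifetime"), rlife))
    return findings

def lifetime_mismatches(local_text, remote_text):
    """Local policies whose peer counterpart is missing or disagrees on the lifetime."""
    return [f for f in compare_lifetimes(local_text, remote_text) if f[2] != f[3]]
```

Feed it the `show running-config` output captured from each side; an empty result from `lifetime_mismatches` means the lifetimes line up and the search for the tunnel drop can move on to the logs Chris asked for.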