Velocity Reviews - Computer Hardware Reviews

Cisco ASA, VPN and Veritas Netbackup

Bernd Nies
Hi folks,

Recently we migrated our VPN connection of two office locations from
"Sonicwall TZ170 <--> Cisco VPN3000" to a new "Cisco ASA5510 <-->
Cisco ASA5520" site to site tunnel. The IKE/IPsec tunnels have been up
for two weeks and the networks on both ends can reach each other.

On one location we have a Veritas Netbackup media server which is also
a backup client and on the other there is the master server. Since
that VPN migration we experience problems with backups that take long
(about one hour or longer). It appears that the firewall somehow kills
the TCP sessions. The backup client complains about broken networks,
socket errors and timeouts waiting for database connections. I
increased the default idle timeout on the ASA from 1 hour to 72 hours,
but with no success. Idle telnet sessions now stay open, but the
Netbackup stuff still has these network problems.

Any ideas what is causing the trouble? Here's the VPN config on both

timeout xlate 3:00:00
timeout conn 72:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

group-policy adnvpn internal
group-policy adnvpn attributes
vpn-simultaneous-logins 6
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec
ip-comp disable
re-xauth disable
group-lock none
pfs disable

crypto map outside_map 80 match address outside_80_cryptomap
crypto map outside_map 80 set pfs
crypto map outside_map 80 set connection-type answer-only
crypto map outside_map 80 set peer
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 80 set security-association lifetime seconds
crypto map outside_map 80 set security-association lifetime kilobytes

tunnel-group type ipsec-l2l
tunnel-group general-attributes
default-group-policy adnvpn

Thanks in advance.


Netghost
I have a similar setup, but I use the remote agents instead. These agents (also available for Unix) use port 10000. If you can't find a solution, maybe you can open port 10000 between your 2 devices and use the remote agents instead.