Cisco ASA, VPN and Veritas Netbackup

Discussion in 'Cisco' started by Bernd Nies, Mar 29, 2007.

  1. Bernd Nies

    Bernd Nies Guest

    Hi folks,

    Recently we migrated our VPN connection of two office locations from
    "Sonicwall TZ170 <--> Cisco VPN3000" to a new "Cisco ASA5510 <-->
    Cisco ASA5520" site to site tunnel. The IKE/IPsec tunnels have been up
    for two weeks and the networks on both ends can reach each other.

    On one location we have a Veritas Netbackup media server which is also
    a backup client and on the other there is the master server. Since
    that VPN migration we have been experiencing problems with backups that
    take long (about one hour or longer). It appears that the firewall
    somehow kills the TCP sessions. The backup client complains about
    broken networks, socket errors and timeouts waiting for database
    connections. I increased the default idle timeout on the ASA from
    1 hour to 72 hours but with no success. Idle telnet sessions now stay
    open but the Netbackup stuff still has these network problems.

    Any ideas what is causing the trouble? Here's the VPN config on both
    ASAs:


    ==CUT==
    timeout xlate 3:00:00
    timeout conn 72:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute

    group-policy adnvpn internal
    group-policy adnvpn attributes
    vpn-simultaneous-logins 6
    vpn-idle-timeout none
    vpn-session-timeout none
    vpn-tunnel-protocol IPSec l2tp-ipsec
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable

    crypto map outside_map 80 match address outside_80_cryptomap
    crypto map outside_map 80 set pfs
    crypto map outside_map 80 set connection-type answer-only
    crypto map outside_map 80 set peer 123.123.123.123
    crypto map outside_map 80 set transform-set ESP-3DES-SHA
    crypto map outside_map 80 set security-association lifetime seconds 86400
    crypto map outside_map 80 set security-association lifetime kilobytes 2147483647

    tunnel-group 123.123.123.123 type ipsec-l2l
    tunnel-group 123.123.123.123 general-attributes
    default-group-policy adnvpn
    ==CUT==


    Thanks in advance.

    Regards,
    Bernd
     
    Bernd Nies, Mar 29, 2007
    #1

  2. Bernd Nies

    Netghost

    Joined:
    Mar 21, 2007
    Messages:
    3
    I have a similar setup, but I use the remote agents instead. These agents (also available for Unix) use port 10000. If you can't find a solution, maybe you can open port 10000 between your 2 devices and use the remote agents instead.
     
    Netghost, Mar 29, 2007
    #2