PIX 501 and 506 losing VPN connection to remote site after timeout

Discussion in 'Cisco' started by Jay, Sep 5, 2006.

  1. Jay

    Jay Guest

    I have a PIX 501 at a remote site with two VPN connections back to the
    home office. After inactivity on the VPN both connections will
    time out. The problem is I cannot wake the connection from the home
    office side. If I have them initiate a ping back to the home office I
    can then talk to the remote network. Is there a way to stop the
    timeout or set up the VPN to wake when a connection to that network is
    attempted? Any help would be appreciated.

    Thanks
    Jay, Sep 5, 2006
    #1

  2. In article <>,
    Jay <> wrote:
    >I have a PIX 501 at a remote site with two VPN connections back to the
    >home office. After inactivity on the VPN both connections will
    >timeout. The problem is I cannot wake the connection from the home
    >office side.


    Do the 501s have dynamic IP addresses? Or, is the
    home office configured to expect them in via a crypto dynamic map?
    You cannot wake the tunnel from the home office unless they have a static
    IP as far as the home office is concerned.

    > If I have them initiate a ping back to the home office I
    >can then talk to the remote network. Is there a way to stop the
    >timeout or set up the VPN to wake when a connection to that network is
    >attempted? Any help would be appreciated.


    You can increase the lifetimes:

    isakmp policy POLICYNUMBER lifetime TIMEINSECONDS
    crypto ipsec security-association lifetime seconds TIMEINSECONDS

    However, if the connection were to drop for some reason, then this
    won't help recover the connection. In particular, if the connection
    drops because the hosts have dynamic IPs and the ISP changed the IP out
    from underneath them, then there isn't much you can do about it on the
    PIX. At times like that, it's useful to subscribe to dyndns.com.
    Walter Roberson, Sep 5, 2006
    #2

  3. Jay

    Jay Guest

    The client locations have static IPs.

    Here is what the home office config looks like.

    ....
    ....
    access-list NoNat permit ip 192.168.50.0 255.255.255.0 10.0.39.0 255.255.255.0
    access-list NoNat permit ip 192.168.50.0 255.255.255.0 10.0.40.0 255.255.255.0
    ....
    ....
    access-list Connect_HOSTNAME permit ip 192.168.50.0 255.255.255.0 10.0.39.0 255.255.255.0
    access-list Connect_HOSTNAME permit ip 192.168.50.0 255.255.255.0 10.0.40.0 255.255.255.0
    ....
    ....
    crypto map Main_Combined 39 ipsec-isakmp
    crypto map Main_Combined 39 match address Connect_HOSTNAME
    crypto map Main_Combined 39 set peer OUTSIDE STATIC IP
    crypto map Main_Combined 39 set transform-set ESP-AES-MD5
    crypto map Main_Combined 40 ipsec-isakmp
    crypto map Main_Combined 40 match address Connect_HOSTNAME
    crypto map Main_Combined 40 set peer OUTSIDE STATIC IP
    crypto map Main_Combined 40 set transform-set ESP-AES-MD5
    ....
    ....
    isakmp key ******** address OUTSIDE STATIC IP netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address OUTSIDE STATIC IP netmask 255.255.255.255 no-xauth no-config-mode
    ....
    ....


    Am I missing anything? I have configured a few other VPNs in the past
    month and seem to have the same problem with them until I redo the
    crypto map on the home office PIX. Is there an order that I need to be
    doing this in? Should I not configure the home office PIX until the
    remote PIX is installed?

    Thanks for your help.
    Jay, Sep 5, 2006
    #3
  4. In article <>,
    Jay <> wrote:

    >The client locations have static IPs.


    >Here is what the home office config looks like.


    >access-list NoNat permit ip 192.168.50.0 255.255.255.0 10.0.39.0 255.255.255.0
    >access-list NoNat permit ip 192.168.50.0 255.255.255.0 10.0.40.0 255.255.255.0


    That part is okay.

    >access-list Connect_HOSTNAME permit ip 192.168.50.0 255.255.255.0 10.0.39.0 255.255.255.0
    >access-list Connect_HOSTNAME permit ip 192.168.50.0 255.255.255.0 10.0.40.0 255.255.255.0


    Possibly you have just over-obscured, but you need that as two different
    ACLs:

    access-list Connect_HOST39 permit ip 192.168.50.0 255.255.255.0 10.0.39.0 255.255.255.0
    access-list Connect_HOST40 permit ip 192.168.50.0 255.255.255.0 10.0.40.0 255.255.255.0

    >crypto map Main_Combined 39 ipsec-isakmp
    >crypto map Main_Combined 39 match address Connect_HOSTNAME


    crypto map Main_Combined 39 match address Connect_HOST39

    >crypto map Main_Combined 39 set peer OUTSIDE STATIC IP


    crypto map Main_Combined 39 set peer HOST39STATICIP

    >crypto map Main_Combined 39 set transform-set ESP-AES-MD5
    >crypto map Main_Combined 40 ipsec-isakmp
    >crypto map Main_Combined 40 match address Connect_HOSTNAME


    crypto map Main_Combined 40 match address Connect_HOST40

    >crypto map Main_Combined 40 set peer OUTSIDE STATIC IP


    crypto map Main_Combined 40 set peer HOST40STATICIP

    >crypto map Main_Combined 40 set transform-set ESP-AES-MD5



    >Am I missing anything? I have configured a few other VPNs in the past
    >month and seem to have the same problem with them until I redo the
    >crypto map on the home office PIX. Is there an order that I need to be
    >doing this in? Should I not configure the home office PIX until the
    >remote PIX is installed?


    The default isakmp lifetime is relatively short, and effectively
    the shorter lifetime (of the home office or the remote system) is the
    one used.
    Walter Roberson, Sep 5, 2006
    #4
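    As an added example, not Jay's posted config and not something Walter wrote: the home-office side assembled the way the two replies above describe, with one crypto ACL and one peer per crypto map entry, and the two lifetime commands from reply #2 included. Peer addresses 203.0.113.39 and 203.0.113.40, the pre-shared key strings, ISAKMP policy number 10 and the lifetime values are placeholders; the ACL names follow Walter's suggestion. Syntax is PIX 6.3.

```cisco
! Home-office PIX 6.3: two spokes on one crypto map. Added example, not
! the original poster's configuration. Peers 203.0.113.39 / 203.0.113.40
! and the key strings are placeholders (RFC 5737 documentation space).

! NAT exemption: traffic to either spoke LAN bypasses the outside PAT.
access-list NoNat permit ip 192.168.50.0 255.255.255.0 10.0.39.0 255.255.255.0
access-list NoNat permit ip 192.168.50.0 255.255.255.0 10.0.40.0 255.255.255.0
nat (inside) 0 access-list NoNat

! One crypto ACL per spoke. Crypto map entries are evaluated in sequence
! order and the first match wins: if both entries pointed at one ACL that
! covered both LANs, entry 39 would take all the traffic and 10.0.40.0
! packets would be offered to the wrong peer, so entry 40 never comes up.
access-list Connect_HOST39 permit ip 192.168.50.0 255.255.255.0 10.0.39.0 255.255.255.0
access-list Connect_HOST40 permit ip 192.168.50.0 255.255.255.0 10.0.40.0 255.255.255.0

! Phase 2 proposal, named as in the thread. esp-md5-hmac is what the
! thread uses; esp-sha-hmac is the stronger choice if both ends support it.
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
! Phase 2 SA lifetime in seconds (value assumed, 8 hours).
crypto ipsec security-association lifetime seconds 28800

crypto map Main_Combined 39 ipsec-isakmp
crypto map Main_Combined 39 match address Connect_HOST39
crypto map Main_Combined 39 set peer 203.0.113.39
crypto map Main_Combined 39 set transform-set ESP-AES-MD5
crypto map Main_Combined 40 ipsec-isakmp
crypto map Main_Combined 40 match address Connect_HOST40
crypto map Main_Combined 40 set peer 203.0.113.40
crypto map Main_Combined 40 set transform-set ESP-AES-MD5
crypto map Main_Combined interface outside

! Phase 1. One pre-shared key per peer, host mask so each key is bound to
! exactly one address. no-xauth / no-config-mode keep these static peers
! from being treated like remote-access clients if xauth is also enabled.
isakmp enable outside
isakmp identity address
isakmp key PLACEHOLDER-KEY-39 address 203.0.113.39 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key PLACEHOLDER-KEY-40 address 203.0.113.40 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
! Phase 1 SA lifetime in seconds (value assumed, 24 hours).
isakmp policy 10 lifetime 86400

! Let decrypted tunnel traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
```

    With both peers static, either end can bring a tunnel up: the first packet from 192.168.50.0 toward 10.0.39.0 that matches Connect_HOST39 triggers IKE to 203.0.113.39, which is exactly the "wake from the home office" behaviour the original question asks for. Whichever side has the shorter lifetime configured effectively sets the rekey interval, so set the same values on the 501s. Check the result with `show crypto ipsec sa` (PIX 6.3 form) after sending traffic from the home-office LAN.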
  5. Jay

    Jay Guest

    Sorry, I did over-obscure that information; they are unique. I went back
    into the PDM, removed the old VPN settings and set them back up, and
    it works fine now. I would love to just leave it like that and call it
    a day; however, the powers that be want to keep a naming convention. Is
    there a way to change the outside_cryptomap_40 id in:

    access-list outside_cryptomap_40 permit ip 192.168.50.0 255.255.255.0 10.0.39.0 255.255.255.0

    And in the associated crypto map?

    I am not sure why, when I do it through the console or an SSH session, I
    am having this problem. Have you or anyone else run into this? Like I
    said, as soon as I redo the VPN I can reestablish the connection from
    the home office.
    Jay, Sep 5, 2006
    #5
  6. In article <>,
    Jay <> wrote:
    >Sorry I did over obscure that information they are unique. I went back
    >into the PDM and removed the old VPN settings and set them back up and
    >it works fine now.


    >I am not sure why, when I do it through the console or an SSH session, I
    >am having this problem.


    clear xlate
    clear crypto sa

    If you change the crypto match access lists then you need to
    clear the SA (security associations) or else it doesn't pick up
    the change.
    Walter Roberson, Sep 5, 2006
    #6
  7. In article <>,
    Jay <> wrote:
    >Is
    >there a way to change the outside_cryptomap_40 id in:


    >access-list outside_cryptomap_40 permit ip 192.168.50.0 255.255.255.0 10.0.39.0 255.255.255.0


    >And in the associated crypto map?


    There's a way to do it going through several changes of crypto maps
    (build new with new name B, activate new one B, remove old one A, build
    new one with old name A, activate old one A, remove new one B) but
    it's a pain. It's a lot easier if you can spare a few second downtime
    while you clear the old ACLs and crypto map and tftp in the versions that
    you really want.
    Walter Roberson, Sep 5, 2006
    #7
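    An added example of the swap Walter describes, not anything posted in the thread: renaming the PDM-generated crypto ACL for the 10.0.40.0 spoke on the home-office PIX 6.3 without touching the other spoke's entry, followed by the SA clearing from reply #6 so the new ACL is actually used. The new ACL name Site40_Traffic, the temporary sequence number 41 and the peer address 203.0.113.40 are placeholders; the old ACL is taken to cover the 10.0.40.0 network that entry 40 serves.

```cisco
! Rename the crypto ACL behind crypto map entry 40 on the home-office
! PIX 6.3 with no outage on entry 39. Added example, not from the thread.
! Site40_Traffic, sequence 41 and peer 203.0.113.40 are placeholders.

! 1. Build the ACL under the new name with the same entries as the old one.
access-list Site40_Traffic permit ip 192.168.50.0 255.255.255.0 10.0.40.0 255.255.255.0

! 2. Build a second crypto map entry (temporary sequence number) that
!    references the new ACL. Entry 39 is never touched, so the 10.0.39.0
!    tunnel keeps running throughout.
crypto map Main_Combined 41 ipsec-isakmp
crypto map Main_Combined 41 match address Site40_Traffic
crypto map Main_Combined 41 set peer 203.0.113.40
crypto map Main_Combined 41 set transform-set ESP-AES-MD5

! 3. Remove the old entry and the PDM-generated ACL it referenced.
!    10.0.40.0 traffic now matches entry 41 instead.
no crypto map Main_Combined 40
no access-list outside_cryptomap_40 permit ip 192.168.50.0 255.255.255.0 10.0.40.0 255.255.255.0

! 4. Only if the naming convention also requires sequence number 40:
!    rebuild it against the new ACL, then drop the temporary entry.
crypto map Main_Combined 40 ipsec-isakmp
crypto map Main_Combined 40 match address Site40_Traffic
crypto map Main_Combined 40 set peer 203.0.113.40
crypto map Main_Combined 40 set transform-set ESP-AES-MD5
no crypto map Main_Combined 41

! 5. SAs negotiated under the old entry stay in the SA database until
!    they expire or are cleared. Clear them so the next packet to
!    10.0.40.0 negotiates against the new entry. Command names are the
!    PIX 6.3 forms; the thread's shorter "clear crypto sa" is the same idea.
clear xlate
clear crypto ipsec sa
clear isakmp sa

! 6. Confirm the tunnel renegotiates under the new ACL, then save.
show crypto ipsec sa
show isakmp sa
write memory
```

    Step 5 is the part that the PDM did for Jay without him noticing: editing the crypto ACL or the crypto map entry from the CLI leaves the existing security associations in place, and the box keeps using them until they expire, which is why the tunnel only behaved after a full rebuild. The downtime alternative Walter mentions is to remove the old ACL and map entries, then merge the corrected config from a TFTP server with `configure net` (PIX 6.x) and clear the SAs once.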
  8. Jay

    Jay Guest

    And I assume that when I make the changes in the PDM it runs those
    commands?!?!

    If that is the case that explains it.

    Thank you very much!!! You have helped me out before on another issue
    I was having. I appreciate your patience. I am a newb with Cisco and
    it is nice to know there are people out there that are willing to lend
    a hand. Thank you again.
    Jay, Sep 5, 2006
    #8
