PIX 515e & Cisco VPN client. Split-tunnel limit of 50?

Discussion in 'Cisco' started by kelvin.hill@gmail.com, Feb 7, 2006.

  1. Guest

    Hi all,
    I am using a PIX 515e running 6.3(5) and windows/linux vpn clients
    4.7 and 4.8.

    I have a very simple requirement. I need to have a lot more
    split-tunnels defined than usual as I am dealing with a worldwide
    corporate internal network. Within this network, there are 400+
    discrete "internal" subnets which are being passed to the pix by OSPF.
    I need the clients to be able to get to all these internal networks but
    still have external internet access at the same time.

    I am NOT interested in the security implications of this but need a
    technical solution to the problem.

    I can define them in the PIX but only the first 50 are pushed to the
    vpn client.

    Does anyone have a solution for this?

    Thanks,
    K.
     
    , Feb 7, 2006
    #1

  2. J Guest

    Can you give us an example of the subnets in question? Frankly I'd
    summarize the routes. For example if all your internal routes were
    under 10.1.0.0/16 and 10.50.0.0/16 then I'd summarize the routes and
    hand 2 /16s to the VPN user. If your subnets are more spread out than
    that, then I'd venture to say that you have a serious IP
    organization problem and you need to clean up your IP addressing
    scheme.

    J
     
    J, Feb 8, 2006
    #2

  3. Guest

    I don't disagree. The IP allocation has been built up over many years
    across many countries, each with their own MIS teams. We have been
    Internet users almost before there was an Internet...

    However, we do have a problem as described in my first post and for now
    I have to work within that, hence the request for the expertise of
    those who populate this newsgroup.

    I have done route summarisation using a program I wrote to parse the
    routing tables. However, even with the most aggressive summarisation I
    can only reduce it to 117 route table entries. This obviously still
    leaves me with a problem when someone on the end of a VPN link informs
    me that they can't get to some little used server in Brazil for
    example.

    I can and have tried to do a "maximum hit rate" selection of routes to
    accommodate the majority of users but I need to try and handle 100% of
    my clients.

    Any geniuses out there?

    K.
     
    , Feb 8, 2006
    #3
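The route summarisation Kelvin describes, as an added example that is not part of the original thread: a lossless collapse of adjacent prefixes (Python's `ipaddress.collapse_addresses`), followed by a lossy pass that widens the single prefix whose supernet pulls the fewest unrelated addresses into the tunnel until the list fits an entry limit. The prefix list is constructed sample data, and the returned `extra` count is the address space the widened routes now send into the tunnel beyond what was actually internal.

```python
import ipaddress

# Constructed sample of "internal" prefixes (not from the thread).
SAMPLE = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24",
          "10.50.0.0/16", "192.168.8.0/24", "192.168.10.0/24"]


def collapse_exact(prefixes):
    """Lossless summarisation: merge only adjacent and overlapping prefixes."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))  # sorted, disjoint


def coverage(nets):
    """Addresses covered by a disjoint (already collapsed) list of networks."""
    return sum(n.num_addresses for n in nets)


def summarise_to_limit(prefixes, limit):
    """Lossy supernetting to fit an entry limit (e.g. the 50-route cap the
    clients show). Each step widens the one prefix whose supernet adds the
    fewest addresses that were not in the original set, then re-collapses.
    Returns (networks, extra) where extra is the number of addresses the
    result covers that the original prefixes did not (IPv4-only input)."""
    nets = collapse_exact(prefixes)
    base = coverage(nets)
    while len(nets) > limit:
        best = None
        for n in nets:
            if n.prefixlen == 0:          # cannot widen 0.0.0.0/0 further
                continue
            sup = n.supernet()
            trial = list(ipaddress.collapse_addresses(
                sup if m.subnet_of(sup) else m for m in nets))
            # Rank by added coverage; ties broken by address for determinism.
            key = (coverage(trial), int(sup.network_address), sup.prefixlen)
            if best is None or key < best[0]:
                best = (key, trial)
        if best is None:
            break
        nets = best[1]
    return nets, coverage(nets) - base


if __name__ == "__main__":
    exact = collapse_exact(SAMPLE)
    print(len(exact), "entries after lossless collapse:", exact)
    nets, extra = summarise_to_limit(SAMPLE, 3)
    print(len(nets), "entries after widening:", nets, "extra addresses:", extra)
```

Every widening step is a trade: fewer ACL entries for more traffic that gets tunnelled instead of going direct, so the `extra` figure is worth reviewing before the summarised list is pushed to clients.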
  4. wrote:
    > I don't disagree. The IP allocation has been built up over many years
    > across many countries, each with their own MIS teams. We have been
    > Internet users almost before there was an Internet...
    >
    > However, we do have a problem as described in my first post and for now
    > I have to work within that, hence the request for the expertise of
    > those who populate this newsgroup.
    >
    > I have done route summarisation using a program I wrote to parse the
    > routing tables. However, even with the most aggressive summarisation I
    > can only reduce it to 117 route table entries. This obviously still
    > leaves me with a problem when someone on the end of a VPN link informs
    > me that they can't get to some little used server in Brazil for
    > example.
    >
    > I can and have tried to do a "maximum hit rate" selection of routes to
    > accommodate the majority of users but I need to try and handle 100% of
    > my clients.
    >
    > Any geniuses out there?
    >
    > K.
    >

    Anyone?
    K.
     
    Kelvin J. Hill, Feb 12, 2006
    #4
  5. Merv Guest

    What does the output of "vpnclient stat route" on one of the Linux
    boxes show?
     
    Merv, Feb 13, 2006
    #5
  6. Merv wrote:
    >
    > What does the output of "vpnclient stat route" on one of the Linux
    > boxes show?
    >

    50 route entries. All the excess never show up on the linux or windows
    clients display.
     
    Kelvin J. Hill, Feb 13, 2006
    #6
  7. Merv Guest

    > 50 route entries. All the excess never show up on the linux or windows clients display.

    This seems to be a bug to me as there is no stated restriction
    mentioned in the VPN client docs.

    Have you opened a case with the Cisco TAC?
     
    Merv, Feb 13, 2006
    #7
  8. Merv Guest

    Merv wrote:
    > > 50 route entries. All the excess never show up on the linux or windows clients display.

    BTW how many users is the PIX licensed for ?
     
    Merv, Feb 13, 2006
    #8
  9. Guest

    We have no support contract on this unit, so no we have not raised a
    TAC case.

    Hence the approach to the "world".
     
    , Feb 14, 2006
    #9
  10. Guest

    We have a UR bundle and therefore have no limit on users. On average, we
    have about 80 VPN tunnels open at any one time.
     
    , Feb 14, 2006
    #10
  11. Merv Guest

    Is there consistency to which 50 routes are received by the VPN clients?

    For example, does each VPN client get the same 50 routes or is it
    random?
     
    Merv, Feb 14, 2006
    #11
  12. Guest

    Each client gets the same routes. They are the first 50 of those
    defined in the PIX configuration access-list lines. The 51st and
    subsequent entries defined in the PIX are ignored. Either they are not
    being sent by the PIX or the client fills up some internal table and
    stops after the first 50 received.

    Regards,
    Kelvin.
     
    , Feb 15, 2006
    #12