PPTP Clients lose connection to Cisco PIX 506E after a while..

Discussion in 'Cisco' started by trond@hindenes.com, Apr 26, 2007.

  1. Guest

    Hi all,
    A customer of mine has just gotten a new Cisco PIX 506E, and we are
    experiencing some trouble with it. Hope some of you can point me in
    the right direction to fix this...

    1. Using PDM on the inside, I lose connection to the PDM Java app
    after a while. I have to close the browser altogether and log back on
    to access it. Has anyone experienced this? (Tried different browsers,
    same result)

    2. VPN users use PPTP to access the firewall. Most of the clients are
    on Windows Vista, but XP users reportedly also have problems. What
    I've heard is that they lose connection after a while, although the
    connection icon still tells the user that he/she is connected.
    Workaround is to manually disconnect and connect again.

    Should I try to play with the MTU size on the inside interface to see
    if this can have any effect?

    I have never had these problems on a PIX before, so I'm not sure where
    to start looking for errors. I have installed a syslog server that
    hopefully will give me some info, but any pointers would be deeply
    appreciated. My config is as follows:

    mtu inside 1500
    ip address outside xxx.xxx.44.62 255.255.252.0
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPNPool 192.168.1.101-192.168.1.150 mask 255.255.255.0
    pdm location 192.168.1.2 255.255.255.255 inside
    pdm location 213.179.57.7 255.255.255.255 outside
    pdm location 192.168.1.0 255.255.255.0 outside
    pdm location 192.168.1.24 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface www 192.168.1.24 www netmask 255.255.255.255 0 0
    access-group inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.44.61 10
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 5
    aaa-server RADIUS deadtime 1
    aaa-server RADIUS (inside) host 192.168.1.2 cisco timeout 5
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-pptp
    isakmp nat-traversal 20
    telnet 84.209.249.249 255.255.255.255 outside
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group PPTP_VPN accept dialin pptp
    vpdn group PPTP_VPN ppp authentication chap
    vpdn group PPTP_VPN client configuration address local VPNPool
    vpdn group PPTP_VPN client configuration dns 192.168.1.2
    vpdn group PPTP_VPN pptp echo 60
    vpdn group PPTP_VPN client authentication local
    vpdn username cisco password *********
    vpdn username vpn password *********
    vpdn username trond password *********
    vpdn enable outside
    dhcpd address 192.168.1.20-192.168.1.100 inside
    dhcpd dns 192.168.1.2 84.20.96.10
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:
    : end
    [OK]


    Best regards,
    Trond Hindenes
    Norway
     
    , Apr 26, 2007
    #1
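Editor's added example, not from any post in this thread and not Cisco code: a small lint over a PIX 6.x `write terminal` dump that pulls out the settings which govern how long a PPTP tunnel lives (the `pptp echo` keepalive, whose expiry makes the PIX tear the tunnel down, and the TCP idle timer that covers the control connection on port 1723) and, while it is there, the weak management settings that are plainly visible in the same dump: plain CHAP, which cannot negotiate MPPE, so the PPP payload crosses the Internet unencrypted inside GRE; the RADIUS shared secret `cisco`; the default SNMP community `public`; and telnet permitted from an outside host while no `ssh <addr> <mask> <if>` line exists. `CONFIG` is a constructed excerpt of the configuration above; `HARDENED` is a constructed variant with the corrections applied (PIX 6.3 command syntax is assumed, and the shared secret and community string are placeholders). Independently of these findings, PPTP itself (MS-CHAPv2 with RC4 MPPE) has since been shown to be breakable and should not be relied on for confidentiality.

```python
"""Lint a PIX 6.x config dump for PPTP tunnel-lifetime settings and weak
management settings.  Added example, not Cisco code.  CONFIG is a constructed
excerpt of the posted configuration; HARDENED is a constructed fixed variant."""

WEAK_SECRETS = {"cisco", "public", "private", "secret", "password"}

CONFIG = """\
ip local pool VPNPool 192.168.1.101-192.168.1.150 mask 255.255.255.0
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
aaa-server RADIUS (inside) host 192.168.1.2 cisco timeout 5
snmp-server community public
sysopt connection permit-pptp
telnet 84.209.249.249 255.255.255.255 outside
telnet 192.168.1.0 255.255.255.0 inside
ssh timeout 5
vpdn group PPTP_VPN accept dialin pptp
vpdn group PPTP_VPN ppp authentication chap
vpdn group PPTP_VPN pptp echo 60
vpdn group PPTP_VPN client authentication local
vpdn enable outside
"""

# Placeholder secret/community; the mppe and ssh lines use assumed PIX 6.3 syntax.
HARDENED = (CONFIG
    .replace("ppp authentication chap",
             "ppp authentication mschap\nvpdn group PPTP_VPN ppp encryption mppe 128 required")
    .replace("snmp-server community public\n", "")
    .replace("telnet 84.209.249.249 255.255.255.255 outside\n", "")
    .replace("ssh timeout 5", "ssh 192.168.1.0 255.255.255.0 inside\nssh timeout 5")
    .replace("192.168.1.2 cisco timeout", "192.168.1.2 Kq8v2LmZ4pRt7Xw1 timeout"))


def parse(text):
    """Split a dump into token lists, skipping blank lines and ':'/'!' comments."""
    return [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith((":", "!"))]


def lint(text):
    """Return (code, severity, message) findings for one config dump."""
    out, groups, ssh_hosts = [], {}, False
    for c in parse(text):
        if c[:2] == ["vpdn", "group"] and len(c) > 4:
            g = groups.setdefault(c[2], {"auth": None, "mppe": False, "echo": None})
            if c[3:5] == ["ppp", "authentication"]:
                g["auth"] = c[5]
            elif c[3:6] == ["ppp", "encryption", "mppe"]:
                g["mppe"] = True
            elif c[3:5] == ["pptp", "echo"]:
                g["echo"] = c[5]
        elif c[0] == "timeout" and "conn" in c:
            out.append(("CONN_TIMEOUT", "info", "TCP idle timeout %s also covers the PPTP "
                        "control connection on tcp/1723" % c[c.index("conn") + 1]))
        elif c[:2] == ["snmp-server", "community"] and c[2].lower() in WEAK_SECRETS:
            out.append(("SNMP_DEFAULT_COMMUNITY", "high",
                        "SNMP community '%s' is a well-known default" % c[2]))
        elif c[0] == "telnet" and c[-1] == "outside":
            out.append(("TELNET_OUTSIDE", "medium", "telnet permitted from %s on the outside "
                        "interface (PIX 6.x honours this only inside IPsec; prefer ssh)" % c[1]))
        elif c[0] == "ssh" and c[1] != "timeout":
            ssh_hosts = True
        elif c[0] == "aaa-server" and c[3:4] == ["host"] and len(c) > 5 and c[5] != "timeout":
            key = c[5]   # aaa-server <tag> (<if>) host <ip> [key] [timeout n]
            if key.lower() in WEAK_SECRETS or len(key) < 12:
                out.append(("RADIUS_KEY_WEAK", "high",
                            "AAA shared secret for %s is '%s' (cleartext in dump)" % (c[4], key)))
    if not ssh_hosts:
        out.append(("SSH_NOT_PERMITTED", "info",
                    "no 'ssh <addr> <mask> <if>' line: SSH management unreachable"))
    for name, g in groups.items():
        if g["echo"]:
            out.append(("PPTP_ECHO", "info", "%s: PIX sends a PPTP echo every %ss and drops the "
                        "tunnel when a client stops answering; compare with syslog drop times"
                        % (name, g["echo"])))
        if g["auth"] and not g["auth"].startswith("mschap"):
            out.append(("PPTP_NO_MPPE", "high", "%s: '%s' auth cannot negotiate MPPE (needs "
                        "mschap); PPP traffic crosses the Internet in the clear" % (name, g["auth"])))
        elif not g["mppe"]:
            out.append(("PPTP_NO_MPPE", "high", "%s: no 'ppp encryption mppe' line" % name))
    return out


if __name__ == "__main__":
    for label, cfg in (("posted", CONFIG), ("hardened", HARDENED)):
        print("==", label)
        for code, sev, msg in lint(cfg):
            print("%-22s %-6s %s" % (code, sev, msg))
```

Run it against a full `write terminal` capture; the findings tagged `info` are the numbers to line up against the syslog server's tunnel teardown messages, the `high` ones are worth fixing regardless of the drop problem.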

  2. Mike Rahl Guest

    Good day

    I'm not as much an expert on the PIX firewall, but is it possible that
    the connections are timing out due to inactivity? Are the users
    actively working using that VPN link when it stops responding? You
    could look at what the default timeout is on the connection (though I
    should think the software would disconnect at that point; maybe a bug
    in the software or on the PIX OS with PPTP?)

    Also, as to the idea about MTU, what kind of connection is the PIX
    connected to? If it's ADSL, or any ATM link for that matter, you may
    have to play with it (normally, I set the MTU on the WAN at 1452 bytes
    when dealing with ATM). Otherwise, you shouldn't have to play with
    the MTU. Ethernet has to run 1500 bytes, so your config looks ok that
    way.

    Hope this helps a little
     
    Mike Rahl, Apr 26, 2007
    #2
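Editor's added example for the MTU question raised in #1 and #2, not from the thread: rather than guessing an interface MTU, measure the path MTU towards the PIX with DF-marked probes by binary search, then derive the largest PPP-side MTU that still fits one fully encapsulated PPTP packet (outer IP, enhanced GRE with sequence and acknowledgment, uncompressed PPP framing, and the MPPE header; 44 bytes worst case). `ping_df` assumes Linux iputils `ping` flags (`-M do` sets DF; on Windows the equivalent is `ping -f -l`); `simulated_link` stands in for it so the block runs offline.

```python
"""Path-MTU probe and PPTP MTU budget.  Added example, not from the thread.
ping_df assumes Linux iputils ping; simulated_link replaces it offline."""
import subprocess

IP_HDR = 20               # outer IPv4 header
GRE_V1_HDR = 16           # RFC 2637 GRE: 4 base + 4 key (length, call id) + 4 seq + 4 ack
PPP_HDR = 4               # HDLC address/control + 2-byte protocol, uncompressed
MPPE_HDR = 4              # RFC 3078: 0x00FD protocol + 2-byte coherency header
PPTP_OVERHEAD = IP_HDR + GRE_V1_HDR + PPP_HDR + MPPE_HDR   # 44 bytes, worst case
ICMP_PROBE_OVERHEAD = 28  # 20 IPv4 + 8 ICMP echo header around the ping payload


def ping_df(host, payload, timeout=1):
    """True if one ICMP echo with `payload` data bytes and DF set is answered."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout), "-s", str(payload), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def simulated_link(path_mtu):
    """Prober that behaves like a path whose narrowest hop has MTU `path_mtu`."""
    def probe(host, payload):
        return payload + ICMP_PROBE_OVERHEAD <= path_mtu
    return probe


def find_path_mtu(host, probe=ping_df, lo=576, hi=1500):
    """Largest IP packet size in [lo, hi] the path forwards unfragmented, or
    None when even `lo` gets no answer (ICMP filtered, host down)."""
    if not probe(host, lo - ICMP_PROBE_OVERHEAD):
        return None
    if probe(host, hi - ICMP_PROBE_OVERHEAD):
        return hi
    while hi - lo > 1:                 # invariant: lo passes, hi fails
        mid = (lo + hi) // 2
        if probe(host, mid - ICMP_PROBE_OVERHEAD):
            lo = mid
        else:
            hi = mid
    return lo


def ppp_mtu_for_pptp(path_mtu):
    """PPP-side MTU that keeps every encapsulated PPTP packet within path_mtu."""
    return path_mtu - PPTP_OVERHEAD


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        mtu = find_path_mtu(sys.argv[1])              # real probe towards the PIX
    else:
        mtu = find_path_mtu("peer", simulated_link(1492))   # e.g. a PPPoE hop
    print("path MTU:", mtu, "-> PPP/VPN adapter MTU:",
          ppp_mtu_for_pptp(mtu) if mtu else "n/a")
```

A 1500-byte Ethernet path leaves 1456 bytes for the PPP side, so a client adapter MTU in the 1400 range is safe there; the probe matters when a PPPoE or ATM hop sits in the path and the number comes out lower than the adapter assumes, which shows up as silently black-holed large packets rather than a clean disconnect.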

  3. ciscosec Guest

    Which version of PIX are you running, and what are the timeout
    parameters you have set?

    There is a known issue with IPsec VPNs timing out every 10 minutes or so
    irrespective of whether they are idle or not. This is what I remember.
    You can check Cisco's known issues document to confirm this.

     
    ciscosec, Apr 27, 2007
    #3
  4. Guest

    Hi,
    It's running PIX 6.3(5), which (as far as I know) is the latest
    supported OS on the 506E. All the parameters are shown in the config
    I sent. On the clients, no timeout is set.

    Thanks,

    Trond Hindenes

     
    , Apr 27, 2007
    #4
  5. Houston SBC Guest

    Not a PIX guru, but I had no luck at all with PPTP on a Cisco 2650 with IOS
    12.3.
    It seems that PPTP uses a conversation ID that distinguishes between
    communicating devices; the above setup would not work unless each user was
    given the same IP at connect time (no NAT overload, it had to be static).
    With DHCP-style allocation it was a mess.

    I had to use a Netgear FVS318 on the Internet with TCP 1723 open and
    translated to a Win 2000 server running RRAS.
    DHCP allocation now worked with PPTP.

    Digital Doug
     
    Houston SBC, Apr 27, 2007
    #5
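Editor's added example, not from the thread and not Cisco or Microsoft code: what #5 calls a "conversation id" is the PPTP Call ID of RFC 2637. PPTP's data channel is GRE, which has no port numbers, so the only per-session key a port-address-translating NAT can use is the 16-bit Call ID that each side announces on the TCP 1723 control channel; a server-to-client GRE packet carries the client's Call ID, and two clients behind one public address that both picked Call ID 1 are indistinguishable unless the NAT rewrites the ID in the Outgoing-Call-Request and maps it back on the returning GRE. The block below parses and builds both the control messages and the enhanced GRE header, then runs that rewrite in a toy table. All packets are constructed here; field layouts follow RFC 2637.

```python
"""PPTP control message / enhanced GRE parser plus a toy Call-ID rewriting
table.  Added example, not from the thread; packets are constructed."""
import struct

PPTP_MAGIC = 0x1A2B3C4D
GRE_PROTO_PPP = 0x880B
CTRL = {1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
        5: "Echo-Request", 6: "Echo-Reply", 7: "Outgoing-Call-Request",
        8: "Outgoing-Call-Reply", 12: "Call-Clear-Request"}


def _ctrl_header(ctype, body):
    # length, message type 1 (control), magic cookie, control type, reserved0
    return struct.pack("!HHIHH", 12 + len(body), 1, PPTP_MAGIC, ctype, 0) + body


def build_outgoing_call_request(call_id, serial=0):
    """Client -> server: open a call, announcing the CLIENT's Call ID (168 bytes)."""
    body = struct.pack("!HHIIIIHHHH", call_id, serial, 300, 100_000_000, 1, 1, 64, 0, 0, 0)
    return _ctrl_header(7, body + b"\x00" * 128)       # phone number + subaddress


def build_outgoing_call_reply(call_id, peer_call_id):
    """Server -> client: the SERVER's Call ID plus the client's it answers (32 bytes)."""
    body = struct.pack("!HHBBHIHHI", call_id, peer_call_id, 1, 0, 0, 10_000_000, 64, 0, 0)
    return _ctrl_header(8, body)


def parse_pptp_control(data):
    length, mtype, magic, ctype, _ = struct.unpack_from("!HHIHH", data, 0)
    if magic != PPTP_MAGIC or mtype != 1 or length != len(data):
        raise ValueError("not a PPTP control message")
    msg = {"type": CTRL.get(ctype, "type-%d" % ctype)}
    if ctype == 7:
        msg["call_id"], msg["serial"] = struct.unpack_from("!HH", data, 12)
    elif ctype == 8:
        msg["call_id"], msg["peer_call_id"], msg["result"] = struct.unpack_from("!HHB", data, 12)
    return msg


def build_gre(peer_call_id, payload, seq=None, ack=None):
    """Enhanced GRE (RFC 2637 s4): K set; Key = payload length + RECEIVER's Call ID."""
    flags = 0x20 | (0x10 if seq is not None else 0)          # K, S
    ver = 0x01 | (0x80 if ack is not None else 0)            # version 1, A
    hdr = struct.pack("!BBHHH", flags, ver, GRE_PROTO_PPP, len(payload), peer_call_id)
    hdr += struct.pack("!I", seq) if seq is not None else b""
    hdr += struct.pack("!I", ack) if ack is not None else b""
    return hdr + payload


def parse_gre(data):
    flags, ver, proto, plen, call_id = struct.unpack_from("!BBHHH", data, 0)
    if (ver & 0x07) != 1 or proto != GRE_PROTO_PPP or not flags & 0x20:
        raise ValueError("not PPTP enhanced GRE")
    off, seq, ack = 8, None, None
    if flags & 0x10:
        seq, off = struct.unpack_from("!I", data, off)[0], off + 4
    if ver & 0x80:
        ack, off = struct.unpack_from("!I", data, off)[0], off + 4
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": data[off:off + plen]}


class PptpAlg:
    """Call-ID rewriting table of the kind a PPTP-aware PAT keeps (toy, one server)."""
    def __init__(self):
        self.out = {}    # (inside_ip, inside_call_id) -> public_call_id
        self.back = {}   # public_call_id -> (inside_ip, inside_call_id)

    def outbound_control(self, inside_ip, data):
        """Rewrite the Call ID of an outgoing Outgoing-Call-Request to one unique per NAT."""
        msg = parse_pptp_control(data)
        if msg["type"] != "Outgoing-Call-Request":
            return data
        key = (inside_ip, msg["call_id"])
        if key not in self.out:
            pub = len(self.back) + 1
            self.out[key], self.back[pub] = pub, key
        return data[:12] + struct.pack("!H", self.out[key]) + data[14:]

    def inbound_gre(self, data):
        """Server -> client GRE carries the public Call ID: map it back to the LAN host."""
        gre = parse_gre(data)
        inside_ip, inside_id = self.back[gre["call_id"]]
        return inside_ip, build_gre(inside_id, gre["payload"], gre["seq"], gre["ack"])
```

Without the rewrite the second client's GRE replies would be delivered to whichever host the NAT last associated with Call ID 1, which is the behaviour described in #5; a plain port-overloading NAT has nothing else to key on. A PPTP-aware NAT (PIX 6.3's `fixup protocol pptp 1723` plays that role when the PIX is the NAT in front of the clients rather than the PPTP server) keeps exactly this kind of table.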
