PIX 515 drops ongoing VPN sessions

Discussion in 'Cisco' started by Nicklas, Nov 24, 2003.

  1. Nicklas

    Nicklas Guest

    Hi,

    I have a rather mysterious issue with our corporate Cisco Pix 515
    Firewalls (one running primary, the other failover).

    IOS= 6.2.3

    None of the Firewalls qualify for the known bugs at Cisco.

    Now, the firewall is mainly used for VPN sessions that are
    site-to-site over Internet. On the other side of the VPN session,
    you'll find a Cisco Pix 501. The VPN sessions are basic, and use DES
    encryption. The setup is straightforward and works
    great...except......

    From "time-to-time" the firewall drops a number of ongoing VPN
    sessions. At the most I'd say that the firewall handles about 95 VPN
    sessions. I've managed to export data from PDM, which clearly proves
    that it does indeed drop about 30% of the VPN sessions at any given
    time, see the data extract below:



    Date, Time, Number of VPN sessions:
    2003-11-24 11:50:07,90
    2003-11-24 12:02:07,89
    2003-11-24 12:14:07,90
    2003-11-24 12:26:07,88
    2003-11-24 12:38:07,87
    2003-11-24 12:50:07,90
    2003-11-24 13:02:07,66 <----here
    2003-11-24 13:14:07,77
    2003-11-24 13:26:07,81
    2003-11-24 13:38:07,82
    2003-11-24 13:50:07,86
    2003-11-24 14:02:07,89
    2003-11-24 14:14:07,91
    2003-11-24 14:26:07,92
    2003-11-24 14:38:07,92
    2003-11-24 14:50:07,91
    2003-11-24 15:02:07,90
    2003-11-24 15:14:07,64 <---- here
    2003-11-24 15:26:07,77
    2003-11-24 15:38:07,81
    2003-11-24 15:50:07,83
    2003-11-24 16:02:07,82
    2003-11-24 16:14:07,83


    After each "drop" the end user experiences a time-out of about 5-10
    minutes, and during this period his Internet connection, mainly DSL,
    works fine. After the given timeout the end user re-connects, and the
    session is up and running.

    I haven't pinpointed the actual reason for the sudden drop of VPN
    sessions, but my guess is that the reason resides on our Firewall. The
    whole failover setup works, and both the firewalls have the exact same
    config.

    Has anyone even heard of anything like my problem? If so I'm very
    curious to find out if there's any tweak to solve the issue....

    I've averaged the overall bandwidth of the corporate firewall, and it
    peaks at about 2 Mbps (we have 10)

    The CPU/Memory runs at about 20-30% with occasional peaks.


    Any input is very much appreciated.

    Regards,

    Nicklas
     
    Nicklas, Nov 24, 2003
    #1
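
An added example, not part of the original post: a short Python script that parses the PDM extract quoted above, flags samples where the session count falls sharply, and reports the time between those drops so it can be compared with timers configured on the firewall. The function names and the 20% threshold are assumptions made for this example.

```python
from datetime import datetime

# Rows copied from the PDM extract in the post (timestamp,session count).
PDM_EXPORT = """\
2003-11-24 11:50:07,90
2003-11-24 12:02:07,89
2003-11-24 12:14:07,90
2003-11-24 12:26:07,88
2003-11-24 12:38:07,87
2003-11-24 12:50:07,90
2003-11-24 13:02:07,66 <----here
2003-11-24 13:14:07,77
2003-11-24 13:26:07,81
2003-11-24 13:38:07,82
2003-11-24 13:50:07,86
2003-11-24 14:02:07,89
2003-11-24 14:14:07,91
2003-11-24 14:26:07,92
2003-11-24 14:38:07,92
2003-11-24 14:50:07,91
2003-11-24 15:02:07,90
2003-11-24 15:14:07,64 <---- here
2003-11-24 15:26:07,77
2003-11-24 15:38:07,81
2003-11-24 15:50:07,83
2003-11-24 16:02:07,82
2003-11-24 16:14:07,83
"""

def parse(export):
    """Return [(datetime, count), ...]; trailing notes such as '<----here' are ignored."""
    pairs = (line.split(",", 1) for line in export.strip().splitlines())
    return [(datetime.strptime(ts.strip(), "%Y-%m-%d %H:%M:%S"), int(n.split()[0])) for ts, n in pairs]

def find_drops(rows, min_fraction=0.2):
    """Samples where the count fell by >= min_fraction (assumed 20%) of the previous sample."""
    drops = []
    for (_, prev), (ts, cur) in zip(rows, rows[1:]):
        if prev and (prev - cur) / prev >= min_fraction:
            drops.append((ts, prev, cur, round(100 * (prev - cur) / prev, 1)))
    return drops

def drop_intervals(drops):
    """Minutes between consecutive drops, for comparison with configured timers."""
    times = [d[0] for d in drops]
    return [int((b - a).total_seconds() // 60) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    found = find_drops(parse(PDM_EXPORT))
    print([(str(t), p, c, pct) for t, p, c, pct in found], drop_intervals(found))
```

With only two drops in this extract there is a single interval; a longer export is needed to tell whether the drops recur on a fixed period.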