PIX 515e & Cisco VPN client. Split-tunnel limit of 50?

Hi all,
I am using a PIX 515e running 6.3(5) and windows/linux vpn clients
4.7 and 4.8.

I have a very simplke requirement. I need to have a lot more
split-tunnels defined than usual as I am dealing with a worldwide
corporate internal network. Within this network, there are 400+
discrete "internal" subnets which are being passed to the pix by OSPF.
I need the clients to be able to get to all these internal networks but
still have external internet access at the same time.

I am NOT interested in the security implkications of this but need a
technical solution to the problem.

I can define them in the PIX but only the first 50 are pushed to the
vpn client.

Does anyone have a solution for this?

Thanks,
K.

 

Can you give us an example of the subnets in question? Frankly I'd
summarize the routes. For example if all your internal routes were
under 10.1.0.0/16 and 10.50.0.0/16 then I'd summarize the routes and
hand 2 /16s to the VPN user. If your subnets are more spread out than
that, then I'd was venture to say that you have a serious IP
organization problem and you need to clean up your IP addressing
scheme.

J

 

I don't disagree. The IP allocation has been built up over many years
across many countries, each with thier own MIS teams. We have been
Internet users almost before there was an Internet...

However, we do have a problem as described in my first post and for now
I have to work within that, hence the request for the expertise of
those who populate this newsgroup.

I have done route summarisation using a program I wrote to parse the
routing tables. However, even with the most aggressive summarisation I
can only reduce it to 117 route table entries. This obviously still
leaves me with a problem when someone on the end of a VPN link informs
me that they can't get to some little used server in Brazil for
example.

I can and have tried to do a "maximum hit rate" selection of routes to
accomodate the majority of users but I need to try and handle 100% of
my clients.

Any geniuses out there?

K.

 

Anyone?
K.
*** Free account sponsored by SecureIX.com ***
*** Encrypt your Internet usage with a free VPN account from http://www.SecureIX.com ***

 

What does the output of "vpnclient stat route " on one of the Linux
boxes show?

 

50 route entries. All the excess never show up on the linux or windows
clients display.
*** Free account sponsored by SecureIX.com ***
*** Encrypt your Internet usage with a free VPN account from http://www.SecureIX.com ***

 

This seems to be a bug to me as there is no stated restriction
mentioned in the VPN client docs.

Have you opened a case with the Cisco TAC?

 

BTW how many users is the PIX licensed for ?

 

We have no support contract on this unit, so no we have not raised a
TAC case.

Hence the approach to the "world".

 

We have a UR bundle and therefor have no limit on users. On average, we
have about 80 VPN tunnels open at any one time.

 

Is there consistency to which 50 routes are received by the VPN clients
?

for example, does each VPN clientt get the same 50 routes or is it
random ?

 

Each client gets the same routes. They are the first 50 of those
defined in the PIX configuration access-list lines. The 51st and
subsequent entries defined in the PIX are ignored. Either, they are not
being sent by the PIX or the client fills up some internal table and
stops arfter the first 50 received.

Regards,
Kelvin.