PIX 515e & Cisco VPN client. Split-tunnel limit of 50?

Discussion in 'Cisco' started by kelvin.hill, Feb 7, 2006.

  1. kelvin.hill Guest

    Hi all,
    I am using a PIX 515e running 6.3(5) and windows/linux vpn clients
    4.7 and 4.8.

    I have a very simple requirement. I need to have a lot more
    split-tunnels defined than usual as I am dealing with a worldwide
    corporate internal network. Within this network, there are 400+
    discrete "internal" subnets which are being passed to the pix by OSPF.
    I need the clients to be able to get to all these internal networks but
    still have external internet access at the same time.

    I am NOT interested in the security implications of this but need a
    technical solution to the problem.

    I can define them in the PIX but only the first 50 are pushed to the
    vpn client.

    Does anyone have a solution for this?

    kelvin.hill, Feb 7, 2006

  2. J Guest


    Can you give us an example of the subnets in question? Frankly I'd
    summarize the routes. For example if all your internal routes were
    under and then I'd summarize the routes and
    hand 2 /16s to the VPN user. If your subnets are more spread out than
    that, then I'd venture to say that you have a serious IP
    organization problem and you need to clean up your IP addressing.

    J, Feb 8, 2006

  3. kelvin.hill Guest


    I don't disagree. The IP allocation has been built up over many years
    across many countries, each with their own MIS teams. We have been
    Internet users almost before there was an Internet...

    However, we do have a problem as described in my first post and for now
    I have to work within that, hence the request for the expertise of
    those who populate this newsgroup.

    I have done route summarisation using a program I wrote to parse the
    routing tables. However, even with the most aggressive summarisation I
    can only reduce it to 117 route table entries. This obviously still
    leaves me with a problem when someone on the end of a VPN link informs
    me that they can't get to some little used server in Brazil for

    I can and have tried to do a "maximum hit rate" selection of routes to
    accommodate the majority of users but I need to try and handle 100% of
    my clients.

    Any geniuses out there?

    kelvin.hill, Feb 8, 2006
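The route summarisation described in the post above, as an added Python example that is not the poster's own program: it collapses a constructed list of internal subnets exactly, and if the result still exceeds an assumed per-client cap it widens prefixes greedily while reporting how much non-internal address space the widened list pulls into the tunnel. The sample subnets, the `covers` helper and the least-waste widening strategy are all assumptions of this example.

```python
"""Split-tunnel route summarisation (added example, not the poster's own
program): collapse internal subnets exactly, then if the count still exceeds
a per-client cap (the 50 entries in the thread) widen prefixes greedily,
always picking the merge that drags the least outside space in. IPv4 only."""
import ipaddress

# Constructed sample of "internal" networks, not the poster's real table.
INTERNAL = [
    "10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/23", "10.1.4.0/22",
    "10.2.0.0/16", "172.16.5.0/24", "172.16.6.0/23", "172.20.0.0/16",
    "192.168.10.0/24", "192.168.11.0/24", "192.168.12.0/22",
]

def summarise(cidrs):
    """Exact summarisation: merges only adjacent or overlapping blocks, so
    the result covers precisely the input addresses and no more."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))

def covers(routes, cidrs):
    """True if every input subnet lies inside one of the routes."""
    return all(any(ipaddress.ip_network(c, strict=False).subnet_of(r)
                   for r in routes) for c in cidrs)

def fit_to_cap(cidrs, cap):
    """Lossy summarisation. Returns (routes, extra): at most `cap` routes
    covering every input subnet, and the number of addresses outside the
    input that now go down the tunnel too. A large `extra` means the split
    tunnel is far broader than the internal network it was meant to reach."""
    routes = summarise(cidrs)
    while len(routes) > cap:
        best = None  # (wasted addresses, candidate supernet)
        for n in routes:
            if n.prefixlen == 0:
                continue
            s = n.supernet()
            inside = [r for r in routes if r.subnet_of(s)]
            waste = s.num_addresses - sum(r.num_addresses for r in inside)
            if best is None or waste < best[0]:
                best = (waste, s)
        if best is None:
            break  # nothing left to widen
        s = best[1]
        routes = list(ipaddress.collapse_addresses(
            [r for r in routes if not r.subnet_of(s)] + [s]))
    wanted = sum(n.num_addresses for n in summarise(cidrs))
    covered = sum(n.num_addresses for n in routes)
    return routes, covered - wanted
```

The `extra` value is the figure worth checking before the shortened list is pushed to clients, since every widened prefix routes addresses into the tunnel that were never part of the internal network.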
  4. Kelvin J. Hill

    Anyone?
    Kelvin J. Hill, Feb 12, 2006

  5. Merv Guest

    What does the output of "vpnclient stat route" on one of the Linux
    boxes show?
    Merv, Feb 13, 2006
  6. Kelvin J. Hill

    50 route entries. All the excess never show up on the linux or windows
    clients display.
    Kelvin J. Hill, Feb 13, 2006

  7. Merv Guest


    This seems to be a bug to me as there is no stated restriction
    mentioned in the VPN client docs.

    Have you opened a case with the Cisco TAC?
    Merv, Feb 13, 2006
  8. Merv Guest


    BTW how many users is the PIX licensed for ?
    Merv, Feb 13, 2006
  9. kelvin.hill Guest


    We have no support contract on this unit, so no we have not raised a
    TAC case.

    Hence the approach to the "world".
    kelvin.hill, Feb 14, 2006
  10. kelvin.hill Guest

    We have a UR bundle and therefore have no limit on users. On average, we
    have about 80 VPN tunnels open at any one time.
    kelvin.hill, Feb 14, 2006
  11. Merv Guest

    Is there consistency to which 50 routes are received by the VPN clients?

    For example, does each VPN client get the same 50 routes or is it
    random?
    Merv, Feb 14, 2006
  12. kelvin.hill Guest


    Each client gets the same routes. They are the first 50 of those
    defined in the PIX configuration access-list lines. The 51st and
    subsequent entries defined in the PIX are ignored. Either they are not
    being sent by the PIX or the client fills up some internal table and
    stops after the first 50 received.

    kelvin.hill, Feb 15, 2006