pix ipsec tunnels problem

Discussion in 'Cisco' started by no, Jul 24, 2005.

  1. no

    no Guest

    I have problems with ipsec tunnels on pix 525 7.0. For some time everything
    is ok and then tunnels are messed up. When I go to monitor and then VPN and
    then look at the list of lan to lan tunnels, I can see that rx bytes is
    incrementing as remote location is sending data but tx is zero. Only a
    firewall restart helps. Any ideas? I've tried everything, changing from
    dynamic map to static, I've tried with upgrades, now I am on 7.0(2). Here
    is the part of config, I am using 3600 sec timeouts on peer side

    access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.c.88 255.255.255.248
    access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.c.72 255.255.255.248
    access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.c.24 255.255.255.248
    access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.c.32 255.255.255.248
    access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.c.216 255.255.255.248
    access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.b.16 255.255.255.248
    access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.b.24 255.255.255.248
    access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.b.64 255.255.255.248
    access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.b.80 255.255.255.248

    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute


    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server none
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 3
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    default-domain none
    split-dns none
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    client-firewall none
    client-access-rule none


    vpn-sessiondb max-session-limit 200

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto dynamic-map intf2_vip_cdyn_map 1000 match address intf2_vip_ccryptomap_dyn_1000
    crypto dynamic-map intf2_vip_cdyn_map 1000 set transform-set ESP-3DES-SHA ESP-DES-MD5
    crypto dynamic-map intf2_vip_cdyn_map 1000 set security-association lifetime kilobytes 2147483647
    crypto dynamic-map intf2_vip_cdyn_map 1000 set nat-t-disable

    crypto map intf2_vip_cmap 65535 ipsec-isakmp dynamic intf2_vip_cdyn_map
    crypto map intf2_vip_cmap interface intf2_vip


    isakmp enable intf2_vip
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 28800
    isakmp disconnect-notify

    tunnel-group DefaultL2LGroup type ipsec-l2l
    tunnel-group DefaultL2LGroup ipsec-attributes
    trust-point kevin.erste.hr
    tunnel-group DefaultRAGroup type ipsec-ra
    tunnel-group DefaultRAGroup ipsec-attributes
    trust-point kevin.erste.hr
    tunnel-group x.x.251.1 type ipsec-l2l
    tunnel-group x.x.251.1 ipsec-attributes
    pre-shared-key *
    tunnel-group x.x.251.2 type ipsec-l2l
    tunnel-group x.x.251.2 ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group x.x.251.3 type ipsec-l2l
    tunnel-group x.x.251.3 ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group x.x.251.4 type ipsec-l2l
    tunnel-group x.x.251.4 ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group x.x.251.5 type ipsec-l2l
    tunnel-group x.x.251.5 ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group x.x.250.1 type ipsec-l2l
    tunnel-group x.x.250.1 ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group x.x.250.2 type ipsec-l2l
    tunnel-group x.x.250.2 ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group x.x.250.3 type ipsec-l2l
    tunnel-group x.x.250.3 ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group x.x.250.4 type ipsec-l2l
    tunnel-group x.x.250.4 ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group x.x.250.6 type ipsec-l2l
    tunnel-group x.x.250.6 ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group x.x.250.7 type ipsec-l2l
    tunnel-group x.x.250.7 ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group x.x.250.8 type ipsec-l2l
    tunnel-group x.x.250.8 ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group x.x.250.9 type ipsec-l2l
    tunnel-group x.x.250.9 ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group x.x.250.10 type ipsec-l2l
    tunnel-group x.x.250.10 ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group x.x.250.11 type ipsec-l2l
    tunnel-group x.x.250.11 ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group x.x.250.12 type ipsec-l2l
    tunnel-group x.x.250.12 ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group x.x.250.13 type ipsec-l2l
    tunnel-group x.x.250.13 ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group x.x.250.14 type ipsec-l2l
    tunnel-group x.x.250.14 ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group x.x.250.15 type ipsec-l2l
    tunnel-group x.x.250.15 ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
     
    no, Jul 24, 2005
    #1

  2. no

    no Guest

    Maybe I have a clue. On the int where I receive VPN connections, there is an
    access-list. In case of problems, there is a message that UDP 500 from peer
    ip to pix int ip UDP 500 is denied. After restart and tunnels
    reestablishment, there is no such message. Looks like PIX access-list stops
    working!!!!
     
    no, Jul 24, 2005
    #2

  3. no

    Drx Guest

    it happened again, look at this

    Built inbound UDP connection 14580 for intf2_vip:x.x.250.13/500 (x.x.250.13/500) to inside:x.x.254.5/500 (x.x.254.5/500)
    UDP access denied by ACL from x.x.250.13/500 to inside:x.x.254.5/500

    The first message seems ok, but then it starts. Is it possible that I hit some
    kind of limit of UDP connections?
     
    Drx, Jul 25, 2005
    #3
  4. no

    thejayman Guest

    Just a thought. What type of license do you have? Is there a limit on
    the number of IKE HOSTS you can have?
    A "show version" should answer the question.

    HTH's
    Jason
     
    thejayman, Jul 25, 2005
    #4
  5. no

    no Guest

    unlimited
     
    no, Jul 25, 2005
    #5
  6. no

    no Guest

    another thing I've noticed in logs is

    %PIX-3-313001: Denied ICMP type=11, code=0 from x.x.x.6 on interface inside

    a few seconds after the problems start. x.x.x.6 is the router through which
    the peers are connected to the firewall.
     
    no, Jul 26, 2005
    #6
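As an added example (not code from the thread or from Cisco), a small Python triage script that parses the three PIX message shapes quoted above and separates the symptom described here, an ACL denial of IKE (UDP/500) from a configured lan-to-lan peer, from the expected denial of an unknown source, while also noting the ICMP type 11 (TTL exceeded) denials from the upstream router. The peer addresses and log lines are constructed samples, and the known-peer list stands in for the tunnel-group entries in the posted config.

```python
import re
from dataclasses import dataclass, field

# Hypothetical lan-to-lan peers, standing in for the tunnel-group entries.
KNOWN_PEERS = {"10.0.250.13", "10.0.251.1"}
IKE_PORT = 500

# Message shapes as quoted in the thread (syslog IDs omitted where the thread omitted them).
BUILT_RE = re.compile(r"Built inbound UDP connection (\d+) for ([^:\s]+):([^/\s]+)/(\d+) .* to ([^:\s]+):([^/\s]+)/(\d+)")
DENIED_RE = re.compile(r"UDP access denied by ACL from ([^/\s]+)/(\d+) to ([^:\s]+):([^/\s]+)/(\d+)")
ICMP_RE = re.compile(r"%PIX-3-313001: Denied ICMP type=(\d+), code=(\d+) from (\S+) on interface (\S+)")

# Constructed sample log lines modelled on the ones posted in the thread.
SAMPLE_LOGS = [
    "Built inbound UDP connection 14580 for intf2_vip:10.0.250.13/500 (10.0.250.13/500) to inside:10.0.254.5/500 (10.0.254.5/500)",
    "UDP access denied by ACL from 10.0.250.13/500 to inside:10.0.254.5/500",
    "UDP access denied by ACL from 10.0.250.13/500 to inside:10.0.254.5/500",
    "UDP access denied by ACL from 198.51.100.7/500 to inside:10.0.254.5/500",
    "%PIX-3-313001: Denied ICMP type=11, code=0 from 10.0.0.6 on interface inside",
]

@dataclass
class PeerState:
    built: int = 0        # IKE connections the PIX accepted from this source
    ike_denied: int = 0   # IKE packets from this source dropped by the interface ACL

@dataclass
class Report:
    peers: dict = field(default_factory=dict)
    ttl_exceeded_from: list = field(default_factory=list)

    def degraded_peers(self):
        # A configured peer whose IKE traffic hits the ACL is the tunnel-health symptom.
        return sorted(p for p, s in self.peers.items() if p in KNOWN_PEERS and s.ike_denied > 0)

    def unknown_ike_sources(self):
        # Unknown sources being denied on UDP/500 is the ACL doing its job, not a fault.
        return sorted(p for p in self.peers if p not in KNOWN_PEERS)

def analyse(lines):
    report = Report()
    for line in lines:
        if (m := BUILT_RE.search(line)) and int(m.group(4)) == IKE_PORT:
            report.peers.setdefault(m.group(3), PeerState()).built += 1
        elif (m := DENIED_RE.search(line)) and int(m.group(2)) == IKE_PORT == int(m.group(5)):
            report.peers.setdefault(m.group(1), PeerState()).ike_denied += 1
        elif (m := ICMP_RE.search(line)) and int(m.group(1)) == 11:
            report.ttl_exceeded_from.append(m.group(3))  # TTL-exceeded from a transit hop
    return report

if __name__ == "__main__":
    r = analyse(SAMPLE_LOGS)
    print("degraded peers:", r.degraded_peers(), "unknown IKE sources:", r.unknown_ike_sources())
```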
