
CISCO PIX 6.3 VPN

Status
Not open for further replies.

DAVIDME

MIS
May 25, 2008
4
AU
Hi

I have a Cisco PIX 6.3 515E in a site to site VPN with a Cisco ASA 5510 7.2, as well as a Cisco Remote VPN coming into the same outside interface on the PIX 6.3, e.g. a site to site VPN and a remote access VPN coming into the PIX 515E internet interface. My question / problem is that the LAN 2 LAN VPN appears to drop out, I think after a small certain period of time, and does not come back up: when I do a show isakmp sa command it will show a VPN created as per below, but a little later on it shows not created. Is there a problem with the PIX config or something else? E.g. when the PIX and ASA do a refresh / rekey on the VPN??? See below for the config minus sensitive stuff and the show isakmp sa output. I believe the config is correct for static site to site VPN and remote access VPN, e.g. different policies and the same crypto map name for the outside interface, so I am not sure why it is happening. Any help appreciated muchly, or if any further info is needed pls advise.



CONFIG ON PIX 515e 6.3

crypto ipsec transform-set vpn esp-3des esp-md5-hmac
crypto ipsec transform-set remote esp-3des esp-md5-hmac
crypto dynamic-map dynmap 70 set transform-set remote
crypto map china 1 ipsec-isakmp
crypto map china 1 match address 120
crypto map china 1 set peer x.x.x.x (ASA IP Address)
crypto map china 1 set transform-set vpn
crypto map china 70 ipsec-isakmp dynamic dynmap
crypto map china interface internet
isakmp enable internet
isakmp key ******** address x.x.x.x netmask x.x.x.x (ASA 5510 IP)
isakmp identity address
isakmp keepalive 15
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption 3des
isakmp policy 70 hash md5
isakmp policy 70 group 2
isakmp policy 70 lifetime 86400

SHOW ISAKMP SA OUTPUT

PIX 515 E Output

pix# sh isakmp sa
Total : 2
Embryonic : 0
dst src state pending created
x.x.x.x x.x.x.x QM_IDLE 0 1 (REMOTE CISCO VPN)
x.x.x.x x.x.x.x QM_IDLE 0 0 (CISCO LAN 2 LAN VPN) PIX OUTSIDE AND ASA OUTSIDE ADDRESS showing 0 created


ASA 5510

Show isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

IKE Peer: x.x.x.x (PIX Outside address)
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
 
Also, just a thought with the LAN 2 LAN VPN with the PIX and ASA: I have rebooted the PIX and when I have done a show isakmp sa command it shows as below in example 1. After 10 minutes or so after that I do another show isakmp sa and the output from that is also below. Is it a case that the tunnel is created and after 10 minutes goes idle???

EXAMPLE 1
pix01# show isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
xxx.x.xxx.x xxx.xx.xx.x QM_IDLE 0 1

EXAMPLE 2 ( AFTER 10 MINS FROM REBOOT)
pix01# show isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
xxx.x.xxx.x xxx.xx.xx.x QM_IDLE 0 0

 
Hi Davidme,

I noticed that your lifetime on isakmp policy 1 seems rather low (1000 seconds?). I'm not sure which policy the tunnel is using, but you definitely want the isakmp lifetimes to match.

I don't see why you'd want to negotiate isakmp so often. What DH group is the ASA using? Given that the sequence number and isakmp policy numbers line up it looks like you'll be using isakmp policy 1.

Can you do a show isakmp sa detail? If the isakmp policies are using different timeouts, that's likely what's causing the issues you're seeing. Without having any of the ASA's settings it'll be difficult to troubleshoot without some debugging output.

Can you provide the isakmp policies from the ASA?

 
Hi
SHOW ISAKMP SA DETAIL FROM PIX 515E OUTPUT BELOW

Total : 2
Embryonic : 0

Local Remote Encr Hash Auth State Lifetime (REMOTE VPN)
x.x. 3des md5 psk QM_IDLE 476

Local Remote Encr Hash Auth State Lifetime (L2LVPN)
x.x x.x. 3des md5 psk QM_IDLE 575

ASA 5510 ISAKMP SETTINGS (X.X.X.X is the PIX 515E IP address)

crypto ipsec transform-set vpn esp-3des esp-md5-hm
crypto map china 1 match address accesslist
crypto map china 1 set peer x.x.x.x
crypto map china 1 set transform-set vpn
crypto map china interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 15 retry 2
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 15 retry 2
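sigideba's point above is that the two peers must agree on a phase 1 proposal and that the lifetimes should match. The following is an added check, not code from the thread: it parses the `isakmp policy` lines from both configs (excerpts constructed from the PIX and ASA configs posted here), finds policy pairs whose authentication, encryption, hash and DH group agree, and flags any lifetime difference between them.

```python
import re
from collections import defaultdict

# Constructed excerpts, modelled on the PIX 6.3 and ASA 7.2 configs in this thread.
PIX_CFG = """
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption 3des
isakmp policy 70 hash md5
isakmp policy 70 group 2
isakmp policy 70 lifetime 86400
"""
ASA_CFG = """
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
"""

ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")
LINE = re.compile(r"^\s*isakmp policy (\d+) (\w+) (\S+)\s*$")


def parse_policies(cfg):
    """Return {priority: {attr: value}} from 'isakmp policy N <attr> <value>' lines."""
    pols = defaultdict(dict)
    for line in cfg.splitlines():
        m = LINE.match(line)
        if m and m.group(2) in ATTRS:
            pols[int(m.group(1))][m.group(2)] = m.group(3)
    return dict(pols)


def matching_proposals(local, remote):
    """List (local_prio, remote_prio, note) for policy pairs whose auth, encryption,
    hash and DH group all agree. A lifetime difference does not stop the pair from
    matching, so it is reported in the note for the admin to align."""
    out = []
    for lp, lv in sorted(local.items()):
        for rp, rv in sorted(remote.items()):
            if all(lv.get(a) == rv.get(a) for a in ATTRS[:4]):
                same = lv.get("lifetime") == rv.get("lifetime")
                note = "ok" if same else f"lifetime differs: {lv.get('lifetime')} vs {rv.get('lifetime')}"
                out.append((lp, rp, note))
    return out


if __name__ == "__main__":
    for pair in matching_proposals(parse_policies(PIX_CFG), parse_policies(ASA_CFG)):
        print(pair)
```

With the configs as posted, only PIX policy 1 and ASA policy 1 line up (PIX policy 70 uses DH group 2, which the ASA has no counterpart for), and their 1000-second lifetimes already match.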
 
Hi sigideba , Thanks for your help

THIS IS THE OUTPUT FROM THE ASA 5510 SHOW ISAKMP SA DETAIL, which looks like the lan2lan VPN is up, so I am a bit confused by it really now ....

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: xx.xx.xx.xx (PIX 515E IP)
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : MD5
Auth : preshared Lifetime: 1000
Lifetime Remaining: 894

 