Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
PIX/VPN Tunnel Question
- Thread starter dm318
- Start date
- Thread starter
- #3
Yes. I'd have to search to see if its a timeout, or upon a connection request. I do know that there is some kind of time based maintenance (based upon watching the debug output of establishing IPSec tunnels)
You might start investigating using the "debug IPSEC" commands to troubleshoot.
You might start investigating using the "debug IPSEC" commands to troubleshoot.
HI.
I agree with "cchipman" - it could be a timeout configuration issue.
You should compare the configuration and the output of several "show crypto" commands and verify that all the timeouts match.
You can see here some sample of "debug" commands for VPN:
And here are some "show crypto" samples:
It could also be related to MTU.
You can test this with "ping -f -l NNNN" using different valuse for NNNN (in the range 500 to 1500).
The default MTU for Ethernet on your internal hosts is 1500. If this does not pass unfragmented via the VPN tunnel, you should consider configuring the servers (and maybe workstations) involved with VPN traffic to a lower value like 1400 or even lower.
It can also be a network issue (the Internet). Try unencrypted traffic when you have a problem. For example ping results to the other pix (or to the other router if the pix is configured to block ping).
Yizhar Hurwitz
I agree with "cchipman" - it could be a timeout configuration issue.
You should compare the configuration and the output of several "show crypto" commands and verify that all the timeouts match.
You can see here some sample of "debug" commands for VPN:
And here are some "show crypto" samples:
It could also be related to MTU.
You can test this with "ping -f -l NNNN" using different valuse for NNNN (in the range 500 to 1500).
The default MTU for Ethernet on your internal hosts is 1500. If this does not pass unfragmented via the VPN tunnel, you should consider configuring the servers (and maybe workstations) involved with VPN traffic to a lower value like 1400 or even lower.
It can also be a network issue (the Internet). Try unencrypted traffic when you have a problem. For example ping results to the other pix (or to the other router if the pix is configured to block ping).
Yizhar Hurwitz
- Thread starter
- #6
I have seen this behaviour with the PIX far more often than VPN Concentrators in the same situation. My conclusion is that the pix is slightly less robust when it comes to sustaining inactive tunnels. In testing downed vpn tunnels I did discover that pinging from the far side would always bring the tunnel back up.
My solution PIX to PIX is to use a keepalive IE: isakmp keepalive 10 10
In cases where the remote hardware does not have a keepalive function, I use task scheduler on a remote server to ping a local server every 10 mins.
Now my VPN tunnels rarely go down. I should point out that in several cases I really don't care if the tunnel drops out, since any network traffic from those locations to the PIX always reconnects the tunnel.
My solution PIX to PIX is to use a keepalive IE: isakmp keepalive 10 10
In cases where the remote hardware does not have a keepalive function, I use task scheduler on a remote server to ping a local server every 10 mins.
Now my VPN tunnels rarely go down. I should point out that in several cases I really don't care if the tunnel drops out, since any network traffic from those locations to the PIX always reconnects the tunnel.
- Status
Similar threads
- Locked
- Question
- Locked
- Question