Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Site to Site VPN issues

Status
Not open for further replies.

dano1979

IS-IT--Management
Jan 12, 2006
22
US
Hello all,

I'm trying to figure out a problem we're having with 2 sites. These are the only 2 sites connected via vpn site 2 site. The host location has a PIX515(T1) and both remote locations have 501's(1 DSL and 1 Cable). It doesn't appear to be a time out issue as the users are abruptly disconnected at both sites at the same time while keeping the connection active. Unfortunately, we have an old IBM mainframe, users use a telnet client to connect. So they know when the connection drops because there sessions close and then my phone rings. It's backup in less than 10 seconds. Any thoughts? I do have keepalive set at all locations.

Thanks,
Dan
 
You said both sites drop at exaclty the same time? Well you could do some poking around in the pix. Do you have a syslog server? or at least logging to buffer on the pix? Check the logs and see what is happening at the time the connections dies. If it is necessary to do debugging you will be able to see if a reset packet is being sent. Another thought is the server. Is the server dropping these connections ? Is there anything in the logs on the server? May have to increase the xlate and connection timeouts on the pix.
 
Yes, both sites same time.

I do have a syslog server and i'm using Firegen to pull out any relevant information, which hasn't been much. I'll note today what shows up if it happens.

I'm quite certain the telnet daemon does not have a timeout period set as all of our users at the host location are also connected to this box and they are not getting disconnected.

Would you like to see what my current xlate and connection timeouts are set to?

Thanks for any help!
Dano
 
Yes show your timeouts. I have had this problem before and had to increse them.
 
timeout xlate 0:30:00
timeout conn 0:50:00 half-closed 0:30:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute

Thanks!
 
I would increase your xlate and connection table to hours rather than minutes. If your employees work for 8 hours, try setting to 6 hours for both.


conf t
timeout xlate 6:00:00
timeout conn 6:00:00 half-closed 0:30:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
 
Thanks for the last reply.

Today it happened again and I found this in the log at the exact time it happened,

decaps: rec'd IPSEC packet has invalid spi for destaddr=vpn.Redlon-Johnson.com, prot=esp, spi=0x3d7851cc(1031295436), srcaddr=pool-70-16-65-202.port.east.verizon.net
 


Try increasing the SA lifetime:

isakmp policy (priotitynumber) lifetime 28800

That will keep the lifetime of the SA to 8 hours. That may be part of the problem. What is the lifetime on both sides? What OS Version are you running on all sites? Remember you will want to do the changes on all pixes.
 
On both sites and host site:

lifetime 86400

OS's

501's
Cisco PIX Firewall Version 6.3(4)103
Cisco PIX Firewall Version 6.3(5)

515
Cisco PIX Firewall Version 6.3(5)
 
Just thought I'd give an update to this.

Turns out our firewall had a "Field Notice" issued for an Ethernet Controller. Document ID 15905

The link was going up and down as indicated in syslog from our switch.

Thanks,
Dan
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top