
Trouble shooting PIX to PIX tunneling

Status
Not open for further replies.

dennispelea

IS-IT--Management
Sep 18, 2003
4
PH
I have configured pix to pix tunneling for three geographical locations, namely Gurgaon India, Philippines and New Jersey USA. My tunnel between Gurgaon and Philippines is working fine and I never encounter any problem on it. However, for my tunnel between Gurgaon and New Jersey, when there's no traffic flowing on it, the tunnel automatically shuts down. The tunnel never comes up again unless I issue the "clear crypto isakmp sa" command on the New Jersey Pix.

Is there a long term solution for this kind of problem so that we don't need to issue the same command to bring up the tunnel connection again?

Please tell me. Your help is greatly appreciated.

Thanks again
dennis
 
Please post the crypto part of your configuration, just xxx out the IP address parts, peers and such.

Jan
 
Hi dennis,
How are you doing? The problem that you are facing is a very common problem using VPN tunnels across local and remote pixes. You can always implement the keepalives on all the Cisco pixes.
Keepalives are a kind of hello packet that keeps polling the remote party to see if the connection is idle or terminated once the interesting traffic is not passing through.
The command will be:
isakmp keepalive 10 2
The value 10 is the time interval between packets, ten seconds to be precise. The value 2 is the retry interval in case the response is not received for the keepalive packet.
Secondly you need to verify if the isakmp policy security association lifetime and crypto ipsec security association lifetime are set to the maximum value.
Personally I believe that the isakmp keepalives should solve this problem. Do let me know if it does.

Blackbug
 
Hi Blackbug,

Thanks for your tips. I believe that your suggestion is the solution to my problem. However I am getting a problem applying it to my pix firewall. I am getting this kind of error every time I issue the command. Please refer below to the error I am getting every time I apply the command you suggested to resolve my problem.

pixfirewall(config)# isakmp keeplive 10 2
type help or '?' for a list of available commands.

Looking forward to your guidance on how to troubleshoot this kind of error.

Thank you very much for your time.

Regards,
Dennis
 
You have entered the command wrong, it's not "keeplive 10 2" but "keepalive 10 2".

Jan
 
Ooooppps!!! Ostriches put their heads in the sand whenever they feel embarrassed.

Thanks my friend. It's OK now.

regards,
Dennis
 
Hi Dopehead,

Sorry to inform you that the problem still persists. To give you details, please refer to the email below.

When they disconnect for a period of time and then reconnect again, they can't access some of our network anymore, so what we are doing right now is to issue the "clear crypto ipsec sa" command, after which they regain access to all our network. Is there some bug on the Cisco PIX 515? We have 3 Cisco PIX 515s, 2 are running on the same IOS and the 3rd is running on a much higher version of IOS, and all are encountering the same problem with our VPN client.

regards,
Dennis
 
Hi dennis,
A few more things that might be of relevance:
a) Make sure that isakmp keepalives are specified on all the peers. Whether using full mesh or hub and spoke, the command needs to be in all the local and remote pixes. Keepalives are symmetrical in nature.

b) You can set the isakmp lifetime and crypto ipsec security association lifetime to the maximum value.
The max value for the isakmp lifetime is 86400. Again it has to be symmetrical across all the configurations.

c) What codes are you implementing on the Cisco pix boxes?
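A quick way to check Blackbug's points (a) and (b), that the keepalive and lifetime settings have to be present and identical on every peer, as an added example that is not from this thread or from Cisco: a small Python script that pulls the isakmp keepalive and lifetime lines out of each PIX's "show run" text and flags any peer where a setting is missing or differs. The three config excerpts are constructed samples with the New Jersey box deliberately out of step, not the poster's real configs.

```python
import re

# Constructed PIX 6.x config excerpts for the three peers in the thread.
# Only the lines the audit cares about are included; these are samples,
# not real configs, and "newjersey" is intentionally out of step.
CONFIGS = {
    "gurgaon": """
isakmp enable outside
isakmp keepalive 10 2
isakmp policy 10 lifetime 86400
crypto ipsec security-association lifetime seconds 28800
""",
    "philippines": """
isakmp enable outside
isakmp keepalive 10 2
isakmp policy 10 lifetime 86400
crypto ipsec security-association lifetime seconds 28800
""",
    "newjersey": """
isakmp enable outside
isakmp policy 10 lifetime 3600
crypto ipsec security-association lifetime seconds 28800
""",
}

# One regex per setting; group 1 captures the value to compare across peers.
PATTERNS = {
    "isakmp_keepalive": r"^isakmp keepalive (\d+ \d+)$",
    "isakmp_lifetime": r"^isakmp policy \d+ lifetime (\d+)$",
    "ipsec_sa_lifetime": r"^crypto ipsec security-association lifetime seconds (\d+)$",
}


def extract_settings(config):
    """Return {setting: value} for one config excerpt; None when the line is absent."""
    found = {}
    for name, pattern in PATTERNS.items():
        match = re.search(pattern, config, re.MULTILINE)
        found[name] = match.group(1) if match else None
    return found


def audit_peers(configs):
    """Return [(setting, {peer: value})] for every setting missing on a peer or not identical on all peers."""
    per_peer = {peer: extract_settings(cfg) for peer, cfg in configs.items()}
    problems = []
    for name in PATTERNS:
        values = {peer: settings[name] for peer, settings in per_peer.items()}
        if None in values.values() or len(set(values.values())) > 1:
            problems.append((name, values))
    return problems


if __name__ == "__main__":
    for name, values in audit_peers(CONFIGS):
        print(f"{name} mismatch: {values}")
```

On the sample above it reports the missing keepalive and the 3600 vs 86400 isakmp lifetime on newjersey and stays quiet about the ipsec SA lifetime, which matches everywhere.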
 