
VPN tunnel Keeps going down


TheStressFactor

IS-IT--Management
Sep 24, 2002
229
US
Hello all. For some reason one of my VPN tunnels seems to go down every few hours. It is connected to a WatchGuard Firebox on the other end. Our other tunnel is set up the same exact way and seems very solid; we never have problems with it.

Can anyone take a look at my config and see if they can find what may be causing the tunnel to go down every few hours? It is the tunnel for isakmp policy 10 and testmap10.

Thank you so much.

PIX Version 6.3(1)
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password encrypted
passwd encrypted
hostname mypix
domain-name mydomain.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list nonat permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.192
access-list nonat permit ip 192.168.5.0 255.255.255.0 10.1.1.0 255.255.255.192
access-list tunnel permit ip 192.168.3.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list tunnel permit ip 192.168.5.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list tunnel permit ip 192.168.4.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list tunnel permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list tunnel permit ip 192.168.0.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list outside permit tcp any host x.x.x.x eq smtp
access-list outside permit tcp any host x.x.x.x eq https
access-list GRIFFIN permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list GRIFFIN permit ip 192.168.5.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list GRIFFIN permit ip 192.168.4.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list GRIFFIN permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list GRIFFIN permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging host inside 192.168.3.44 6/1470
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside x.x.x.x 255.255.255.240
ip address inside 192.168.3.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.1.1-10.1.1.50
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.3.2 255.255.255.255 inside
pdm location 192.168.3.4 255.255.255.255 inside
pdm location 192.168.3.7 255.255.255.255 inside
pdm location 192.168.3.9 255.255.255.255 inside
pdm location 192.168.3.44 255.255.255.255 inside
pdm location 192.168.4.0 255.255.255.0 inside
pdm location 192.168.5.0 255.255.255.0 inside
pdm location 10.1.1.0 255.255.255.0 outside
pdm location 192.168.20.0 255.255.255.0 outside
pdm location 192.168.77.0 255.255.255.0 outside
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 192.168.4.0 255.255.255.0 0 0
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
static (inside,outside) tcp x.x.x.x https 192.168.3.4 https netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x smtp 192.168.3.2 smtp netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.0.0 255.255.255.0 192.168.3.6 1
route inside 192.168.1.0 255.255.255.0 192.168.3.6 1
route inside 192.168.4.0 255.255.255.0 192.168.3.6 1
route inside 192.168.5.0 255.255.255.0 192.168.3.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.3.x timeout 10
url-server (inside) vendor websense host 192.168.3.9 timeout 5 protocol TCP version 4
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.3.44 images
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set pixtransform esp-3des esp-sha-hmac
crypto ipsec transform-set marinohome esp-des esp-md5-hmac
crypto ipsec transform-set GRIFFIN esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set marinohome
crypto map testmap 10 ipsec-isakmp
crypto map testmap 10 match address tunnel
crypto map testmap 10 set peer x.x.x.x
crypto map testmap 10 set transform-set pixtransform
crypto map testmap 10 set security-association lifetime seconds 3600 kilobytes 8192
crypto map testmap 20 ipsec-isakmp
crypto map testmap 20 match address GRIFFIN
crypto map testmap 20 set peer x.x.x.x
crypto map testmap 20 set transform-set GRIFFIN
crypto map testmap 20 set security-association lifetime seconds 3600 kilobytes 8192
crypto map testmap 999 ipsec-isakmp dynamic dynmap
crypto map testmap interface outside
crypto map marinohome 10 ipsec-isakmp dynamic dynmap
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.0.0.0
isakmp key ******** address x.x.x.x netmask 255.255.255.248
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup address-pool ippool
vpngroup dns-server 192.168.3.7
vpngroup wins-server 192.168.3.7
vpngroup default-domain mydomain
vpngroup split-tunnel split
vpngroup idle-time 2000
vpngroup authentication-server partnerauth
vpngroup user-authentication
vpngroup device-pass-through
vpngroup password
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
url-block url-mempool 1500
url-block url-size 4
terminal width 80
Cryptochecksum:e297a2552067e04dbca04eab435bec0e
: end
 
First off, what do you mean by "it goes down"? That is a broad statement of fact. The lifetime is set to 6 hours, so it will rekey then. It will drop some TCP connects at that point as well. It is also set to 8 megs of transfer before rekey. That is mere seconds on most internet pipes I work with. Try upping those times. 86400 seconds and a really high number of kB is better, but not required. In fact, unless it is just a TCP connection that you are basing this on, this idea will not help much at all. In fact I just do not even use that line at all, and leave it default, whatever that is.

Also make sure that it is using the correct tunnel: do a show ipsec sa command when the 2 tunnels are up. You should see a tunnel for every line of the access-list for each crypto map, so 10 tunnels. Look to see that some are using the crypto map testmap 10 map, and not the dynamic map. Another way to see if the dynamic map is in use is to issue a show access-list and look for dynamic access-lists that have the same information as the tunnel access-list has.

The other stuff looks fine. except this
access-list nonat permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.192
access-list nonat permit ip 192.168.5.0 255.255.255.0 10.1.1.0 255.255.255.192

and this together
access-list nonat permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.77.0 255.255.255.0

This is a no-no. You are using the same subnet with different overlapping masks. This may not be related, and in fact may not even be causing a problem assuming you are not getting overlapping IPs, but it is still a no-no.

But we would like to know what exactly you mean by "it goes down". Does it go down and not come back? Is it a regular interval, i.e. 6 hours? Is it daily, perhaps at a certain time? Is it related to a certain host or application on your network? Is the pipe full to the limit just before dropping out? How do you know it is going down? What indication do you get that it is down? Is there a specific host that you use on the remote LAN to monitor whether it is up? Does your internet connection drop at the same time? Does the internet connection of the other end drop when the tunnel goes down? Can you create a stable tunnel to the Firebox from anywhere else? Can you perhaps make a tunnel between the 2 Fireboxes and test the reliability of the Firebox in question?

Answer those questions for yourself and you may find the answer to your original question. If not perhaps someone here can find it within the answers to some of those questions. Just from your config file I do not see why it is not working, but then again it is rarely the config that is fully to blame in these cases.

Good luck
Eddie Venus
 
Hi.

Your problem could be related to mismatched timeout values as "EddieVenus" wrote.
Try to list all the timeout values for each device and compare them - check also for default values not shown in the config.

Some comments about your config:
> isakmp key ******** address x.x.x.x netmask 255.0.0.0
> isakmp key ******** address x.x.x.x netmask 255.255.255.248
Normally, the subnet mask for the "isakmp key" command should be 255.255.255.255 because you are specifying a single IP address of the remote peer.

Now, try also to add the "no-xauth" parameter to the "isakmp key" command.

I don't think that these changes will fix the problem, but you can still try them.
Try also to remove the VPN client configuration just to make sure that it is not related to your problem.

Remember that troubleshooting the VPN should be done for both peers, so the problem could be at the WatchGuard Firebox.
One way to test is to establish a different tunnel from another pix at another location (for example a lab if you have one) and see how it goes.

Try keeping the tunnel active by periodically pinging across it. Does it change anything?




Yizhar Hurwitz
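The checks both replies ask for (the 8192-kilobyte volume lifetime that rekeys within seconds on a busy link, the nested nonat entries Eddie points out, and the non-/32 isakmp key masks and missing no-xauth Yizhar points out) can be run mechanically over a saved config. The script below is an added example, not a Cisco tool and not code from any poster. Its config excerpt is constructed from the posted one with placeholder peer addresses (203.0.113.x) and an assumed vpngroup name (remoteusers); the default link speed (1.5 Mbps, a T1) and the 1024-byte kilobyte in the rekey arithmetic are assumptions as well.

```python
"""Lint a PIX 6.3 config for the tunnel-stability issues raised in the thread.
Added example; the config excerpt is constructed, peers are placeholders."""
import ipaddress
import re

SAMPLE_CONFIG = """\
access-list nonat permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.192
crypto map testmap 10 set security-association lifetime seconds 3600 kilobytes 8192
crypto map testmap 20 set security-association lifetime seconds 3600 kilobytes 8192
isakmp key ******** address 203.0.113.10 netmask 255.0.0.0
isakmp key ******** address 203.0.113.20 netmask 255.255.255.248
isakmp key ******** address 203.0.113.30 netmask 255.255.255.255 no-xauth
vpngroup remoteusers user-authentication
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
SA_LIFE_RE = re.compile(
    r"^crypto map (\S+) (\d+) set security-association lifetime seconds (\d+) kilobytes (\d+)$")
ISAKMP_KEY_RE = re.compile(r"^isakmp key \S+ address (\S+) netmask (\S+)(.*)$")


def _net(addr, mask):
    # ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def overlapping_nonat(config, acl="nonat"):
    """Pairs of ACL entries with the same source whose destinations nest
    (one is a proper subnet of the other), i.e. the overlap Eddie flagged."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl:
            entries.append((_net(m.group(2), m.group(3)), _net(m.group(4), m.group(5))))
    hits = []
    for i, (src_a, dst_a) in enumerate(entries):
        for src_b, dst_b in entries[i + 1:]:
            if src_a == src_b and dst_a != dst_b and (
                    dst_a.subnet_of(dst_b) or dst_b.subnet_of(dst_a)):
                hits.append((f"{src_a} -> {dst_a}", f"{src_b} -> {dst_b}"))
    return hits


def seconds_to_rekey(lifetime_seconds, lifetime_kilobytes, link_mbps):
    """Seconds until the SA rekeys with the tunnel saturated at link_mbps:
    the time limit or the volume limit, whichever is reached first.
    Assumes a 1024-byte kilobyte."""
    volume_bits = lifetime_kilobytes * 1024 * 8
    volume_seconds = volume_bits / (link_mbps * 1_000_000)
    return min(lifetime_seconds, volume_seconds)


def sa_lifetime_findings(config, link_mbps=1.5, floor_seconds=600):
    """Flag crypto map entries whose volume lifetime forces a rekey much
    sooner than the time lifetime on a busy link (assumed default: a T1)."""
    findings = []
    for line in config.splitlines():
        m = SA_LIFE_RE.match(line.strip())
        if not m:
            continue
        name, seq, secs, kb = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))
        t = seconds_to_rekey(secs, kb, link_mbps)
        if t < floor_seconds:
            findings.append(f"{name} {seq}: {kb} KB limit rekeys after ~{t:.0f}s "
                            f"at {link_mbps} Mbps (time limit is {secs}s)")
    return findings


def isakmp_key_findings(config):
    """A LAN-to-LAN pre-shared key should name one peer (/32). When the same
    box also runs a vpngroup with user-authentication, the thread's advice
    is to add no-xauth so the remote gateway is not challenged for a user."""
    has_xauth_group = any(ln.startswith("vpngroup") and "user-authentication" in ln
                          for ln in config.splitlines())
    findings = []
    for line in config.splitlines():
        m = ISAKMP_KEY_RE.match(line.strip())
        if not m:
            continue
        peer, mask, rest = m.groups()
        if mask != "255.255.255.255":
            findings.append(f"isakmp key for {peer}: netmask {mask} should be 255.255.255.255")
        if has_xauth_group and "no-xauth" not in rest:
            findings.append(f"isakmp key for {peer}: add no-xauth")
    return findings


def lint(config, link_mbps=1.5):
    report = [f"nonat overlap: '{a}' nested with '{b}'" for a, b in overlapping_nonat(config)]
    report.extend(sa_lifetime_findings(config, link_mbps))
    report.extend(isakmp_key_findings(config))
    return report


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

On the posted values, 8192 KB at T1 speed is gone in about 45 seconds, so a saturated tunnel rekeys on volume long before the 3600-second timer; the PIX default of 4,608,000 KB does not trip before the timer at that speed, which is why leaving the line at its default, as Eddie does, behaves better. Run the script against a full `write terminal` capture rather than the excerpt to see every crypto map entry and key.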
 