Posted by XaBi on July 28, 2006, 4:40 am

PIX 515E with release 7.1. I have a LAN-to-LAN VPN (3DES-MD5). It works perfectly, but if I have a disconnect by timeout or shutdown from the other side, sometimes I see that in the VPN tunnel the TX bytes are at 0. Meanwhile I can see the RX counters incrementing. The tunnel is perfectly established; phase 1 and phase 2 without errors or warnings. But in ASDM, while monitoring the VPN, the TX bytes stay at 0 and the RX increments OK. Any ideas? I'm thinking about a bug in this PIX release :(

Posted by Lutz Donnerhacke on July 28, 2006, 4:54 am

Are both IPSec SAs available? It looks like the classic blackhole effect.

Posted by XaBi on July 28, 2006, 4:59 am

Lutz Donnerhacke wrote:
> * XaBi wrote:
> > PIX 515E with release 7.1. I have lan to lan vpn (3DES-MD5). It works
> > perfect but if I have a disconnect by timeout or shutdown from the
> > other side; sometimes I see that in the VPN tunnel the TX bytes is in
> > 0. Mean while I can see the RX counters incrementing.
> >
> > The tunnel its perfectly established; phase 1 and phase 2 without
> > errors nor warnings.
>
> Are both IPSec SAs available? It looks like the classic blackhole effect.

Yes, they are available; I have phase 1 and phase 2 completed. What's the blackhole effect? Thanks

Posted by Lutz Donnerhacke on July 28, 2006, 5:26 am

* XaBi wrote:
> Lutz Donnerhacke wrote:
>> Are both IPSec SAs available? It looks like the classic blackhole effect.
>
> Yes, they are available; I have phase 1 and phase 2 completed.

Does "show crypto ipsec sa" report two active SAs?

> whats the blackhole effect?

The data channels of IPSec are one-way; that's why there are at least two. If the receiver side forgets the SA, the received data is silently dropped (as required by the standard). There is no way to detect this loss of data other than looking at the SAs on both sides.

Usually this effect does not occur, because the control channel (phase 1) is used to inform the other side about the drop of any SA. Unfortunately the control channel is vulnerable to loss of packets ...

Posted by XaBi on July 28, 2006, 6:06 am

Hi!

Here is the output of the IPsec SA; look at the encapsulation counters at 0; that's the 0 bytes TX. (Removed the public peer IP with *.*.*.*):

Crypto map tag: VPNmap, seq num: 130, local addr: EXTMARMEDSA

  access-list extranet_cryptomap_130 permit ip 10.0.0.0 255.0.0.0 INTSANTANDER 255.255.0.0
  local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
  remote ident (addr/mask/prot/port): (INTSANTANDER/255.255.0.0/0/0)
  current_peer: 88.2.173.40

  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 678, #pkts decrypt: 678, #pkts verify: 678
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt.: EXTMARMEDSA, remote crypto endpt.: *.*.*.*
  path mtu 1500, ipsec overhead 60, media mtu 1500
  current outbound spi: A4D3C26E

  inbound esp sas:
    spi: 0x58F18B77 (1492224887)
      transform: esp-3des esp-md5-hmac
      in use settings ={L2L, Tunnel, }
      slot: 0, conn_id: 29, crypto-map: VPNmap
      sa timing: remaining key lifetime (kB/sec): (4274937/24199)
      IV size: 8 bytes
      replay detection support: Y
  outbound esp sas:
    spi: 0xA4D3C26E (2765341294)
      transform: esp-3des esp-md5-hmac
      in use settings ={L2L, Tunnel, }
      slot: 0, conn_id: 29, crypto-map: VPNmap
      sa timing: remaining key lifetime (kB/sec): (4275000/24199)
      IV size: 8 bytes
      replay detection support: Y

Thank you

Lutz Donnerhacke wrote:
> * XaBi wrote:
> > Lutz Donnerhacke wrote:
> >> Are both IPSec SAs available? It looks like the classic blackhole effect.
> >
> > Yes, they are available; I have phase 1 and phase 2 completed.
>
> Does "show crypto ipsec sa" report two active SAs?
>
> > whats the blackhole effect?
>
> The data channels of IPSec are on-way, that's why there are at least two.
> If the receiver side forget the SA, the received data is silently dropped
> (as required by the standard). There is not way to determine this loss of
> data than looking on the SAs on both sides.
>
> Usually this effect does not occur, because the control channel (phase 1) is
> used to inform the other side about the drop of any SA. Unfortunly the
> control channel is vulnerable to loss of packets ...

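The check Lutz describes, looking at the SAs on both sides, can be scripted. The Python below is an added example, not code from the thread or from Cisco. It parses the `show crypto ipsec sa` text layout shown in XaBi's post (the field names are taken from that output; that other PIX/ASA releases print them the same way is an assumption), flags an entry whose decaps counter moves while encaps stays at 0, and cross-checks SPIs between the two peers: an ESP SPI is chosen by the receiver, so every local outbound SPI must appear in the remote's inbound list, and an outbound SPI the remote no longer knows is exactly the silently-dropped direction. Both samples are constructed from the structure of the posted output, with RFC 5737 documentation addresses substituted; the remote sample is built so that the remote has forgotten the SA behind our outbound SPI.

```python
"""Parse PIX/ASA 7.x `show crypto ipsec sa` output and flag one-way (blackholed) SAs.

Added example, not code from the thread. Field layout follows the output posted
above; other PIX/ASA releases printing it identically is an assumption.
"""
import re

# Constructed sample modelled on XaBi's output (RFC 5737 addresses substituted).
LOCAL_SAMPLE = """\
Crypto map tag: VPNmap, seq num: 130, local addr: 192.0.2.1

  access-list extranet_cryptomap_130 permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0
  local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
  remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
  current_peer: 203.0.113.40

  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 678, #pkts decrypt: 678, #pkts verify: 678
  #send errors: 0, #recv errors: 0

  current outbound spi: A4D3C26E

  inbound esp sas:
    spi: 0x58F18B77 (1492224887)
      transform: esp-3des esp-md5-hmac
  outbound esp sas:
    spi: 0xA4D3C26E (2765341294)
      transform: esp-3des esp-md5-hmac
"""

# Constructed: the remote peer's view, built so that it no longer holds an inbound
# SA for our outbound SPI A4D3C26E (it only knows a newer one, 1B2C3D4E).
REMOTE_SAMPLE = """\
Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.40

  current_peer: 192.0.2.1

  #pkts encaps: 678, #pkts encrypt: 678, #pkts digest: 678
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

  inbound esp sas:
    spi: 0x1B2C3D4E (455884110)
  outbound esp sas:
    spi: 0x58F18B77 (1492224887)
"""


def parse_ipsec_sa(text):
    """Return one dict per 'Crypto map tag' entry: peer, packet counters, ESP SPIs."""
    entries = []
    entry = section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            entry = {"peer": None, "encaps": 0, "decaps": 0,
                     "inbound_spis": [], "outbound_spis": []}
            entries.append(entry)
            section = None
            continue
        if entry is None:
            continue
        for key, pattern in (("peer", r"current_peer:\s*(\S+)"),
                             ("encaps", r"#pkts encaps:\s*(\d+)"),
                             ("decaps", r"#pkts decaps:\s*(\d+)")):
            m = re.match(pattern, line)
            if m:
                entry[key] = m.group(1) if key == "peer" else int(m.group(1))
        if line.endswith(" sas:"):           # "inbound esp sas:" / "outbound esp sas:" / ...
            section = line[:-len(" sas:")]
            continue
        m = re.match(r"spi:\s*0x([0-9A-Fa-f]+)", line)   # skips "current outbound spi:"
        if m and section in ("inbound esp", "outbound esp"):
            entry[section.split()[0] + "_spis"].append(m.group(1).upper())
    return entries


def diagnose(entry):
    """Findings from one peer's view alone; an empty list means nothing looks odd."""
    findings = []
    if not entry["inbound_spis"]:
        findings.append("no inbound ESP SA: whatever the peer sends is dropped here")
    if not entry["outbound_spis"]:
        findings.append("no outbound ESP SA: nothing can be encrypted towards the peer")
    if len(entry["inbound_spis"]) > 1 or len(entry["outbound_spis"]) > 1:
        findings.append("more than one SA per direction: stale SA suspected, check which SPI the peer still knows")
    if entry["decaps"] > 0 and entry["encaps"] == 0:
        findings.append("rx-only: decaps > 0 but encaps == 0 (the symptom in the thread)")
    return findings


def tx_stalled(before, after):
    """True when, between two polls of the same entry, RX moved but TX did not."""
    return after["decaps"] > before["decaps"] and after["encaps"] == before["encaps"]


def spi_mismatch(local, remote):
    """Cross-check both sides: each local outbound SPI must be a remote inbound SPI
    and vice versa. Returns the orphaned (direction, spi) pairs, i.e. blackholes."""
    orphans = [("local->remote", s) for s in local["outbound_spis"]
               if s not in remote["inbound_spis"]]
    orphans += [("remote->local", s) for s in remote["outbound_spis"]
                if s not in local["inbound_spis"]]
    return orphans


if __name__ == "__main__":
    local = parse_ipsec_sa(LOCAL_SAMPLE)[0]
    remote = parse_ipsec_sa(REMOTE_SAMPLE)[0]
    for finding in diagnose(local):
        print("local:", finding)
    for direction, spi in spi_mismatch(local, remote):
        print(f"SPI {spi} ({direction}) is unknown to the receiving side: blackhole")
```

Run it against the output of both peers (paste each side's `show crypto ipsec sa` in place of the constructed samples); poll twice a minute apart and feed both snapshots to `tx_stalled` to separate a genuinely idle direction from a stuck one. An orphaned SPI means the peer has already dropped that SA and the phase-1 notification was lost, which is the case Lutz describes; clearing the stale IPsec SA locally forces a fresh phase-2 negotiation, and dead peer detection on the phase-1 channel is the mechanism meant to catch it sooner.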