PIX 501 and 506 losing VPN connection to remote site after timeout

I have a PIX 501 at a remote site with two VPN connections back to the home office. After inactivity on the VPN both connections will time out. The problem is I cannot wake the connection from the home office side. If I have them initiate a ping back to the home office I can then talk to the remote network. Is there a way to stop the timeout or set up the VPN to wake when a connection to that network is attempted? Any help would be appreciated.

Thanks

Jay

Do the 501's have dynamic IP addresses? Or, is the home office configured to expect them in via a crypto dynamic map? You cannot wake the tunnel from the home office unless they have a static IP as far as the home office is concerned.

You can increase the lifetimes:

isakmp policy POLICYNUMBER lifetime TIMEINSECONDS
crypto ipsec security-association lifetime seconds TIMEINSECONDS

However, if the connection were to drop for some reason, then this won't help recover the connection. In particular, if the connection drops because the hosts have dynamic IPs and the ISP changed the IP out from underneath them, then there isn't much you can do about it on the PIX. At times like that, it's useful to subscribe to dyndns.com.

Walter Roberson

The client locations have static IP's.

Here is what the home office config looks like.

...
access-list NoNat permit ip 192.168.50.0 255.255.255.0 10.0.39.0 255.255.255.0
access-list NoNat permit ip 192.168.50.0 255.255.255.0 10.0.40.0 255.255.255.0
...
access-list Connect_HOSTNAME permit ip 192.168.50.0 255.255.255.0 10.0.39.0 255.255.255.0
access-list Connect_HOSTNAME permit ip 192.168.50.0 255.255.255.0 10.0.40.0 255.255.255.0
...
crypto map Main_Combined 39 ipsec-isakmp
crypto map Main_Combined 39 match address Connect_HOSTNAME
crypto map Main_Combined 39 set peer OUTSIDE STATIC IP
crypto map Main_Combined 39 set transform-set ESP-AES-MD5
crypto map Main_Combined 40 ipsec-isakmp
crypto map Main_Combined 40 match address Connect_HOSTNAME
crypto map Main_Combined 40 set peer OUTSIDE STATIC IP
crypto map Main_Combined 40 set transform-set ESP-AES-MD5
...
isakmp key ******** address OUTSIDE STATIC IP netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address OUTSIDE STATIC IP netmask 255.255.255.255 no-xauth no-config-mode
...

Am I missing anything? I have configured a few other VPNs in the past month and seem to have the same problem with them until I redo the crypto map on the home office PIX. Is there an order that I need to be doing this in? Should I not configure the home office PIX until the remote PIX is installed?

Thanks for your help.

Jay

That part is okay.

Possibly you have just over-obscured, but you need that as two different ACLs:

access-list Connect_HOST39 permit ip 192.168.50.0 255.255.255.0 10.0.39.0 255.255.255.0
access-list Connect_HOST40 permit ip 192.168.50.0 255.255.255.0 10.0.40.0 255.255.255.0

crypto map Main_Combined 39 match address Connect_HOST39

crypto map Main_Combined 39 set peer HOST39STATICIP

crypto map Main_Combined 40 match address Connect_HOST40

crypto map Main_Combined 40 set peer HOST40STATICIP

The default isakmp lifetime is relatively short, and effectively the shorter lifetime (of the home office or the remote system) is the one used.

Walter Roberson
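The shared-ACL mistake Walter describes can be caught mechanically before the tunnel is brought up. The following Python script is an added example, not something posted in this thread: it parses PIX-style access-list and crypto map lines from a constructed sample config (peer addresses are documentation-range placeholders) and flags crypto map entries that share a match-address ACL or a peer, or that reference an ACL which is never defined.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the (over-obscured) home-office config above.
# Entries 39 and 40 wrongly share one ACL and one peer; entry 41 points at an
# ACL that is never defined. Peers are documentation addresses, not real ones.
SAMPLE_CONFIG = """
access-list Connect_HOSTNAME permit ip 192.168.50.0 255.255.255.0 10.0.39.0 255.255.255.0
access-list Connect_HOSTNAME permit ip 192.168.50.0 255.255.255.0 10.0.40.0 255.255.255.0
crypto map Main_Combined 39 match address Connect_HOSTNAME
crypto map Main_Combined 39 set peer 203.0.113.39
crypto map Main_Combined 40 match address Connect_HOSTNAME
crypto map Main_Combined 40 set peer 203.0.113.39
crypto map Main_Combined 41 match address Connect_HOST41
crypto map Main_Combined 41 set peer 203.0.113.41
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip ")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)")

def parse_crypto_maps(config):
    """Return (set of defined ACL names, {(map, seq): {'acl': ..., 'peer': ...}})."""
    acls, entries = set(), defaultdict(dict)
    for line in (ln.strip() for ln in config.splitlines()):
        if m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := MAP_RE.match(line):
            field = "acl" if m.group(3) == "match address" else "peer"
            entries[(m.group(1), int(m.group(2)))][field] = m.group(4)
    return acls, dict(entries)

def lint_crypto_maps(config):
    """Return sorted findings; an empty list means every entry has its own ACL and peer."""
    acls, entries = parse_crypto_maps(config)
    findings, users = [], defaultdict(list)   # users[(field, value)] -> [seq, ...]
    for (name, seq), e in sorted(entries.items()):
        for field in ("acl", "peer"):
            if field not in e:
                findings.append(f"{name} {seq}: missing {field}")
            else:
                users[(field, e[field])].append(seq)
        if "acl" in e and e["acl"] not in acls:
            findings.append(f"{name} {seq}: ACL {e['acl']} is not defined")
    for (field, value), seqs in users.items():
        if len(seqs) > 1:   # an ACL or peer may belong to only one crypto map entry
            findings.append(f"{field} {value} shared by entries {seqs}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint_crypto_maps(SAMPLE_CONFIG):
        print("WARNING:", finding)
```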

Sorry, I did over-obscure that information; they are unique. I went back into the PDM and removed the old VPN settings and set them back up and it works fine now. I would love to just leave it like that and call it a day, however the powers that be want to keep a naming convention. Is there a way to change the outside_cryptomap_40 id in:

access-list outside_cryptomap_40 permit ip 192.168.50.0 255.255.255.0 10.0.39.0 255.255.255.0

And in the associated crypto map?

I am not sure why when I do it through the console or an SSH session I am having this problem. Have you or anyone else run into this? Like I said, as soon as I redo the VPN I can reestablish the connection from the home office.

Jay

clear xlate
clear crypto sa

If you change the crypto match access lists then you need to clear the SA (security associations) or else it doesn't pick up the change.

Walter Roberson

There's a way to do it going through several changes of crypto maps (build new one with new name B, activate new one B, remove old one A, build new one with old name A, activate old one A, remove new one B) but it's a pain. It's a lot easier if you can spare a few seconds' downtime while you clear the old ACLs and crypto map and tftp in the versions that you really want.

Walter Roberson

And I assume that when I make the changes in the PDM it runs those commands?!?!

If that is the case that explains it.

Thank you very much!!! You have helped me out before on another issue I was having. I appreciate your patience. I am a newb with Cisco and it is nice to know there are people out there that are willing to lend a hand. Thank you again.

Jay
