PIX 515e & Cisco VPN client. Split-tunnel limit of 50?

Hi all, I am using a PIX 515e running 6.3(5) and windows/linux vpn clients 4.7 and 4.8.

I have a very simple requirement. I need to have a lot more split-tunnels defined than usual as I am dealing with a worldwide corporate internal network. Within this network, there are 400+ discrete "internal" subnets which are being passed to the pix by OSPF. I need the clients to be able to get to all these internal networks but still have external internet access at the same time.

I am NOT interested in the security implications of this but need a technical solution to the problem.

I can define them in the PIX but only the first 50 are pushed to the vpn client.

Does anyone have a solution for this?

Thanks, K.

-- kelvin.hill

Can you give us an example of the subnets in question? Frankly I'd summarize the routes. For example if all your internal routes were under 10.1.0.0/16 and 10.50.0.0/16 then I'd summarize the routes and hand 2 /16s to the VPN user. If your subnets are more spread out than that, then I'd venture to say that you have a serious IP organization problem and you need to clean up your IP addressing scheme.

-- J

I don't disagree. The IP allocation has been built up over many years across many countries, each with their own MIS teams. We have been Internet users almost before there was an Internet...

However, we do have a problem as described in my first post and for now I have to work within that, hence the request for the expertise of those who populate this newsgroup.

I have done route summarisation using a program I wrote to parse the routing tables. However, even with the most aggressive summarisation I can only reduce it to 117 route table entries. This obviously still leaves me with a problem when someone on the end of a VPN link informs me that they can't get to some little used server in Brazil for example.

I can and have tried to do a "maximum hit rate" selection of routes to accommodate the majority of users but I need to try and handle 100% of my clients.

Any geniuses out there?

K.

-- kelvin.hill
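Route summarisation of the kind Kelvin describes, as an added example that is not code from the thread: an exact (lossless) collapse first, then a greedy lossy pass that widens prefixes until the list fits a client-side entry limit, reporting how much non-internal address space the widened prefixes pull into the tunnel. The subnet list and the limits are constructed for illustration; a real run would be fed the PIX/OSPF routing table instead.

```python
import ipaddress
from typing import Iterable, List, Tuple

Net = ipaddress.IPv4Network


def exact_summary(prefixes: Iterable[str]) -> List[Net]:
    """Lossless summarisation: only adjacent or overlapping prefixes are merged,
    so the result covers exactly the same addresses as the input."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return sorted(ipaddress.collapse_addresses(nets))


def common_supernet(a: Net, b: Net) -> Net:
    """Smallest single prefix that contains both a and b."""
    s = a
    while not b.subnet_of(s):
        s = s.supernet()  # widen by one bit; 0.0.0.0/0 always terminates the loop
    return s


def fit_to_limit(prefixes: Iterable[str], limit: int) -> Tuple[List[Net], int]:
    """Lossy summarisation (greedy heuristic): repeatedly merge the sorted-adjacent
    pair whose common supernet adds the fewest addresses that were not in the
    input, until at most `limit` entries remain. Returns (routes, overreach),
    where overreach counts addresses now sent down the tunnel that were never
    internal; that is the trade-off of squeezing under a split-tunnel entry cap."""
    routes = exact_summary(prefixes)
    internal = sum(n.num_addresses for n in routes)
    while len(routes) > max(limit, 1):
        best_net, best_cost = None, None
        for a, b in zip(routes, routes[1:]):
            cand = common_supernet(a, b)
            covered = sum(n.num_addresses for n in routes if n.subnet_of(cand))
            cost = cand.num_addresses - covered  # newly tunnelled, non-internal space
            if best_cost is None or cost < best_cost:
                best_net, best_cost = cand, cost
        # collapse_addresses drops every route the chosen supernet now covers
        routes = sorted(ipaddress.collapse_addresses(routes + [best_net]))
    overreach = sum(n.num_addresses for n in routes) - internal
    return routes, overreach


# Constructed sample of "internal" subnets (not from the thread).
SAMPLE = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24",
          "10.50.0.0/24", "10.50.1.0/24", "172.16.8.0/24", "192.168.200.0/24"]

if __name__ == "__main__":
    print("exact:", [str(n) for n in exact_summary(SAMPLE)])
    for limit in (3, 2):
        routes, extra = fit_to_limit(SAMPLE, limit)
        print(f"limit {limit}: {[str(n) for n in routes]}  "
              f"non-internal addresses tunnelled: {extra:,}")
```

With the sample, fitting to 2 entries ends at 10.0.0.0/10 plus 128.0.0.0/1, i.e. over two billion addresses that were never internal now go through the tunnel, which is the cost J's summarisation advice implies once prefixes are widened beyond what the allocation supports.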

Anyone? K.

-- Kelvin J. Hill

What does the output of "vpnclient stat route " on one of the Linux boxes show?

-- Merv

50 route entries. All the excess never show up on the linux or windows clients display.
-- Kelvin J. Hill

This seems to be a bug to me as there is no stated restriction mentioned in the VPN client docs.

Have you opened a case with the Cisco TAC?

-- Merv


BTW how many users is the PIX licensed for ?

-- Merv

We have no support contract on this unit, so no we have not raised a TAC case.

Hence the approach to the "world".

-- kelvin.hill

We have a UR bundle and therefore have no limit on users. On average, we have about 80 VPN tunnels open at any one time.

-- kelvin.hill

Is there consistency to which 50 routes are received by the VPN clients ?

For example, does each VPN client get the same 50 routes or is it random?

-- Merv

Each client gets the same routes. They are the first 50 of those defined in the PIX configuration access-list lines. The 51st and subsequent entries defined in the PIX are ignored. Either they are not being sent by the PIX or the client fills up some internal table and stops after the first 50 received.

Regards, Kelvin.

-- kelvin.hill
