I recently took over administration of a PIX 515E. I think I have a good understanding of networking and VPNs, however I've never dealt with Cisco devices before, so please forgive me if I use any incorrect terminology or ask any silly questions.
The problem we're having is that the PIX seems to drop connections that use more than a tiny bit of bandwidth. I have a workstation on a public network, and VPN to the PIX to access a private network. I believe that this is called "split tunneling."
When the VPN is connected, I can SSH to hosts on the private network. This works fine for simple command line sessions. However, when I try to copy files over SSH (using scp) to the hosts on the private network, the PIX drops the connection after transferring just a few kilobytes.
Since both the command line sessions and scp are running over the same port to the same host, the only difference I can see is that scp requires a lot more bandwidth. That is why I suspect that the PIX is dropping connections that use more than a tiny bit of bandwidth. When the connection is dropped, I see the following message in the PIX's log:
302015: Built inbound TCP connection 45281 for outside:10.100.3.116/54568 (10.100.3.116/54568) to inside: 10.100.14.2/22 (10.100.14.2/22) 110001: No route to 128.36.236.149 from 128.36.236.114In the above, 128.36.236.149 is my workstation, 128.36.236.114 is the public address of the PIX, 10.100.3.116 is the VPN address of my workstation, and 10.100.14.2 is the host on the private network that I am connecting to. Obviously there is a route between 128.36.236.149 and
128.36.236.114, otherwise the VPN wouldn't work at all. The "no route" message repeats itself several times.I have another issue that may or may not be related. There is a switch on the private network that uses a web interface for administration. When I am connected to the VPN, I can get to the login screen of the web interface of the switch, however as soon as I click "login", the PIX drops the TCP connection entirely. At that point, this message shows up in the PIX's log:
106015: Deny TCP (no connection) from 10.100.3.116/39576 to 10.100.14.200/80 flags PSH ACK on interface outside10.100.3.116 is my workstation's VPN IP, and 10.100.14.200 is the switch on the private network that I am trying to use the web interface of. Obviously if I can get to the login screen of the switch, I am able to access 10.100.14.200 port 80 from 10.100.3.116 without being denied. I don't understand why the PIX would then deny the same connection at a later time.
Any help with these issues would be greatly appreciated. I apologize if I mistyped any of these log messages.. by the way, is there a way to copy and paste log messages from the Windows Cisco ASDM client? I can't seem to figure out how to do it...