PIX IPsec tunnels problem

I have problems with IPsec tunnels on a PIX 525 running 7.0. For some time everything is OK and then the tunnels get messed up. When I go to Monitor, then VPN, and look at the list of LAN-to-LAN tunnels, I can see that rx bytes is incrementing as the remote location is sending data, but tx is zero. Only a firewall restart helps. Any ideas? I've tried everything: changing from dynamic map to static, upgrades; now I am on 7.0(2). Here is part of the config. I am using 3600 sec timeouts on the peer side.

access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.c.88 255.255.255.248
access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.c.72 255.255.255.248
access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.c.24 255.255.255.248
access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.c.32 255.255.255.248
access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.c.216 255.255.255.248
access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.b.16 255.255.255.248
access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.b.24 255.255.255.248
access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.b.64 255.255.255.248
access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.b.80 255.255.255.248

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 3
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none

vpn-sessiondb max-session-limit 200

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map intf2_vip_cdyn_map 1000 match address intf2_vip_ccryptomap_dyn_1000
crypto dynamic-map intf2_vip_cdyn_map 1000 set transform-set ESP-3DES-SHA ESP-DES-MD5
crypto dynamic-map intf2_vip_cdyn_map 1000 set security-association lifetime kilobytes 2147483647
crypto dynamic-map intf2_vip_cdyn_map 1000 set nat-t-disable

crypto map intf2_vip_cmap 65535 ipsec-isakmp dynamic intf2_vip_cdyn_map
crypto map intf2_vip_cmap interface intf2_vip

isakmp enable intf2_vip
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp disconnect-notify

tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup ipsec-attributes
 trust-point kevin.erste.hr
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point kevin.erste.hr
tunnel-group x.x.251.1 type ipsec-l2l
tunnel-group x.x.251.1 ipsec-attributes
 pre-shared-key *
tunnel-group x.x.251.2 type ipsec-l2l
tunnel-group x.x.251.2 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.251.3 type ipsec-l2l
tunnel-group x.x.251.3 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.251.4 type ipsec-l2l
tunnel-group x.x.251.4 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.251.5 type ipsec-l2l
tunnel-group x.x.251.5 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.1 type ipsec-l2l
tunnel-group x.x.250.1 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.2 type ipsec-l2l
tunnel-group x.x.250.2 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.3 type ipsec-l2l
tunnel-group x.x.250.3 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.4 type ipsec-l2l
tunnel-group x.x.250.4 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.6 type ipsec-l2l
tunnel-group x.x.250.6 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.7 type ipsec-l2l
tunnel-group x.x.250.7 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.8 type ipsec-l2l
tunnel-group x.x.250.8 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.9 type ipsec-l2l
tunnel-group x.x.250.9 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.10 type ipsec-l2l
tunnel-group x.x.250.10 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.11 type ipsec-l2l
tunnel-group x.x.250.11 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.12 type ipsec-l2l
tunnel-group x.x.250.12 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.13 type ipsec-l2l
tunnel-group x.x.250.13 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.14 type ipsec-l2l
tunnel-group x.x.250.14 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.15 type ipsec-l2l
tunnel-group x.x.250.15 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable

no

Maybe I have a clue. On the interface where I receive VPN connections, there is an access-list. In case of problems, there is a message that UDP 500 from the peer IP to the PIX interface IP UDP 500 is denied. After a restart and tunnel re-establishment, there is no such message. Looks like the PIX access-list stops working!!!!

no

Just a thought. What type of license do you have? Is there a limit on the number of IKE HOSTS you can have? A "show version" should answer the question.

HTH's Jason

thejayman

It happened again, look at this:

Built inbound UDP connection 14580 for intf2_vip:x.x.250.13/500 (x.x.250.13/500) to inside:x.x.254.5/500 (x.x.254.5/500)
UDP access denied by ACL from x.x.250.13/500 to inside:x.x.254.5/500

The first message seems OK, but then it starts. Is it possible that I hit some kind of limit on UDP connections?

Drx

unlimited

no

Another thing I've noticed in the logs is

%PIX-3-313001: Denied ICMP type=11, code=0 from x.x.x.6 on interface inside

a few seconds after the problems start. x.x.x.6 is the router through which the peers are connected to the firewall.

no
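As an added example (not part of the thread), a small Python parser that correlates, per peer, the three message types quoted above: an IKE UDP/500 connection being built, IKE packets dropped by the interface ACL, and ICMP time-exceeded (type 11) from a transit hop being denied. The sample log lines are constructed from the poster's messages with the thread's own x.x.* placeholders; the finding text and the "expect tx=0" interpretation are assumptions drawn from the thread, not PIX output.

```python
import re
from collections import defaultdict

# Message shapes quoted in the thread; x.x.* addresses are the thread's placeholders.
BUILT_RE = re.compile(r"Built inbound UDP connection \d+ for \S+:(\S+)/500")
DENIED_RE = re.compile(r"UDP access denied by ACL from (\S+)/500 to (\S+):(\S+)/500")
ICMP_RE = re.compile(
    r"%PIX-3-313001: Denied ICMP type=(\d+), code=(\d+) from (\S+) on interface (\S+)")

# Constructed sample log, modelled on the lines the poster quoted (not real PIX output).
SAMPLE_LOG = [
    "Built inbound UDP connection 14580 for intf2_vip:x.x.250.13/500 (x.x.250.13/500) "
    "to inside:x.x.254.5/500 (x.x.254.5/500)",
    "UDP access denied by ACL from x.x.250.13/500 to inside:x.x.254.5/500",
    "UDP access denied by ACL from x.x.250.13/500 to inside:x.x.254.5/500",
    "%PIX-3-313001: Denied ICMP type=11, code=0 from x.x.x.6 on interface inside",
    "Built inbound UDP connection 14581 for intf2_vip:x.x.250.14/500 (x.x.250.14/500) "
    "to inside:x.x.254.5/500 (x.x.254.5/500)",
]


def analyze(lines):
    """Return {address: finding} for peers whose IKE is being dropped and hops whose ICMP is denied."""
    built = set()               # peers whose IKE packets the PIX accepted at least once
    denied = defaultdict(int)   # peer -> number of IKE packets dropped by the interface ACL
    ttl_exceeded = []           # (hop, interface) for denied ICMP time-exceeded messages
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            built.add(m.group(1))
            continue
        m = DENIED_RE.search(line)
        if m:
            denied[m.group(1)] += 1
            continue
        m = ICMP_RE.search(line)
        if m and m.group(1) == "11":
            ttl_exceeded.append((m.group(3), m.group(4)))
    findings = {}
    for peer, n in denied.items():
        state = "previously accepted" if peer in built else "never accepted"
        findings[peer] = f"{n} IKE packet(s) dropped by ACL ({state}); rekey cannot complete, expect tx=0"
    for hop, iface in ttl_exceeded:
        findings[hop] = f"ICMP time-exceeded from transit hop denied on {iface}; check path/TTL to peers"
    return findings


if __name__ == "__main__":
    for addr, finding in analyze(SAMPLE_LOG).items():
        print(addr, "->", finding)
```

A peer that only ever appears in "Built inbound" lines (x.x.250.14 in the sample) produces no finding, so the output lists only the peers worth checking against the interface ACL and the IKE host limit Jason asked about.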
