PPTP clients lose connection to Cisco PIX 506E after a while

Hi all, A customer of mine has just gotten a new Cisco PIX 506E, and we are experiencing some trouble with it. Hope some of you can point me in the right direction to fix this...

  1. Using PDM on the inside, I lose the connection to the PDM Java app after a while. I have to close the browser altogether and log back on to access it. Has anyone experienced this? (Tried different browsers, same result.)

  2. VPN users use PPTP to access the firewall. Most of the clients are on Windows Vista, but XP users reportedly also have problems. What I've heard is that they lose the connection after a while, although the connection icon still tells the user that he/she is connected. The workaround is to manually disconnect and connect again.

Should I try to play with the MTU size on the inside interface to see if this can have any effect?

I have never had these problems on a PIX before, so I'm not sure where to start looking for errors. I have installed a syslog server that hopefully will give me some info, but any pointers would be deeply appreciated. My config is as follows:

mtu inside 1500
ip address outside xxx.xxx.44.62 255.255.252.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 192.168.1.101-192.168.1.150 mask 255.255.255.0
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 213.179.57.7 255.255.255.255 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.1.24 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.24 www netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.44.61 10
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 5
aaa-server RADIUS deadtime 1
aaa-server RADIUS (inside) host 192.168.1.2 cisco timeout 5
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
isakmp nat-traversal 20
telnet 84.209.249.249 255.255.255.255 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP_VPN accept dialin pptp
vpdn group PPTP_VPN ppp authentication chap
vpdn group PPTP_VPN client configuration address local VPNPool
vpdn group PPTP_VPN client configuration dns 192.168.1.2
vpdn group PPTP_VPN pptp echo 60
vpdn group PPTP_VPN client authentication local
vpdn username cisco password *********
vpdn username vpn password *********
vpdn username trond password *********
vpdn enable outside
dhcpd address 192.168.1.20-192.168.1.100 inside
dhcpd dns 192.168.1.2 84.20.96.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:
: end
[OK]

Best regards,
Trond Hindenes
Norway

Reply to
trond

Good day

I'm not much of an expert on the PIX firewall, but is it possible that the connections are timing out due to inactivity? Are the users actively working over that VPN link when it stops responding? You could look at what the default timeout is on the connection (though I should think the software would disconnect at that point; maybe a bug in the software or in the PIX OS with PPTP?)

Also, as to the idea about MTU, what kind of connection is the PIX connected to? If it's ADSL, or any ATM link for that matter, you may have to play with it (normally, I set the MTU on the WAN at 1452 bytes when dealing with ATM). Otherwise, you shouldn't have to play with the MTU. Ethernet has to run 1500 bytes, so your config looks ok that way.

Hope this helps a little

Reply to
Mike Rahl
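For the timeout question raised above, here is an added helper that is not from the thread: it takes the timeout and pptp echo lines from the PIX 6.3 config in the first post (copied into the script as a constructed sample, not read from a device), converts the h:mm:ss values to seconds, and lists the timers that are shorter than a given idle period, so each timer can be compared against the 60 second PPTP echo interval at a glance.

```python
import re

# Constructed sample: the timeout and pptp echo lines copied from the PIX 6.3
# config in the first post (not read from a live device).
PIX_CONFIG = """\
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
vpdn group PPTP_VPN pptp echo 60
"""

HMS = re.compile(r"^(\d+):(\d{2}):(\d{2})$")

def hms_to_seconds(value: str) -> int:
    """Convert a PIX h:mm:ss timer value (e.g. '1:00:00') to seconds."""
    m = HMS.match(value)
    if not m:
        raise ValueError(f"not a PIX timer value: {value!r}")
    h, mm, ss = (int(x) for x in m.groups())
    return h * 3600 + mm * 60 + ss

def parse_timeouts(config: str) -> dict:
    """Return {timer_name: seconds} for every name/value pair on 'timeout' lines."""
    timers = {}
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] != "timeout":
            continue
        i = 1
        while i < len(words):
            if i + 1 < len(words) and HMS.match(words[i + 1]):  # name followed by h:mm:ss
                timers[words[i]] = hms_to_seconds(words[i + 1])
                i += 2
            else:
                i += 1  # bare keyword such as 'absolute' carries no value
    return timers

def pptp_echo_interval(config: str):
    """Return the 'vpdn group <name> pptp echo <sec>' value, or None if unset."""
    for line in config.splitlines():
        m = re.match(r"vpdn group \S+ pptp echo (\d+)$", line.strip())
        if m:
            return int(m.group(1))
    return None

def timers_shorter_than(config: str, seconds: int) -> list:
    """Names of timers below `seconds`; a value of 0 means 'never' on PIX and is skipped."""
    return sorted(n for n, s in parse_timeouts(config).items() if 0 < s < seconds)
```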

Which version of PIX are you running and what are the timeout parameters you have set?

There is a known issue for IPsec VPN tim

> Hi all,

Reply to
ciscosec

Hi, it's running PIX 6.3(5), which (as far as I know) is the latest supported OS on the 506E. All the parameters are shown in the config I sent. On the clients, timeout is not set.

Thanks,

Tr

> which version of PIX are you running and what are the timeout

Reply to
trond

Not a PIX guru, but I had no luck at all with PPTP on a Cisco 2650 with IOS 12.3. It seems that PPTP uses a conversation ID that distinguishes between communicating devices; the above setup would not work unless each user was given the same IP at connect time (no NAT overload, it had to be static). With DHCP-style allocation, it was a mess.

I had to use a Netgear FVS318 on the Internet with TCP 1723 open and translated to a Win 2000 server running RRAS. DHCP allocation now worked with PPTP.

Reply to
Houston SBC

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.