issue with VPN pix to pix (Remote access)

Unanswered Question
Mar 16th, 2007

Hello all,


I have trouble with a VPN site-to-site.

Architecture is:

Internal ---- PixV_7.2(1) ---- internet ----- Pix_V6.3(2) ---- Remote site (london)

Connection is OK: crypto isakmp sa

I use sysopt connection permit-vpn and permit-ipsec, and all the subnets match the crypto map access-list; nat 0 is OK on both (I hope...)

I can ping and telnet to my network devices on the remote site.

The issue is when I use Terminal Services or VNC. The connection seems to be OK because, when I do "sho conn" on both PIXes, I see the VNC or Terminal Services connection on port 3389 or 5900.

On the computer from which I start the TS or VNC session I can see the window, but it is black. The mouse pointer moves but everything is black.

When I use another connection over ISDN, it's OK. But the line using the VPN site-to-site over the internet seems to have a problem.

When I do sho crypto ipsec sa, I can't see the connection between my PC, from which I start the VNC or TS session, and the remote computer.

Do you have any suggestions? I can't give you the running configuration. I know it will be difficult to find the problem without the config.

Is there some trouble between both images, 7.2 and 6.3?

One more thing: I have exactly the same configuration with the internal PIX and a remote PIX in another country (Luxembourg), and it's OK!!!

b.hsu Thu, 03/22/2007 - 06:39

First make sure the IPsec tunnel is up and use the debug commands. Chances are it is a user authentication problem or a group authentication problem.

t.boyle Thu, 03/22/2007 - 12:36

It sounds like you may have an MTU problem. IPsec overhead means that you don't have the full 1500 byte MTU any more. If the ICMP replies required by PMTU (RFC 1191) aren't getting back to the two end stations, then you'll get an initial connection, but as soon as you start sending any amount of data the link freezes up. You can try changing the MTU on one end-station to around 1400 and see if it starts to work. A better solution may be to allow the ICMP unreachable packets through to the end stations.
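The arithmetic behind that reply, as an added example that is not part of the thread and not t.boyle's code: it computes how much of a 1500-byte link a tunnel-mode ESP packet leaves for the inner packet (using the standard ESP field sizes for AES-CBC, 3DES-CBC and HMAC-SHA1-96/MD5-96/SHA256-128, with or without NAT-T), derives the TCP MSS to clamp to, and models a DF-set session in which small packets pass but the first full-size segment is either signalled by ICMP fragmentation-needed or silently black-holed. The session model and the segment sizes are constructed for illustration.

```python
"""Path-MTU arithmetic for a tunnel-mode IPsec (ESP) link and a model of the
PMTUD "black hole" described in the reply above.

Added example, not code from the original thread. Overhead sizes are the
standard ESP field sizes for the listed algorithms; the session model and the
segment sizes fed to it are constructed for illustration.
"""
import math

# (CBC block size, IV length) in bytes for the ESP ciphers a PIX commonly uses.
CIPHERS = {"aes-cbc": (16, 16), "3des-cbc": (8, 8)}
# ICV (integrity check value) length in bytes.
INTEGRITY = {"md5-96": 12, "sha1-96": 12, "sha256-128": 16}

IPV4_HEADER = 20     # outer IPv4 header added in tunnel mode
UDP_HEADER = 8       # extra UDP header only when NAT-T (UDP/4500) is in use
ESP_HEADER = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
TCP_IP_HEADERS = 40  # inner IPv4 (20) + TCP (20) headers without options


def esp_packet_size(inner_len, cipher="aes-cbc", integrity="sha1-96", nat_t=False):
    """Bytes on the wire for a tunnel-mode ESP packet carrying an inner_len-byte IP packet."""
    block, iv = CIPHERS[cipher]
    # Inner packet + trailer is padded up to a whole number of cipher blocks.
    encrypted = math.ceil((inner_len + ESP_TRAILER) / block) * block
    size = IPV4_HEADER + ESP_HEADER + iv + encrypted + INTEGRITY[integrity]
    return size + UDP_HEADER if nat_t else size


def max_inner_packet(link_mtu=1500, **kw):
    """Largest inner IP packet that fits link_mtu without fragmenting the ESP packet."""
    inner = link_mtu
    while esp_packet_size(inner, **kw) > link_mtu:
        inner -= 1
    return inner


def recommended_tcp_mss(link_mtu=1500, **kw):
    """TCP MSS to clamp to so that full-size segments never exceed the tunnel MTU."""
    return max_inner_packet(link_mtu, **kw) - TCP_IP_HEADERS


def simulate_session(segment_sizes, tunnel_mtu, icmp_frag_needed_allowed, initial_pmtu=1500):
    """Model a DF-set TCP flow through the tunnel (constructed model, not a capture).

    Returns a list of (bytes_sent, outcome). A packet larger than tunnel_mtu
    either triggers an ICMP fragmentation-needed message, after which the
    sender lowers its path-MTU estimate and retransmits, or (when that ICMP is
    filtered) vanishes silently: the handshake and small packets work, the
    first full-size screen update never arrives.
    """
    pmtu = initial_pmtu
    log = []
    for wanted in segment_sizes:
        size = min(wanted, pmtu)
        if size <= tunnel_mtu:
            log.append((size, "delivered"))
        elif icmp_frag_needed_allowed:
            pmtu = tunnel_mtu
            log.append((size, "icmp frag-needed, resent as %d" % tunnel_mtu))
        else:
            log.append((size, "dropped"))
    return log


if __name__ == "__main__":
    mtu = max_inner_packet()
    print("AES-CBC/SHA1 tunnel: max inner packet %d, MSS %d" % (mtu, recommended_tcp_mss()))
    # Constructed traffic: a small handshake packet followed by two full-size segments.
    for allowed in (True, False):
        print("ICMP allowed=%s:" % allowed, simulate_session([60, 1500, 1500], mtu, allowed))
```

With AES-CBC and HMAC-SHA1-96 on a 1500-byte link the largest inner packet is 1438 bytes and the MSS works out to 1398, which is why "around 1400" on the end station helps; letting ICMP type 3 code 4 reach the end stations, or clamping MSS on the firewalls, fixes it without touching every host.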
