Problems keeping up the VPN.

Unanswered Question
Apr 16th, 2007

Hello

I have a Router 1811 and a PIX 515E. Both are connected with a VPN tunnel.

Everything works OK, but in times of inactivity the PIX deletes the connection, and after that the remote site (Router) cannot start the VPN.

The PIX gives this message:

710003: ESP access denied by ACL from "router IP"/12304 to PIXINTERF:IP/24081.

When I start communication from the local site, everything is OK.

Any help?

Richard Burts Mon, 04/16/2007 - 08:22

Klodian

Some additional information would be helpful.

- In normal circumstances, can the VPN be started from the 1811?

- Does either side treat the VPN as a dynamic neighbor (address potentially changeable), or do both treat it as a statically configured neighbor?

At some point it may be helpful if you could post the config of the PIX.

HTH

Rick

KlediBodinaku24 Mon, 04/16/2007 - 09:01

Hello

In normal circumstances the VPN starts from the Router.

Both treat the neighbor with a static IP.

Any suggestions on what I can look into to solve this problem?

To post the PIX config I will have to modify it first, and that would require some time.

Thanks

KlediBodinaku24 Tue, 04/17/2007 - 07:23

One more thing that is strange.

If I delete the PIX configuration for this VPN and recreate it, then I can start the VPN from the Router (remote site), but if I clear the crypto isakmp at the router then I have the same problem.

The VPN starts from the local site but doesn't start from the remote site.

Any ideas of what to look at?

danail-petrov Tue, 04/17/2007 - 12:23

Hi there,

I'm just shooting in the dark, but what is this: "710003: ESP access denied by ACL from "router IP"/12304 to PIXINTERF:IP/24081." Do you have any reflexive lists? And what happens if you don't use this connection to transmit data? I mean, did you try just connecting the router to the PIX without transmitting any data, to see when the connection is dropped? I believe this session will go down at exactly 'x' minutes every time. If my theory is correct, maybe you have some reflexive lists which expire after 'x' minutes when the PIX stops sending data to the client (router).

When you clear the crypto isakmp SAs, you are actually forcing the ISAKMP/IKE daemon to create new SAs by initiating the UDP/TCP session to port 500 on the remote host. The newly initiated session creates another temporary rule in the reflexive lists, and your connection transmits data again and again until the PIX stops transmitting data. Then the timeout in the reflexive lists expires again, and the temporarily created rule is removed.

Maybe I'm wrong, but this is just a guess. However, tell us what the problem was if you solve it!

Kind Regards,

Danail Petrov

KlediBodinaku24 Tue, 04/17/2007 - 22:54

"710003: ESP access denied by ACL from "router IP"/12304 to PIXINTERF:IP/24081." is what the PIX debug gives when I start a ping from the router internal network toward the PIX internal network.

I'll check on the reflexive lists and let you know when i find the solution.

KlediBodinaku24 Tue, 04/17/2007 - 23:51

On PIX:

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

vpn-idle-timeout 30

vpn-session-timeout none

KlediBodinaku24 Thu, 04/19/2007 - 02:26

OK

More on this problem.

It seems that the problem originates at the router.

If I give the command: clear crypto sa

after that the VPN can start normally from the router to the PIX.

Please, any idea how I can fix this without giving a command manually?

Regards

KlediBodinaku24 Fri, 04/20/2007 - 01:05

Well, since it was asked, this is a solution I'm trying for this problem, and it is working so far.

On the router I set an isakmp and ipsec lifetime of 3600 seconds. This way, as soon as the time passes, the router and the PIX are forced to exchange keys and keep up the VPN.

Well, as far as I understand, the SAs were not being deleted, and when the PIX tried to send new SAs the Router still had the old ones and I was getting a message that the SAs were not matching.

This is what I am doing. Any idea on what could be better, or if I should expect any side effects?

Hope this helps others

Regards
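The 3600-second lifetime workaround from the last post, written out as IOS (1811) and PIX 6.x configuration fragments; this is an added illustration, not configuration taken from the thread, and the policy numbers, transform set, crypto map name, peer address and the dead-peer-detection keepalive lines are assumptions.

```cisco
! --- Router 1811 (IOS) --- added example, not the poster's config
! Phase 1: rekey the ISAKMP SA every hour, as the poster describes
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
!
! Assumed addition (not in the thread): dead peer detection, so the router
! drops SAs the PIX has already torn down instead of reusing stale ones
crypto isakmp keepalive 10 3
!
! Phase 2: IPsec SA lifetime, same value so both ends rekey together
crypto ipsec security-association lifetime seconds 3600
!
crypto ipsec transform-set TS-PIX esp-3des esp-sha-hmac
crypto map VPN-PIX 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-PIX
 match address VPN-ACL
!
! --- PIX 515E (PIX 6.x syntax) --- same lifetimes on the other end
isakmp policy 10 lifetime 3600
isakmp keepalive 10 3
crypto ipsec security-association lifetime seconds 3600
```

After applying it, `show crypto isakmp sa` and `show crypto ipsec sa` on both ends show whether the SAs are being rebuilt on schedule rather than lingering on the router.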
