Problems keeping up the VPN.

KlediBodinaku24
Level 1

Hello

I have a Cisco 1811 router and a PIX 515E. Both are connected with a VPN tunnel.

Everything works OK, but after a period of inactivity the PIX deletes the connection, and after that the remote site (the router) cannot start the VPN.

The PIX gives this message:

710003: ESP access denied by ACL from "router IP"/12304 to PIXINTERF:IP/24081.

When I start communication from the local site, everything is OK.

Any help?


Richard Burts
Hall of Fame

Klodian

Some additional information would be helpful.

- In normal circumstances, can the VPN be started from the 1811?

- Does either side treat the VPN peer as a dynamic neighbor (address potentially changeable), or do both treat it as a statically configured neighbor?

At some point it may be helpful if you could post the config of the PIX.

HTH

Rick

Hello

In normal circumstances the VPN starts from the router.

Both treat the neighbor as having a static IP.

Any suggestions on what I can look into to solve this problem?

To post the PIX config I will have to modify it first, and that would require some time.

Thanks

One more thing that is strange.

If I delete the PIX configuration for this VPN and recreate it, then I can start the VPN from the router (remote site), but if I clear the crypto isakmp SAs at the router, then I have the same problem.

The VPN starts from the local site but not from the remote site.

Any ideas of what to look at?

Hi there,

I'm just shooting in the dark, but what is this: "710003: ESP access denied by ACL from "router IP"/12304 to PIXINTERF:IP/24081."? Do you have any reflexive lists? And what happens if you do not use this connection to transmit data? I mean, did you try just connecting the router to the PIX without transmitting any data, to see when the connection is dropped? I believe that the session will go down at exactly 'x' minutes every time. If my theory is correct, maybe you have some reflexive lists which expire after 'x' minutes once the PIX stops sending data to the client (router).

When you clear the crypto isakmp SAs, you are actually forcing the ISAKMP/IKE daemon to create new SAs by initiating the UDP/TCP session to port 500 on the remote host. The newly initiated session creates another temporary rule in the reflexive lists, and your connection transmits data again and again until the PIX stops transmitting data. Then the timeout in the reflexive lists expires again, and the temporarily created rule is removed.

Maybe I'm wrong, but this is just a guess. However, tell us what the problem was if you solve it!

Kind Regards,

Danail Petrov

"710003: ESP access denied by ACL from "router IP"/12304 to PIXINTERF:IP/24081." is what the PIX debug gives when I start a ping from the router's internal network toward the PIX internal network.

I'll check on the reflexive lists and let you know when I find the solution.

On the PIX:

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

vpn-idle-timeout 30

vpn-session-timeout none

OK, more on this problem.

It seems that the problem originates at the router.

If I give the command: clear crypto sa

after that, the VPN can start normally from the router to the PIX.

Please, any idea how I can fix this without giving a command manually?

Regards

Well, since it was asked, this is the solution I am trying for this problem, and it is working so far.

On the router I set an ISAKMP and IPsec lifetime of 3600 seconds. This way, as soon as the time passes, the router and the PIX are forced to exchange keys and keep up the VPN.

As far as I understand, the SAs were not being deleted, and when the PIX tried to send new SAs the router still had the old ones and I was getting a message that the SAs were not matching.

This is what I am doing. Any idea on what could be better, or whether I should expect any side effects?

Hope this helps others

Regards
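As an added example (not configuration posted in this thread), here is what the workaround in the last post looks like on both ends, with the ISAKMP and IPsec lifetimes set to 3600 seconds on the 1811 and matched on the PIX 7.x side so that neither peer keeps an SA the other has already torn down. Dead peer detection (DPD) keepalives are added as the usual complement: a peer whose SAs have silently gone away is then detected within seconds instead of at the next lifetime expiry. The peer addresses (192.0.2.1 for the PIX outside interface, 198.51.100.1 for the router), the ACL and transform-set names, the policy numbers and the pre-shared key placeholder are all assumptions for illustration.

```cisco
! ---- Cisco IOS (1811 router) ----
! Assumed placeholders: 192.0.2.1 is the PIX outside address, <psk> the shared key.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key <psk> address 192.0.2.1
! DPD: probe the peer every 10 s, retry at 3 s intervals, tear down SAs if it stays silent.
crypto isakmp keepalive 10 3 periodic
! Phase 2 lifetime, global and per crypto map entry.
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set TS esp-aes esp-sha-hmac
ip access-list extended VPN-ACL
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 set security-association lifetime seconds 3600
 match address VPN-ACL
interface FastEthernet0
 crypto map VPN

! ---- PIX 515E, 7.x syntax (tunnel-group / group-policy style, as in the posted timeouts) ----
! Assumed placeholders: 198.51.100.1 is the router's outside address.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
isakmp enable outside
access-list VPN-ACL extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map VPN 10 match address VPN-ACL
crypto map VPN 10 set peer 198.51.100.1
crypto map VPN 10 set transform-set TS
crypto map VPN 10 set security-association lifetime seconds 3600
crypto map VPN interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <psk>
 ! DPD on the PIX side, same cadence as the router.
 isakmp keepalive threshold 10 retry 3
```

Two checks worth making after applying this: `show crypto isakmp sa` and `show crypto ipsec sa` on the router (`show isakmp sa` / `show ipsec sa` on the PIX) should show the Phase 1 and Phase 2 SAs re-keying well inside the 3600-second window and the same SPIs on both ends, and the 710003 message in the first post indicates that an access list on the PIX is dropping the inbound ESP packet before IPsec processing, so whatever access list is applied inbound on the PIX outside interface must permit ESP (IP protocol 50) and UDP/500 from the router's address if the PIX does not already allow them implicitly for the interface where ISAKMP is enabled.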
