PIX static to dynamic vpn tunnel problem

Jul 25th, 2007


It's a new setup.

We are having a central site with leased line to internet & 13 remote locations having ADSL connection (dynamic). All the remote locations are connecting via VPN to the central site.

Central site is having PIX 515 (ver 7.2(2)).

Remote locations are having 506E (ver 6.3(5)).

We are having a static to dynamic vpn.

Now, currently there are two sites (central site & remote site) which we are testing. The requirement is to have the VPN tunnel up always. To be on the safer side, we have created a batch file on all the remote locations which continuously sends an extended ping packet to the central site server.

All the remote locations are having a server which communicates with the central site server placed in the DMZ.


When we initiate the connection from the remote site the tunnel comes up & we are able to pass bidirectional traffic. Now, in the background even the batch file is running, which is always keeping the tunnel up.

Now, after some time when we stop this batch file & again initiate the connection by applying ping from the remote server or PCs we are getting request timed out.

Logically, when we initiate the connection from remote side the vpn tunnel should always come up which is not happening in this case.

What we noticed was when we are getting request timed out, on the remote PIX we see QM_IDLE when we put "sh crypto isakmp sa". But at the central site we see "no isakmp sas" when we put "sh crypto isakmp sa".

We need your help on this.



mattiaseriksson Thu, 07/26/2007 - 00:27

Can you get isakmp and ipsec debug from the central site? Can you attach a sh crypto isakmp sa and sh crypto ipsec sa from the central site when the remote peer is down?

Is there a firewall between them?

sachin_mon Sat, 07/28/2007 - 21:29


The "show commands" are already attached. If you go through the configs, all the details are there in it.

Please browse through the complete configs.



mattiaseriksson Sun, 07/29/2007 - 02:11

Hi, try to enable dead peer detection on the remote PIX.

isakmp keepalive 10

Since DPD is enabled by default on the PIX 7.2 it may take down the tunnel if it does not get any DPD response from the peer. Both endpoints must have it enabled for DPD to work.

sachin_mon Sun, 07/29/2007 - 02:58


Thanks for the update.

I tried putting the keepalives at the remote end but what we found was that the tunnel goes down after about 30 minutes approx when there is no data traffic. In debug, we can see " DPD R_THERE_ .." message from the remote end at every 10-second interval.

Is there any way that we can always keep the tunnel up even when there is no data traffic?



mattiaseriksson Sun, 07/29/2007 - 05:33

The remote PIX has a private address, is there a NAT device or firewall between the sites? If there is, what are the connection timeouts configured for UDP?

In any case, if the tunnel goes down even when you have keepalives configured on both ends, you can run ipsec debugging on the central side to find out the cause of the disconnection.

