Cisco PIX 515E, UR License but only allowing 125 Concurrent PPTP Connexions

DavidPrince · ‎09-17-2007

Hey,

I'm having trouble with the VPN configuration of my Cisco PIX 515E Firewall.

I have a UR license which allows 2000 concurrent PPTP connections, but for some reason its stopping at 125.

Once it has reached 125, and other VPN connectins are attempted, i get the following error in my syslog.

"09-17-2007 13:35:44 Local0.Error 10.4.36.254 %PIX-3-213001: PPTP control daemon socket io accept error, errno = 5"

We have tried replacing the hardware and we get the same issue. The only thing that has stayed consistant throughout is the configuration, so this has let me to believe that my config is wrong. Any help would be greatly appreciated.

CONFIG: http://internetworkpro.org/pastebin/944

Thanks

David Prince

Danilo Dy · ‎10-03-2007

Hi,

There is a bug found in the folowing versions;

6.2

6.1

6.3(1)

They are supposed to be fixed in the following versions;

6.2(4.102)

6.3(5.0)

6.3(4.113)

The bugs says "PIX firewall configured as a PPTP gateway may stop accepting new PPTP client connections"

Although your IOS 6.3(5) is one of the listed that fixed the bug. It would'nt hurt to upgrade it if it's doable. The stable version is 7.2(2).

Regards,

Dandy

tbsciscopix · ‎10-03-2007

CSCeg07701 Yes pptp stops accepting new connections: tcp listening socked

The release notes state that this problem has been resolved in this version of IOS. Is this correct?

Danilo Dy · ‎10-03-2007

Hi,

Yes, it should be. I didn't see any problem with your config and your licensing. Maybe others could find something that I may not seen.

In my experience, I've discovered two bugs myself in separate occasions in the same router which the version its running supposed to have fixed the bug earlier or it's not mentioned in its caveats.

Whenever I have a problem that defies logic and the config and/or infrastructure/architecture is too simple to have resulted to that problem. I turn to upgrading the IOS to latest stable version, whether there is a bug announced or not - you can't wait for them to announce it, they are human also. So far, this approached fixed my problems 9 out of 10 :) - the one that I missed is something to do with Oracle which the DBA hide some information from me :)

Regards,

Dandy

tbsciscopix · ‎10-03-2007

I agree, upgrading would be a far more effective fix. Although before we do upgrade, we would have to look at moving over to L2TP as later versions of the IOS dont support PPTP (for good reason).

We did get word back from cisco developers regarding this matter, and they stated that it was an undocumented limitation. I find that hard to believe as all the documents state 2000 concurrent PPTP VPN connections.

Danilo Dy · ‎10-03-2007

Hi,

The document doesn't mentioned PPTP. It does mentioned VPN but not specifically PPTP.

I may be reading different document though :)

Regards,

Dandy

tbsciscopix · ‎10-03-2007

Yes, it also mentions 2000 IKE associations, which relates to both PPTP and L2TP.