09-17-2007 04:34 AM - edited 02-21-2020 01:41 AM
Hey,
I'm having trouble with the VPN configuration of my Cisco PIX 515E Firewall.
I have a UR license which allows 2000 concurrent PPTP connections, but for some reason it's stopping at 125.
Once it has reached 125, and other VPN connections are attempted, I get the following error in my syslog.
"09-17-2007 13:35:44 Local0.Error 10.4.36.254 %PIX-3-213001: PPTP control daemon socket io accept error, errno = 5"
We have tried replacing the hardware and we get the same issue. The only thing that has stayed consistent throughout is the configuration, so this has led me to believe that my config is wrong. Any help would be greatly appreciated.
CONFIG: http://internetworkpro.org/pastebin/944
Thanks
David Prince
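The syslog line quoted above has a fixed shape (date, time, facility.severity, reporting host, then `%PIX-<level>-<msgid>: text`), which makes it easy to watch for the moment the PPTP daemon starts refusing tunnels. The following is an added example, not code from the thread or from Cisco: it parses lines of that shape, counts `%PIX-3-213001` events per firewall, and reports hosts that reached a threshold. The log lines are constructed for the example (the first repeats the message from the post; the `302013` connection-built line is filler so the parser has something to ignore), and the message id is taken from the post, not from any Cisco documentation.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log in the format quoted in the post; not a real capture.
SAMPLE_LOG = """\
09-17-2007 13:35:44 Local0.Error 10.4.36.254 %PIX-3-213001: PPTP control daemon socket io accept error, errno = 5
09-17-2007 13:35:50 Local0.Info 10.4.36.254 %PIX-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.10/1723 to inside:10.4.36.254/1723
09-17-2007 13:36:01 Local0.Error 10.4.36.254 %PIX-3-213001: PPTP control daemon socket io accept error, errno = 5
09-17-2007 13:36:05 Local0.Error 10.4.36.254 %PIX-3-213001: PPTP control daemon socket io accept error, errno = 5
"""

# Line shape from the post:
#   <date> <time> <facility.severity> <source-ip> %PIX-<level>-<msgid>: <text>
PIX_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<facility>\S+) (?P<host>\S+) "
    r"%PIX-(?P<level>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)

# Message id quoted in the post: the PPTP control daemon failed to accept a new socket.
PPTP_ACCEPT_ERROR = "213001"
ERRNO_RE = re.compile(r"errno = (?P<errno>-?\d+)")


@dataclass
class PixEvent:
    date: str
    time: str
    host: str
    level: int
    msgid: str
    text: str
    errno: Optional[int]  # only present on messages that carry "errno = N"


def parse_line(line: str) -> Optional[PixEvent]:
    """Parse one PIX syslog line; return None for lines in any other format."""
    m = PIX_LINE.match(line.strip())
    if not m:
        return None
    e = ERRNO_RE.search(m.group("text"))
    return PixEvent(
        date=m.group("date"),
        time=m.group("time"),
        host=m.group("host"),
        level=int(m.group("level")),
        msgid=m.group("msgid"),
        text=m.group("text"),
        errno=int(e.group("errno")) if e else None,
    )


def count_pptp_accept_errors(log_text: str) -> Dict[str, int]:
    """Count %PIX-3-213001 events per reporting firewall."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None and ev.msgid == PPTP_ACCEPT_ERROR:
            counts[ev.host] += 1
    return dict(counts)


def hosts_to_alert(log_text: str, threshold: int) -> List[str]:
    """Firewalls whose accept-error count reached the threshold: the PPTP daemon
    is repeatedly refusing new tunnels, so clients are being turned away."""
    return sorted(
        host for host, n in count_pptp_accept_errors(log_text).items() if n >= threshold
    )


if __name__ == "__main__":
    for host, n in count_pptp_accept_errors(SAMPLE_LOG).items():
        print(f"{host}: {n} PPTP accept errors")
    print("alert:", hosts_to_alert(SAMPLE_LOG, threshold=3))
```

The threshold is the only tuning knob: a single `213001` can be a transient, but a run of them from one host, with no matching drop in established tunnels, is the signature of the stuck-listener behaviour the thread goes on to discuss.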
10-03-2007 06:42 AM
Hi,
There is a bug found in the following versions:
6.2
6.1
6.3(1)
They are supposed to be fixed in the following versions:
6.2(4.102)
6.3(5.0)
6.3(4.113)
The bug says "PIX firewall configured as a PPTP gateway may stop accepting new PPTP client connections".
Although your IOS 6.3(5) is one of the listed versions that fixed the bug, it wouldn't hurt to upgrade it if it's doable. The stable version is 7.2(2).
Regards,
Dandy
10-03-2007 06:58 AM
CSCeg07701 Yes pptp stops accepting new connections: tcp listening socket
The release notes state that this problem has been resolved in this version of IOS. Is this correct?
10-03-2007 07:19 AM
Hi,
Yes, it should be. I didn't see any problem with your config and your licensing. Maybe others could find something that I may not have seen.
In my experience, I've discovered two bugs myself on separate occasions in the same router, where the version it's running was supposed to have fixed the bug earlier, or it's not mentioned in its caveats.
Whenever I have a problem that defies logic and the config and/or infrastructure/architecture is too simple to have resulted in that problem, I turn to upgrading the IOS to the latest stable version, whether there is a bug announced or not - you can't wait for them to announce it, they are human also. So far, this approach has fixed my problems 9 out of 10 :) - the one that I missed is something to do with Oracle, where the DBA hid some information from me :)
Regards,
Dandy
10-03-2007 07:24 AM
I agree, upgrading would be a far more effective fix. Although before we do upgrade, we would have to look at moving over to L2TP, as later versions of the IOS don't support PPTP (for good reason).
We did get word back from Cisco developers regarding this matter, and they stated that it was an undocumented limitation. I find that hard to believe, as all the documents state 2000 concurrent PPTP VPN connections.
10-03-2007 07:36 AM
Hi,
The document doesn't mention PPTP. It does mention VPN, but not specifically PPTP.
I may be reading different document though :)
Regards,
Dandy
10-03-2007 07:47 AM
Yes, it also mentions 2000 IKE associations, which relates to both PPTP and L2TP.