IPSec VPN Pix 501 Tunnel drops frequently

Unanswered Question
Jun 16th, 2008

Hi there,

we've got a Pix 501 which creates a VPN tunnel over the Internet that terminates on a VPN3030 Concentrator. The tunnel drops a couple of times a day usually, sometimes for 20 mins or more. Between the Pix 501 and the concentrator there is a Pix 525 firewall which performs NATing.

Firstly, I'm sure that the relevant protocols must be allowed through the Pix 525 (which does the NATing) or the tunnel wouldn't come up at all would it? For information can anyone let me know exactly what to let through the 525 to the concentrator and vice versa so that I can check?

As far as I'm aware you don't need an access list on the Pix 501 as any IPSec traffic coming from the tunnel endpoint (concentrator) will be allowed in anyway (or is this only if the 'sysopt connection permit-ipsec' command is used on the Pix 501?).

Any advice would be appreciated as this problem has been going on for a long time. The concentrator software is around 2003 in case that makes a difference (though other tunnels from other remote Pix 501s seem to be fine).

Here's the Pix 501 config:

Pix# sh run
: Saved

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname Pix
domain-name testcorp.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

access-list 119 permit ip
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 119
nat (inside) 1 0 0
route outside x.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http inside
snmp-server host outside x.x.x.x poll
snmp-server host outside x.x.x.x poll
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set medium esp-des esp-md5-hmac
crypto map MyMap1 10 ipsec-isakmp
crypto map MyMap1 10 match address 119
crypto map MyMap1 10 set peer x.x.x.x
crypto map MyMap1 10 set transform-set strong
crypto map MyMap1 interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask
isakmp keepalive 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet inside
telnet inside
telnet timeout 5
ssh x.x.x.x outside
ssh timeout 30
: end
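As an added example (not part of the original post, and not taken from Cisco documentation), this is the set of permits the intermediate Pix 525 needs on its outside interface so that IKE and ESP from the concentrator can reach the Pix 501: IKE (UDP 500), ESP (IP protocol 50) and, if NAT-T is in use on both peers, UDP 4500. The ACL name OUTSIDE_IN, the angle-bracket addresses and the assumption that the 525 gives the 501 a static one-to-one translation are mine; ESP carries no port numbers, so a plain PAT translation cannot track it and both peers would then have to negotiate NAT-T instead.

```cisco
! Added example for the Pix 525 (Pix 6.x syntax). Addresses are placeholders.
! Assumed: a static translation so the 501 keeps one public address and ESP
! is not rewritten by PAT.
static (inside,outside) <501-public-ip> <501-outside-ip> netmask 255.255.255.255
!
! Inbound from the concentrator to the 501's translated (public) address.
! Pix 6.x access lists reference the translated address, not the inside one.
access-list OUTSIDE_IN permit udp host <concentrator-ip> host <501-public-ip> eq isakmp
access-list OUTSIDE_IN permit esp host <concentrator-ip> host <501-public-ip>
access-list OUTSIDE_IN permit udp host <concentrator-ip> host <501-public-ip> eq 4500
access-group OUTSIDE_IN in interface outside
```

Traffic from the 501 towards the concentrator leaves the 525 from its higher-security inside interface and is permitted by default unless an inbound access-group is applied to inside; if one is, the same three permits are needed there with source and destination reversed. The `sysopt connection permit-ipsec` command on the 501 only exempts the decrypted traffic that arrives through the established tunnel from the 501's own interface access lists; it has no bearing on whether the 525 forwards the IKE and ESP packets that build the tunnel.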


JORGE RODRIGUEZ Mon, 06/16/2008 - 09:49

Take a look at this link, especially "Enable or Disable ISAKMP Keepalives", and see if that helps.


[edit] Did not notice you already have keepalive configured. Have you looked at the logs on either end to see any relevant information as to why the tunnel drops? Also look at each end's Internet link utilization, or the physical outside interface for packet drops, again at the specific time of day when the tunnel drops; it is possible that high traffic on the Internet link at a specific time causes keepalive misses.
