11-17-2009 04:11 AM - edited 03-11-2019 09:40 AM
PIX525, v7.2(4).
Another firewall sits inside the PIX525, then out to the internet. A L2L VPN through the PIX525 hangs every few days and is recovered by rebooting the PIX525. The end peers report "IKE Responder: Remote party timeout - Retransmitting IKE request" and "IKE negotiation aborted due to timeout", the PIX525 reports "%PIX-6-110003: Routing failed to locate next hop for UDP from inside:a.b.c.9/500 to inside:[remote_peer]/500".
Note the "inside:[remote_peer]" - this peer is actually outside and PIX525 even has a static host route for it:
route outside [remote_peer] 255.255.255.255 a.b.c.1 1
When this happens PIX525 can actually ping remote_peer.
Sometimes this happens several times a day, sometimes it goes 5 days without issue.
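As an added illustration, not part of this thread: a small Python script that scans PIX syslog lines for the %PIX-6-110003 message quoted above and flags the cases where the destination peer is reported on an interface that contradicts the static host route. The sample log lines, the addresses (10.0.0.9 standing in for a.b.c.9, 203.0.113.10 for [remote_peer]) and the one-entry route table are constructed for the example.

```python
"""Flag PIX 110003 next-hop failures whose interface contradicts the static route table."""
import re
from typing import Dict, List, Optional

# Constructed sample syslog lines in the %PIX-6-110003 format quoted in the post.
# 10.0.0.9 stands in for the inside host a.b.c.9, 203.0.113.10 for [remote_peer].
SAMPLE_LOGS: List[str] = [
    "Nov 17 2009 04:01:12 pix525 %PIX-6-110003: Routing failed to locate next hop "
    "for UDP from inside:10.0.0.9/500 to inside:203.0.113.10/500",
    "Nov 17 2009 04:01:13 pix525 %PIX-6-302015: Built outbound UDP connection 4711 "
    "for outside:203.0.113.10/500 (203.0.113.10/500) to inside:10.0.0.9/500 (10.0.0.9/500)",
    "Nov 17 2009 04:02:40 pix525 %PIX-6-110003: Routing failed to locate next hop "
    "for UDP from inside:10.0.0.9/500 to inside:203.0.113.10/500",
    "Nov 17 2009 04:05:01 pix525 %PIX-6-110003: Routing failed to locate next hop "
    "for UDP from inside:10.0.0.9/4500 to outside:198.51.100.7/4500",
]

# Constructed mirror of the static host route in the post:
#   route outside [remote_peer] 255.255.255.255 a.b.c.1 1
# maps destination host -> interface the route says it should egress on.
STATIC_ROUTES: Dict[str, str] = {"203.0.113.10": "outside"}

# Fields of the 110003 message: protocol, source iface/ip/port, destination iface/ip/port.
PATTERN_110003 = re.compile(
    r"%PIX-6-110003: Routing failed to locate next hop for (?P<proto>\w+) "
    r"from (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_110003(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields of a 110003 line, or None for any other message."""
    m = PATTERN_110003.search(line)
    return m.groupdict() if m else None


def find_interface_mismatches(lines: List[str],
                              static_routes: Dict[str, str]) -> List[Dict[str, str]]:
    """Return 110003 events whose reported destination interface differs from
    the interface a static host route assigns to that destination."""
    hits = []
    for line in lines:
        ev = parse_110003(line)
        if ev is None:
            continue
        expected = static_routes.get(ev["dst"])
        if expected is not None and expected != ev["dst_if"]:
            hits.append({**ev, "expected_if": expected})
    return hits


def isakmp_failures_per_peer(lines: List[str]) -> Dict[str, int]:
    """Count 110003 events aimed at IKE ports (500, 4500) per destination peer,
    so a peer that keeps failing can be spotted before the tunnel is declared dead."""
    counts: Dict[str, int] = {}
    for line in lines:
        ev = parse_110003(line)
        if ev and ev["dport"] in ("500", "4500"):
            counts[ev["dst"]] = counts.get(ev["dst"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_interface_mismatches(SAMPLE_LOGS, STATIC_ROUTES):
        print(f"peer {hit['dst']} logged on {hit['dst_if']}, "
              f"static route says {hit['expected_if']} (dport {hit['dport']})")
    print(isakmp_failures_per_peer(SAMPLE_LOGS))
```

Feed it the firewall's syslog and the `route` statements; an event where the static route and the logged interface disagree is the one worth alerting on, since a plain 110003 for a peer with no route at all is just a routing gap.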
11-17-2009 05:20 AM
Hi there,
Did you recently upgrade the OS on this PIX? You might try disabling the isakmp keepalive mechanism.
Under your tunnel-group w.x.y.x ipsec-attributes:
isakmp keepalive disable
Not sure if that will fix your issue, but it worked for me when I had a similar sounding issue after upgrading a PIX OS.
11-17-2009 06:31 AM
It has been upgraded recently, from 7.2(1), after I saw bug ID CSCsf04123.
I have added that to the DefaultRAGroup but I am a little dubious since this VPN goes through the PIX rather than terminating on it.
It may be a few days before I know if it's helped.
Thanks for the reply.