VPN through PIX keeps hanging

grimsby.moraine · ‎11-17-2009

PIX525, v7.2(4).

Another firewall sits inside the PIX525, then out to the internet. A L2L VPN through the PIX525 hangs every few days and is recovered by rebooting the PIX525. The end peers report "IKE Responder: Remote party timeout - Retransmitting IKE request" and "IKE negotiation aborted due to timeout", the PIX525 reports "%PIX-6-110003: Routing failed to locate next hop for UDP from inside:a.b.c.9/500 to inside:[remote_peer]/500".

Note the "inside:[remote_peer" - this peer is actually outside and PIX525 even has static host route for it:

route outside [remote_peer] 255.255.255.255 a.b.c.1 1

When this happens PIX525 can actualy ping remote_peer.

Sometimes this happens several times a day, sometimes it goes 5 days without issue.

branfarm1 · ‎11-17-2009

Hi there,

Did you recently upgrade the OS on this PIX? You might try disabling the isakmp keepalive mechanism.

Under your tunnel-group w.x.y.x ipsec-attributes:

isakmp keepalive disable

Not sure if that will fix your issue, but it worked for me when I had a similar sounding issue after upgrading a PIX OS.

grimsby.moraine · ‎11-17-2009

It has been upgraded recently, from 7.2(1), after i saw bug ID CSCsf04123.

I have added that to the DefaultRAGroup but i am a little dubious since this VPN goes through the PIX rather terminate on it.

It may be a few days before I know if it's helped.

Thanks for the reply.