VPN client disconnects with PIX 515

dsmith
Level 1

I have a PIX 515 setup running version 6.3(1). I am having trouble with clients randomly disconnecting from the VPN session. It doesn't matter if they are doing something across the VPN tunnel or letting it sit idle. What I notice is when I connect (using client 3.6.3, some users are on 4.x), I can initially ping an internal IP address. If I wait, I start seeing DPD and heartbeat related messages in both the client log and the PIX. At that point I can no longer ping my inside addresses and the client disconnects. I would post my debug and client logs, but they are too lengthy to fit in this post.

Here is the config of the PIX:

Saved
: Written by enable_15 at 17:19:29.239 EDT Tue Sep 2 2003
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password 75gUzfqwjxKk6YbJ encrypted
passwd 75gUzfqwjxKk6YbJ encrypted
hostname CSCPIX
domain-name XXXXXXX.XXX
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq www
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq smtp
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq www
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq 135
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq 8000
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq 8001
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq 4080
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq 4025
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq 4026
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq 9000
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq 9001
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq 5000
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq 5001
access-list acl_inbound permit icmp any XXX.XXX.XXX.XXX 255.255.255.0 echo-reply
access-list DMZ_echo_reply permit icmp 192.168.1.0 255.255.255.0 130.1.120.0 255.255.255.0 echo-reply
access-list DMZ_echo_reply permit ip any any
access-list CSCRemote_splitTunnelAcl permit ip 130.1.120.0 255.255.255.0 any
access-list CSCRemote_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list CSCRemote_splitTunnelAcl permit ip host XXX.XXX.XXX.XXX any
access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 130.1.120.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.0
access-list DMZ_nat0_outbound permit ip any 192.168.2.0 255.255.255.0
access-list DMZ_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
logging on
icmp permit 192.168.2.0 255.255.255.0 outside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside XXX.XXX.XXX.XXX 255.255.240.0
ip address inside 130.1.120.2 255.255.255.0
ip address DMZ 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNIPPool 192.168.2.1-192.168.2.254
pdm location 130.1.120.0 255.255.255.0 inside
pdm location 130.1.120.0 255.255.255.255 inside
pdm location 130.1.120.103 255.255.255.255 inside
pdm location 130.1.120.109 255.255.255.255 inside
pdm location 130.1.120.110 255.255.255.255 inside
pdm location 130.1.120.115 255.255.255.255 inside
pdm location 192.168.1.10 255.255.255.255 DMZ
pdm location XXX.XXX.XXX.XXX 255.255.255.255 inside
pdm location 130.120.1.0 255.255.255.0 inside
pdm location XXX.XXX.XXX.XXX 255.255.255.255 outside
pdm location 130.1.120.102 255.255.255.255 inside
pdm location 130.1.120.3 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location 130.1.120.153 255.255.255.255 inside
pdm location 192.168.3.0 255.255.255.0 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 XXX.XXX.XXX.XXX
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 130.1.120.0 255.255.255.0 0 0
nat (DMZ) 0 access-list DMZ_nat0_outbound
static (inside,outside) XXX.XXX.XXX.XXX 130.1.120.103 netmask 255.255.255.255 0 0
static (inside,outside) XXX.XXX.XXX.XXX 130.1.120.110 netmask 255.255.255.255 0 0
static (inside,outside) XXX.XXX.XXX.XXX 130.1.120.109 netmask 255.255.255.255 0 0
static (inside,outside) XXX.XXX.XXX.XXX 130.1.120.115 netmask 255.255.255.255 0 0
static (inside,DMZ) 130.1.120.0 130.1.120.0 netmask 255.255.255.0 0 0
static (inside,outside) XXX.XXX.XXX.XXX 130.1.120.153 netmask 255.255.255.255 0 0
static (DMZ,outside) XXX.XXX.XXX.XXX 192.168.1.10 netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
access-group DMZ_echo_reply in interface DMZ
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 130.1.120.102 XXXXXXX timeout 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
ntp server 198.82.161.227 source outside
ntp server 198.82.162.213 source outside prefer
http server enable
http 192.168.2.0 255.255.255.0 outside
http XXX.XXX.XXX.XXX 255.255.255.255 outside
http 130.1.120.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
crypto map inside_map interface inside
isakmp enable outside
isakmp identity address
isakmp keepalive 60
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup CSCRemote address-pool VPNIPPool
vpngroup CSCRemote dns-server 130.1.120.105
vpngroup CSCRemote wins-server 130.1.120.105
vpngroup CSCRemote split-tunnel CSCRemote_splitTunnelAcl
vpngroup CSCRemote split-dns consolidatedshoe.com
vpngroup CSCRemote idle-time 1800
vpngroup CSCRemote password ********
telnet 192.168.2.0 255.255.255.0 outside
telnet 130.1.120.0 255.255.255.0 inside
telnet timeout 5
ssh XXX.XXX.XXX.XXX 255.255.255.255 outside
ssh timeout 60
management-access inside
console timeout 0
username XXXXXXXXXX password hsV//1oVbOOHeRU4 encrypted privilege 15
terminal width 80
Cryptochecksum:4375c218b53ab5f3fab2f371a322015b

I would appreciate any help anyone can give me. Thanks.

Dave Smith

1 Reply

mostiguy
Level 6

Try posting some logs - nothing outrageous appears in your config. The DPD logs you get on the client appear natural to me - I think when you have logging fully cranked up, it just logs the normal DPD transactions that Cisco uses to try to detect dead peers.

Are you monitoring internet bandwidth? Could that be the problem?
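The reply's point is that DPD messages by themselves are not the fault: the PIX sends an R-U-THERE probe every `isakmp keepalive 60` seconds and a healthy client answers with an R-U-THERE-ACK. What matters is whether the ACKs stop coming before the client drops. The script below is an added example, not from the original thread or any Cisco tool: it reads the `isakmp keepalive` interval out of a config excerpt and pairs probes with ACKs in a debug log, reporting the round-trip per probe, any probe left unanswered, and the point at which a peer would be declared dead. The log format is a constructed, simplified rendering of the RFC 3706 exchange rather than verbatim PIX or VPN-client output, and the 2-second retransmit interval and three retransmissions before declaring the peer dead are assumptions of the example, not verified PIX 6.3 defaults.

```python
"""Triage IKE dead-peer-detection (DPD) keepalives from a debug log.

Added example, not part of the original post or any Cisco tool. The log
lines below are constructed: a simplified rendering of the RFC 3706
R-U-THERE / R-U-THERE-ACK exchange, not verbatim PIX or VPN-client output.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Matches constructed lines such as "120.0 SEND R-U-THERE seq=3"
LINE_RE = re.compile(
    r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<dir>SEND|RECV)\s+"
    r"(?P<kind>R-U-THERE(?:-ACK)?)\s+seq=(?P<seq>\d+)$"
)

# Pulls the interval (and optional retry) out of a PIX "isakmp keepalive" line
KEEPALIVE_RE = re.compile(r"^isakmp keepalive\s+(\d+)(?:\s+(\d+))?$")

DEFAULT_RETRY = 2   # assumption: retransmit interval in seconds when not configured
MAX_RETRIES = 3     # assumption: retransmissions before the peer is declared dead


@dataclass
class DpdReport:
    interval: int
    retry: int
    rtt: dict = field(default_factory=dict)         # seq -> ACK round-trip seconds
    unanswered: list = field(default_factory=list)  # seqs that never got an ACK
    dead_at: Optional[float] = None                 # time the peer is declared dead


def parse_keepalive(config_lines):
    """Return (interval, retry) from the isakmp keepalive line of a PIX config."""
    for line in config_lines:
        m = KEEPALIVE_RE.match(line.strip())
        if m:
            return int(m.group(1)), int(m.group(2) or DEFAULT_RETRY)
    raise ValueError("no isakmp keepalive line found")


def analyze_dpd(log_lines, interval, retry=DEFAULT_RETRY, max_retries=MAX_RETRIES):
    """Pair R-U-THERE probes with their ACKs and spot a run of unanswered probes."""
    sends = {}  # seq -> list of send times (retransmits reuse the same seq)
    report = DpdReport(interval=interval, retry=retry)
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t, seq = float(m["t"]), int(m["seq"])
        if m["dir"] == "SEND" and m["kind"] == "R-U-THERE":
            sends.setdefault(seq, []).append(t)
        elif m["dir"] == "RECV" and m["kind"] == "R-U-THERE-ACK" and seq in sends:
            # round-trip measured from the first transmission of that seq
            report.rtt[seq] = round(t - sends.pop(seq)[0], 3)
    for seq, times in sorted(sends.items()):
        report.unanswered.append(seq)
        # initial probe plus max_retries retransmits with no ACK: peer is dead
        if len(times) > max_retries and report.dead_at is None:
            report.dead_at = times[-1] + retry
    return report


def verdict(report):
    """One-line reading of the report for the ticket."""
    if report.dead_at is not None:
        return (f"peer declared dead at t={report.dead_at:.1f}s "
                f"after seq {report.unanswered[0]} went unanswered")
    if report.unanswered:
        return f"lossy path: seq {report.unanswered} unanswered so far"
    worst = max(report.rtt.values(), default=0.0)
    return (f"healthy DPD: {len(report.rtt)} exchanges, "
            f"worst ACK latency {worst:.3f}s")


# Constructed config excerpt mirroring the posted "isakmp keepalive 60"
CONFIG = ["isakmp enable outside", "isakmp keepalive 60", "isakmp nat-traversal 20"]

# Constructed log: two healthy probes, then a probe retransmitted with no ACK
LOG = """
0.0   SEND R-U-THERE seq=1
0.1   RECV R-U-THERE-ACK seq=1
60.0  SEND R-U-THERE seq=2
60.2  RECV R-U-THERE-ACK seq=2
120.0 SEND R-U-THERE seq=3
122.0 SEND R-U-THERE seq=3
124.0 SEND R-U-THERE seq=3
126.0 SEND R-U-THERE seq=3
""".strip().splitlines()

if __name__ == "__main__":
    interval, retry = parse_keepalive(CONFIG)
    print(verdict(analyze_dpd(LOG, interval, retry)))
```

Run against a real capture, a "healthy" verdict with DPD chatter in the log says the keepalives are doing their job and the disconnect must be explained elsewhere; a "dead" verdict at the moment the inside pings stop points at the path between client and PIX (a NAT binding expiring, or the link saturating) rather than at DPD itself.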