09-03-2003 07:57 AM - edited 02-21-2020 12:45 PM
I have a PIX 515 setup running version 6.3(1). I am having trouble with clients randomly disconnecting from the VPN session. It doesn't matter if they are doing something across the VPN tunnel or letting it sit idle. What I notice is when I connect (using client 3.6.3, some users are on 4.x), I can initially ping an internal IP address. If I wait, I start seeing DPD and heartbeat related messages in both the client log and the PIX. At that point I can no longer ping my inside addresses and the client disconnects. I would post my debug and client logs, but they are too lengthy to fit in this post.
Here is the config of the PIX:
Saved
: Written by enable_15 at 17:19:29.239 EDT Tue Sep 2 2003
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password 75gUzfqwjxKk6YbJ encrypted
passwd 75gUzfqwjxKk6YbJ encrypted
hostname CSCPIX
domain-name XXXXXXX.XXX
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq www
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq smtp
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq www
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq 135
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq 8000
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq 8001
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq 4080
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq 4025
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq 4026
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq 9000
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq 9001
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq 5000
access-list acl_inbound permit tcp any host XXX.XXX.XXX.XXX eq 5001
access-list acl_inbound permit icmp any XXX.XXX.XXX.XXX 255.255.255.0 echo-reply
access-list DMZ_echo_reply permit icmp 192.168.1.0 255.255.255.0 130.1.120.0 255.255.255.0 echo-reply
access-list DMZ_echo_reply permit ip any any
access-list CSCRemote_splitTunnelAcl permit ip 130.1.120.0 255.255.255.0 any
access-list CSCRemote_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list CSCRemote_splitTunnelAcl permit ip host XXX.XXX.XXX.XXX any
access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 130.1.120.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.0
access-list DMZ_nat0_outbound permit ip any 192.168.2.0 255.255.255.0
access-list DMZ_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
logging on
icmp permit 192.168.2.0 255.255.255.0 outside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside XXX.XXX.XXX.XXX 255.255.240.0
ip address inside 130.1.120.2 255.255.255.0
ip address DMZ 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNIPPool 192.168.2.1-192.168.2.254
pdm location 130.1.120.0 255.255.255.0 inside
pdm location 130.1.120.0 255.255.255.255 inside
pdm location 130.1.120.103 255.255.255.255 inside
pdm location 130.1.120.109 255.255.255.255 inside
pdm location 130.1.120.110 255.255.255.255 inside
pdm location 130.1.120.115 255.255.255.255 inside
pdm location 192.168.1.10 255.255.255.255 DMZ
pdm location XXX.XXX.XXX.XXX 255.255.255.255 inside
pdm location 130.120.1.0 255.255.255.0 inside
pdm location XXX.XXX.XXX.XXX 255.255.255.255 outside
pdm location 130.1.120.102 255.255.255.255 inside
pdm location 130.1.120.3 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location 130.1.120.153 255.255.255.255 inside
pdm location 192.168.3.0 255.255.255.0 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 XXX.XXX.XXX.XXX
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 130.1.120.0 255.255.255.0 0 0
nat (DMZ) 0 access-list DMZ_nat0_outbound
static (inside,outside) XXX.XXX.XXX.XXX 130.1.120.103 netmask 255.255.255.255 0 0
static (inside,outside) XXX.XXX.XXX.XXX 130.1.120.110 netmask 255.255.255.255 0 0
static (inside,outside) XXX.XXX.XXX.XXX 130.1.120.109 netmask 255.255.255.255 0 0
static (inside,outside) XXX.XXX.XXX.XXX 130.1.120.115 netmask 255.255.255.255 0 0
static (inside,DMZ) 130.1.120.0 130.1.120.0 netmask 255.255.255.0 0 0
static (inside,outside) XXX.XXX.XXX.XXX 130.1.120.153 netmask 255.255.255.255 0 0
static (DMZ,outside) XXX.XXX.XXX.XXX 192.168.1.10 netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
access-group DMZ_echo_reply in interface DMZ
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 130.1.120.102 XXXXXXX timeout 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
ntp server 198.82.161.227 source outside
ntp server 198.82.162.213 source outside prefer
http server enable
http 192.168.2.0 255.255.255.0 outside
http XXX.XXX.XXX.XXX 255.255.255.255 outside
http 130.1.120.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
crypto map inside_map interface inside
isakmp enable outside
isakmp identity address
isakmp keepalive 60
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup CSCRemote address-pool VPNIPPool
vpngroup CSCRemote dns-server 130.1.120.105
vpngroup CSCRemote wins-server 130.1.120.105
vpngroup CSCRemote split-tunnel CSCRemote_splitTunnelAcl
vpngroup CSCRemote split-dns consolidatedshoe.com
vpngroup CSCRemote idle-time 1800
vpngroup CSCRemote password ********
telnet 192.168.2.0 255.255.255.0 outside
telnet 130.1.120.0 255.255.255.0 inside
telnet timeout 5
ssh XXX.XXX.XXX.XXX 255.255.255.255 outside
ssh timeout 60
management-access inside
console timeout 0
username XXXXXXXXXX password hsV//1oVbOOHeRU4 encrypted privilege 15
terminal width 80
Cryptochecksum:4375c218b53ab5f3fab2f371a322015b
I would appreciate any help anyone can give me. Thanks.
Dave Smith
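As an added example (not part of the original post or of Cisco's tooling), a small Python audit of the VPN-related lines in the config above: it pulls out the IKE keepalive, NAT-T keepalive and vpngroup idle timers that govern when a remote-access client gets torn down, and checks that every ACL a crypto map or split-tunnel statement references is defined and that every crypto map applied to an interface actually has entries. The input is a constructed excerpt of the posted config.

```python
import re
from collections import defaultdict

# Constructed excerpt of the VPN-related lines from the PIX config posted above.
PIX_CONFIG = """
access-list CSCRemote_splitTunnelAcl permit ip 130.1.120.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.0
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
crypto map inside_map interface inside
isakmp keepalive 60
isakmp nat-traversal 20
vpngroup CSCRemote split-tunnel CSCRemote_splitTunnelAcl
vpngroup CSCRemote idle-time 1800
"""

def audit_pix_vpn(config: str) -> dict:
    """Collect PIX 6.x VPN timers and report dangling references in the config."""
    acls, split_refs, dyn_match = set(), [], {}       # names defined / referenced
    map_entries, map_ifaces = defaultdict(int), {}    # numbered entries / applied interface
    timers, findings = {}, []
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ match address (\S+)", line):
            dyn_match[m.group(1)] = m.group(2)
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            map_ifaces[m.group(1)] = m.group(2)
        elif m := re.match(r"crypto map (\S+) \d+ ", line):
            map_entries[m.group(1)] += 1              # only numbered lines are real entries
        elif m := re.match(r"isakmp keepalive (\d+)", line):
            timers["isakmp_keepalive"] = int(m.group(1))   # DPD interval in seconds
        elif m := re.match(r"isakmp nat-traversal (\d+)", line):
            timers["nat_t_keepalive"] = int(m.group(1))    # NAT-T keepalive in seconds
        elif m := re.match(r"vpngroup \S+ idle-time (\d+)", line):
            timers["vpngroup_idle_time"] = int(m.group(1))
        elif m := re.match(r"vpngroup \S+ split-tunnel (\S+)", line):
            split_refs.append(m.group(1))
    # Reference checks run after the whole config is read, so line order does not matter.
    findings += [f"split-tunnel ACL {a} is not defined" for a in split_refs if a not in acls]
    findings += [f"dynamic-map {d} matches undefined ACL {a}"
                 for d, a in dyn_match.items() if a not in acls]
    findings += [f"crypto map {n} is applied to {i} but has no entries"
                 for n, i in map_ifaces.items() if map_entries[n] == 0]
    return {"timers": timers, "findings": findings}
```

On the posted config the only finding is `inside_map`, which is applied to the inside interface but has no entries anywhere in the config.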
09-03-2003 03:06 PM
Try posting some logs - nothing outrageous appears in your config. The DPD logs you get on the client appear to be natural to me - I think when you have logs fully cranked up, it just logs the normal DPD transactions that Cisco uses to try to detect dead peers.
Are you monitoring internet bandwidth? Could that be the problem?