VPN Automatically Disconnection in Aggressive Mode

bhatti.imran
Level 1

Hi All,

Currently I am facing trouble maintaining the VPN connection.

This VPN is in Aggressive Mode (PIX to PIX Dynamic-to-Static IPsec with NAT).

Now the problem is that the VPN connection disconnects when it goes idle.

We are using this VPN for the voice traffic only.

Now I have two concerns while using this VPN for traffic.

1. VPN lifetime 86400 sec (on both firewalls)

Currently the VPN times out before 86400 sec; I don't know why.

2. The VPN is only established when we start the session from the dynamic IP address firewall (remote or client firewall). In this case the central PIX is a 515E and the client/remote firewall is a PIX 501.

Could you please help me in getting out of this trouble.

2 Replies

ivillegas
Level 6

Check the DHCP lease time configuration in the central site PIX

Thanks for the reply.

Actually, no DHCP is involved in this case.

This line is used for VoIP calls only, so sometimes it remains idle, particularly on weekends.

So currently we can start the VPN session from the PIX 501 only, but the VPN session drops after some time, like 3 hrs, 2 hrs, etc.

We also want to start the session from the PIX 501 side, but in this mode I think it is not possible, so I want to have a permanent VPN session.

Please, anyone help me.

Thanks

Below are the configurations of the PIX on both sides.

PIX 515E as the central PIX (ver 7.0)

access-list 101 extended permit ip 172.16.73.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list 101 extended permit ip 172.16.73.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto map dynamic-map 1 set security-association lifetime seconds 2147483647
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 2147483647
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 5
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group none
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *

PIX 501 with dynamic global IP (ver 6.3)

access-list 101 permit ip 172.16.1.0 255.255.255.0 172.16.73.0 255.255.255.0
access-list 101 permit ip 192.168.40.0 255.255.255.0 172.16.73.0 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer 83.136.10.162
crypto map newmap 10 set transform-set myset
crypto map newmap 10 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 10.10.10.1 netmask 255.255.255.255
isakmp log 2000
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
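An added diagnostic, not part of this thread: a small Python checker that reads the stability-relevant lines of the two configs posted above (trimmed excerpts embedded below), reports the lifetimes the peers would settle on (with IKEv1 the shorter of the two proposals is used), and flags one-sided settings such as an SA lifetime set on a crypto map that is not bound to an interface, a side without isakmp keepalive, and a pre-shared-key address that matches no configured peer. It reads only what is posted, takes the addresses as posted, and does not model platform defaults.

```python
import re

# Constructed excerpts of the two configs posted above, trimmed to the lines the checker reads.
CENTRAL = """
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto map dynamic-map 1 set security-association lifetime seconds 2147483647
isakmp policy 10 lifetime 2147483647
isakmp keepalive threshold 60 retry 5
"""
REMOTE = """
crypto map newmap 10 set peer 83.136.10.162
crypto map newmap 10 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map newmap interface outside
isakmp key ******** address 10.10.10.1 netmask 255.255.255.255
isakmp policy 10 lifetime 86400
"""

def parse_side(cfg):
    """Collect the timers, peers and crypto-map bindings that matter for tunnel stability."""
    s = {"p1": None, "p2": {}, "bound": set(), "keepalive": False, "peers": set(), "keys": set()}
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := re.match(r"isakmp policy \d+ lifetime (\d+)$", line):
            s["p1"] = int(m.group(1))                      # phase-1 (ISAKMP) lifetime
        elif m := re.match(r"crypto map (\S+) \d+ set security-association lifetime (.*)", line):
            vals = re.findall(r"(seconds|kilobytes) (\d+)", m.group(2))
            s["p2"][m.group(1)] = {k: int(v) for k, v in vals}  # phase-2 lifetime per crypto map
        elif m := re.match(r"crypto map (\S+) interface \S+$", line):
            s["bound"].add(m.group(1))                     # crypto maps actually applied
        elif line.startswith("isakmp keepalive"):
            s["keepalive"] = True
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            s["peers"].add(m.group(1))
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            s["keys"].add(m.group(1))
    return s

def check_pair(central, remote):
    """Report the lifetimes the peers settle on (IKEv1 uses the shorter proposal) and one-sided settings."""
    warn = []
    for name, side in (("central", central), ("remote", remote)):
        warn += [f"{name}: SA lifetime set on crypto map '{m}', which is not bound to an interface"
                 for m in side["p2"] if m not in side["bound"]]
        if not side["keepalive"]:
            warn.append(f"{name}: no isakmp keepalive, so this side never probes the peer for liveness")
        if side["keys"] and side["peers"] and not side["keys"] & side["peers"]:
            warn.append(f"{name}: isakmp key address {sorted(side['keys'])} matches no peer {sorted(side['peers'])}")
    p1 = min(x for x in (central["p1"], remote["p1"]) if x is not None)
    secs = [v["seconds"] for s in (central, remote) for v in s["p2"].values() if "seconds" in v]
    return {"phase1_seconds": p1, "phase2_seconds": min(secs), "warnings": warn}
```

Run `check_pair(parse_side(CENTRAL), parse_side(REMOTE))` to see that both negotiated lifetimes collapse to the 501's 86400 seconds and that three one-sided findings are reported.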