How to avoid IPsec VPN Tunnel from dropping down connection?
--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
I've set up a PIX-to-PIX tunnel using IPsec to connect a remote office to the central site. It will be used mainly to give users access to an Exchange server and an iSeries AS/400 server. Nowadays I'm testing the connection before implementing it, and I've noticed that the tunnel drops the connection very often, and that's not good at all for client access screens because they need to have a permanent connection.
The point is, how can I avoid the IPsec VPN tunnel from dropping down the connection? If it couldn't be done, I would like to know how to maintain the line up for as long as possible.
I'm putting the configuration down so you can help me. THANK YOU ALL in advance...
Firewall(config)# sh conf
: Written by enable_15 at 09:04:31.242 CEDT Thu Jun 26 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
name XXX.XXX.XXX.XXX POLINYA
access-list outside_access_in permit gre any host 10.0.0.10
access-list outside_access_in permit tcp any host 10.0.0.10 eq 1723
access-list outside_access_in permit tcp any host 10.0.0.10 eq smtp
access-list outside_access_in permit tcp any host 10.0.0.10 eq pop3
access-list outside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit udp any any
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.11.0 255.255.255.0
Re: How to avoid IPsec VPN Tunnel from dropping down connection?
The PIXes shouldn't be dropping the tunnel out continuously. They will rebuild the tunnel every 8 hours by default, but if traffic is flowing then you shouldn't even notice it.
You might want to check and make sure you're not having connectivity issues between the two devices that are causing the tunnel to drop. Try pinging the outside interface on one PIX from a host behind the other constantly; when the tunnel drops out, see if the pings stop as well. This will point you to where the problem lies.
Alternatively, you can run "debug cry ipsec" and "debug cry isa" on the PIX and it will show you when the tunnel drops out and should give you a good reason why (look for timeout messages).
You might want to enable keepalives over the tunnel so if one end does drop out the tunnel will be rebuilt quicker. The command is:
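The constant-ping check suggested in the reply above, as an added example that is not part of the original thread: it probes the far PIX's outside interface at a fixed interval and logs a timestamped line only when reachability changes, so outage start and end times can be lined up with the timeout messages from "debug cry isa". PEER is a placeholder address, and the script assumes a Linux-style ping whose -W timeout is in seconds.

```shell
#!/bin/sh
# Added example, not from the original thread. Run as: sh vpn_probe.sh --run
PEER="${PEER:-192.0.2.1}"        # placeholder: far PIX outside interface
INTERVAL="${INTERVAL:-5}"        # seconds between probes
STATE_FILE="${STATE_FILE:-/tmp/vpn_probe.state}"

# probe_once: one ping; exit status 0 when the peer answers, 1 otherwise.
# Assumes Linux ping (-W timeout in seconds).
probe_once() {
    ping -c 1 -W 2 "$PEER" >/dev/null 2>&1
}

# record_transition STATE_FILE RESULT
# RESULT is the probe exit status (0 = reachable). Prints one line with a
# timestamp only when the up/down state differs from the last recorded
# state, so the output is a list of outage boundaries rather than one line
# per ping. Returns 0 always (last command is an if with no else).
record_transition() {
    state_file=$1
    result=$2
    prev=$(cat "$state_file" 2>/dev/null || echo unknown)
    if [ "$result" -eq 0 ]; then cur=up; else cur=down; fi
    if [ "$cur" != "$prev" ]; then
        echo "$(date '+%Y-%m-%d %H:%M:%S') peer=$PEER state=$cur"
        echo "$cur" > "$state_file"
    fi
}

# run_probe: loop forever; each transition line goes to stdout, so redirect
# to a file (sh vpn_probe.sh --run >> vpn_probe.log) to keep a record.
run_probe() {
    rm -f "$STATE_FILE"
    while :; do
        probe_once
        record_transition "$STATE_FILE" $?
        sleep "$INTERVAL"
    done
}

# Only start the loop when explicitly asked, so the functions can be
# sourced or tested without pinging anything.
[ "${1:-}" = "--run" ] && run_probe
```

If pings to the far outside interface stop at the same moments the tunnel drops, the underlying path is at fault rather than the IPsec configuration.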