We've got a Pix 501 which creates a VPN tunnel over the Internet that terminates on a VPN3030 Concentrator. The tunnel drops a couple of times a day usually, sometimes for 20 mins or more. Between the Pix 501 and the concentrator there is a Pix 525 firewall which performs NATing.
Firstly, I'm sure that the relevant protocols must be allowed through the Pix 525 (which does the NATing), or the tunnel wouldn't come up at all, would it? For information, can anyone let me know exactly what to let through the 525 to the concentrator and vice versa so that I can check?
As far as I'm aware, you don't need an access list on the Pix 501 as any IPSec traffic coming from the tunnel endpoint (concentrator) will be allowed in anyway (or is this only if the 'sysopt connection permit-ipsec' command is used on the Pix 501?).
Any advice would be appreciated, as this problem has been going on for a long time. The concentrator software is from around 2003 in case that makes a difference (though other tunnels from other remote Pix 501s seem to be fine).
Here's the Pix 501 config:
Pix# sh run
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 119 permit ip 10.155.117.128 255.255.255.192 10.0.0.0 255.0.0.0
I did not notice you already have keepalive configured. Have you looked at the logs on either end to see any relevant information as to why the tunnel drops? Also look at each end's internet link utilization, or the physical outside interface for packet drops. Again, on the specific time of day when the tunnel drops, it is possible that high traffic on the internet link at that specific time causes keepalive misses.
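As an added example (not from the original post or the reply above), here are the PIX 6.3 lines that cover both points raised: the protocols a NATing firewall such as the 525 has to admit for an IPSec tunnel, and the keepalive/NAT-T settings that help a tunnel behind NAT survive idle periods. CONCENTRATOR_IP, PIX501_PUBLIC_IP (the address the 525 translates the 501 to) and the list name outside_in are placeholders, and a static translation for the 501 on the 525 is assumed and not shown.

```cisco
! On the NATing firewall (Pix 525): admit the three IPSec components
! from the concentrator towards the Pix 501's translated address.
!   IKE/ISAKMP  = UDP 500   (port keyword "isakmp")
!   NAT-T       = UDP 4500  (ESP encapsulated in UDP when NAT is detected)
!   ESP         = IP protocol 50 (no ports, so it only survives NAT with
!                 a 1:1 static translation; otherwise NAT-T is required)
access-list outside_in permit udp host CONCENTRATOR_IP host PIX501_PUBLIC_IP eq isakmp
access-list outside_in permit udp host CONCENTRATOR_IP host PIX501_PUBLIC_IP eq 4500
access-list outside_in permit esp host CONCENTRATOR_IP host PIX501_PUBLIC_IP
access-group outside_in in interface outside
!
! On the Pix 501 itself: traffic arriving through an established IPSec SA
! bypasses the interface access list, which is why no inbound access-list
! entry is needed for the decrypted tunnel traffic.
sysopt connection permit-ipsec
!
! Detect a dead peer quickly and keep the NAT translation on the 525 alive
! while the tunnel is idle: ISAKMP keepalive every 10 s (retry after 3 s),
! NAT-T keepalive every 20 s.
isakmp keepalive 10 3
isakmp nat-traversal 20
```

If the 525 translates the 501 with PAT rather than a static 1:1 entry, the ESP line alone will not help; the peers must negotiate NAT-T, so check that both ends support it and that UDP 4500 is open in both directions.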