PIX 501 to VPN 3000 Concentrator

maraz
Level 1

We have a problem where we seem to lose the SA between our PIX 501 and a VPN 3000 Concentrator. It seems that the PIX keeps the tunnel up but the Concentrator drops it. I am providing info from both the PIX and the Concentrator so you can see the difference.

Pix 501

=======

PIX501-ESKILSTUN# sh cry ips sa

interface: outside

Crypto map tag: bokiasec, local addr. 213.88.189.90

local ident (addr/mask/prot/port): (172.17.20.0/255.255.255.224/0/0)

remote ident (addr/mask/prot/port): (192.168.71.0/255.255.255.0/0/0)

current_peer: 62.95.18.163

PERMIT, flags={origin_is_acl,}

#pkts encaps: 8, #pkts encrypt: 8, #pkts digest 0

#pkts decaps: 8, #pkts decrypt: 8, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163

path mtu 1500, ipsec overhead 44, media mtu 1500

current outbound spi: 7069f5f1

inbound esp sas:

spi: 0x4071afba(1081192378)

transform: esp-3des ,

in use settings ={Tunnel, }

slot: 0, conn id: 17, crypto map: bokiasec

sa timing: remaining key lifetime (k/sec): (4607999/28104)

IV size: 8 bytes

replay detection support: N

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x7069f5f1(1885992433)

transform: esp-3des ,

in use settings ={Tunnel, }

slot: 0, conn id: 18, crypto map: bokiasec

sa timing: remaining key lifetime (k/sec): (4607999/28104)

IV size: 8 bytes

replay detection support: N

outbound ah sas:

outbound pcp sas:

local ident (addr/mask/prot/port): (172.17.20.0/255.255.255.224/0/0)

remote ident (addr/mask/prot/port): (192.168.72.0/255.255.255.0/0/0)

current_peer: 62.95.18.163

PERMIT, flags={origin_is_acl,}

#pkts encaps: 92384, #pkts encrypt: 92384, #pkts digest 0

#pkts decaps: 81634, #pkts decrypt: 81634, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 2, #recv errors 0

local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163

path mtu 1500, ipsec overhead 44, media mtu 1500

current outbound spi: 1e3aa6b9

inbound esp sas:

spi: 0xd98ee147(3650019655)

transform: esp-3des ,

in use settings ={Tunnel, }

slot: 0, conn id: 9, crypto map: bokiasec

sa timing: remaining key lifetime (k/sec): (4606662/25310)

IV size: 8 bytes

replay detection support: N

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x1e3aa6b9(507160249)

transform: esp-3des ,

in use settings ={Tunnel, }

slot: 0, conn id: 10, crypto map: bokiasec

sa timing: remaining key lifetime (k/sec): (4607589/25307)

IV size: 8 bytes

replay detection support: N

outbound ah sas:

outbound pcp sas:

local ident (addr/mask/prot/port): (172.17.20.0/255.255.255.224/0/0)

remote ident (addr/mask/prot/port): (194.132.84.64/255.255.255.192/0/0)

current_peer: 62.95.18.163

PERMIT, flags={origin_is_acl,}

#pkts encaps: 571, #pkts encrypt: 571, #pkts digest 0

#pkts decaps: 556, #pkts decrypt: 556, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 2, #recv errors 0

local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163

path mtu 1500, ipsec overhead 44, media mtu 1500

current outbound spi: 388136ef

inbound esp sas:

spi: 0xa4cee4e9(2765022441)

transform: esp-3des ,

in use settings ={Tunnel, }

slot: 0, conn id: 6, crypto map: bokiasec

sa timing: remaining key lifetime (k/sec): (4607999/24919)

IV size: 8 bytes

replay detection support: N

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x388136ef(947992303)

transform: esp-3des ,

in use settings ={Tunnel, }

slot: 0, conn id: 5, crypto map: bokiasec

sa timing: remaining key lifetime (k/sec): (4607999/24910)

IV size: 8 bytes

replay detection support: N

outbound ah sas:

outbound pcp sas:

local ident (addr/mask/prot/port): (172.17.20.32/255.255.255.240/0/0)

remote ident (addr/mask/prot/port): (192.168.71.0/255.255.255.0/0/0)

current_peer: 62.95.18.163

PERMIT, flags={origin_is_acl,}

#pkts encaps: 1, #pkts encrypt: 1, #pkts digest 0

#pkts decaps: 1, #pkts decrypt: 1, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163

path mtu 1500, ipsec overhead 44, media mtu 1500

current outbound spi: f7282a4

inbound esp sas:

spi: 0x146cb06d(342667373)

transform: esp-3des ,

in use settings ={Tunnel, }

slot: 0, conn id: 15, crypto map: bokiasec

sa timing: remaining key lifetime (k/sec): (4607999/28315)

IV size: 8 bytes

replay detection support: N

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xf7282a4(259162788)

transform: esp-3des ,

in use settings ={Tunnel, }

slot: 0, conn id: 16, crypto map: bokiasec

sa timing: remaining key lifetime (k/sec): (4607999/28315)

IV size: 8 bytes

replay detection support: N

outbound ah sas:

outbound pcp sas:

local ident (addr/mask/prot/port): (172.17.20.32/255.255.255.240/0/0)

remote ident (addr/mask/prot/port): (192.168.72.0/255.255.255.0/0/0)

current_peer: 62.95.18.163

PERMIT, flags={origin_is_acl,}

#pkts encaps: 68716, #pkts encrypt: 68716, #pkts digest 0

#pkts decaps: 61223, #pkts decrypt: 61223, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 2, #recv errors 0

local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163

path mtu 1500, ipsec overhead 44, media mtu 1500

current outbound spi: 3662bd6e

inbound esp sas:

spi: 0xf3ec2075(4092338293)

transform: esp-3des ,

in use settings ={Tunnel, }

slot: 0, conn id: 3, crypto map: bokiasec

sa timing: remaining key lifetime (k/sec): (4607904/24259)

IV size: 8 bytes

replay detection support: N

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x3662bd6e(912440686)

transform: esp-3des ,

in use settings ={Tunnel, }

slot: 0, conn id: 4, crypto map: bokiasec

sa timing: remaining key lifetime (k/sec): (4607954/24256)

IV size: 8 bytes

replay detection support: N

outbound ah sas:

outbound pcp sas:

local ident (addr/mask/prot/port): (172.17.20.32/255.255.255.240/0/0)

remote ident (addr/mask/prot/port): (194.132.84.64/255.255.255.192/0/0)

current_peer: 62.95.18.163

PERMIT, flags={origin_is_acl,}

#pkts encaps: 508, #pkts encrypt: 508, #pkts digest 0

#pkts decaps: 492, #pkts decrypt: 492, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 2, #recv errors 0

local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163

path mtu 1500, ipsec overhead 44, media mtu 1500

current outbound spi: 329790e

inbound esp sas:

spi: 0xd6d85385(3604501381)

transform: esp-3des ,

in use settings ={Tunnel, }

slot: 0, conn id: 13, crypto map: bokiasec

sa timing: remaining key lifetime (k/sec): (4607999/25086)

IV size: 8 bytes

replay detection support: N

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x329790e(53049614)

transform: esp-3des ,

in use settings ={Tunnel, }

slot: 0, conn id: 14, crypto map: bokiasec

sa timing: remaining key lifetime (k/sec): (4607999/25086)

IV size: 8 bytes

replay detection support: N

outbound ah sas:

outbound pcp sas:

local ident (addr/mask/prot/port): (172.17.20.48/255.255.255.240/0/0)

remote ident (addr/mask/prot/port): (192.168.71.0/255.255.255.0/0/0)

current_peer: 62.95.18.163

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163

path mtu 1500, ipsec overhead 44, media mtu 1500

current outbound spi: 19d8ef2

inbound esp sas:

spi: 0x21b53b0c(565525260)

transform: esp-3des ,

in use settings ={Tunnel, }

slot: 0, conn id: 20, crypto map: bokiasec

sa timing: remaining key lifetime (k/sec): (4607998/28568)

IV size: 8 bytes

replay detection support: N

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x19d8ef2(27102962)

transform: esp-3des ,

in use settings ={Tunnel, }

slot: 0, conn id: 19, crypto map: bokiasec

sa timing: remaining key lifetime (k/sec): (4608000/28568)

IV size: 8 bytes

replay detection support: N

outbound ah sas:

outbound pcp sas:

local ident (addr/mask/prot/port): (172.17.20.32/255.255.255.240/0/0)

remote ident (addr/mask/prot/port): (62.95.31.224/255.255.255.224/0/0)

current_peer: 62.95.18.163

PERMIT, flags={origin_is_acl,}

#pkts encaps: 1941, #pkts encrypt: 1941, #pkts digest 0

#pkts decaps: 1817, #pkts decrypt: 1817, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 1, #recv errors 0

local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163

path mtu 1500, ipsec overhead 44, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

local ident (addr/mask/prot/port): (172.17.20.48/255.255.255.240/0/0)

remote ident (addr/mask/prot/port): (192.168.72.0/255.255.255.0/0/0)

current_peer: 62.95.18.163

PERMIT, flags={origin_is_acl,}

#pkts encaps: 47942, #pkts encrypt: 47942, #pkts digest 0

#pkts decaps: 46781, #pkts decrypt: 46781, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 5, #recv errors 0

local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163

path mtu 1500, ipsec overhead 44, media mtu 1500

current outbound spi: 3534ac6c

inbound esp sas:

spi: 0xef3fbcb4(4013931700)

transform: esp-3des ,

in use settings ={Tunnel, }

slot: 0, conn id: 1, crypto map: bokiasec

sa timing: remaining key lifetime (k/sec): (4607828/23729)

IV size: 8 bytes

replay detection support: N

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x3534ac6c(892644460)

transform: esp-3des ,

in use settings ={Tunnel, }

slot: 0, conn id: 2, crypto map: bokiasec

sa timing: remaining key lifetime (k/sec): (4607962/23729)

IV size: 8 bytes

replay detection support: N

outbound ah sas:

outbound pcp sas:

local ident (addr/mask/prot/port): (172.17.20.48/255.255.255.240/0/0)

remote ident (addr/mask/prot/port): (194.132.84.64/255.255.255.192/0/0)

current_peer: 62.95.18.163

PERMIT, flags={origin_is_acl,}

#pkts encaps: 407, #pkts encrypt: 407, #pkts digest 0

#pkts decaps: 382, #pkts decrypt: 382, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 2, #recv errors 0

local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163

path mtu 1500, ipsec overhead 44, media mtu 1500

current outbound spi: 5071a644

inbound esp sas:

spi: 0x89c958e3(2311674083)

transform: esp-3des ,

in use settings ={Tunnel, }

slot: 0, conn id: 11, crypto map: bokiasec

sa timing: remaining key lifetime (k/sec): (4607999/26404)

IV size: 8 bytes

replay detection support: N

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x5071a644(1349625412)

transform: esp-3des ,

in use settings ={Tunnel, }

slot: 0, conn id: 12, crypto map: bokiasec

sa timing: remaining key lifetime (k/sec): (4607999/26404)

IV size: 8 bytes

replay detection support: N

outbound ah sas:

outbound pcp sas:

local ident (addr/mask/prot/port): (172.17.20.48/255.255.255.240/0/0)

remote ident (addr/mask/prot/port): (62.95.31.224/255.255.255.224/0/0)

current_peer: 62.95.18.163

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163

path mtu 1500, ipsec overhead 0, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

local ident (addr/mask/prot/port): (172.17.20.0/255.255.255.224/0/0)

remote ident (addr/mask/prot/port): (62.95.31.224/255.255.255.224/0/0)

current_peer: 62.95.18.163

PERMIT, flags={origin_is_acl,}

#pkts encaps: 2835, #pkts encrypt: 2835, #pkts digest 0

#pkts decaps: 2758, #pkts decrypt: 2758, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 2, #recv errors 0

local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163

path mtu 1500, ipsec overhead 44, media mtu 1500

current outbound spi: 19c87eee

inbound esp sas:

spi: 0x6ac0010f(1790968079)

transform: esp-3des ,

in use settings ={Tunnel, }

slot: 0, conn id: 7, crypto map: bokiasec

sa timing: remaining key lifetime (k/sec): (4607956/25741)

IV size: 8 bytes

replay detection support: N

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x19c87eee(432570094)

transform: esp-3des ,

in use settings ={Tunnel, }

slot: 0, conn id: 8, crypto map: bokiasec

sa timing: remaining key lifetime (k/sec): (4607970/25741)

IV size: 8 bytes

replay detection support: N

outbound ah sas:

outbound pcp sas:

VPN 3000

========

Connection Name IP Address Protocol Encryption Login Time Duration Bytes Tx Bytes Rx

Eskilstuna - H Sandbergs 213.88.189.90 IPSec/LAN-to-LAN 3DES-168 Aug 19 14:25:57 0:13:17 1680 560

IKE Sessions: 1

IPSec Sessions: 3

IKE Session

Session ID 1 Encryption Algorithm 3DES-168

Hashing Algorithm MD5 Diffie-Hellman Group Group 2 (1024-bit)

Authentication Mode Pre-Shared Keys IKE Negotiation Mode Main

Rekey Time Interval 600 seconds

IPSec Session

Session ID 2 Remote Address 172.17.20.32/0.0.0.15

Local Address 192.168.71.0/0.0.0.255 Encryption Algorithm 3DES-168

Hashing Algorithm None Encapsulation Mode Tunnel

Rekey Time Interval 28800 seconds

Bytes Received 280 Bytes Transmitted 280

IPSec Session

Session ID 3 Remote Address 172.17.20.0/0.0.0.31

Local Address 192.168.71.0/0.0.0.255 Encryption Algorithm 3DES-168

Hashing Algorithm None Encapsulation Mode Tunnel

Rekey Time Interval 28800 seconds

Bytes Received 280 Bytes Transmitted 280

IPSec Session

Session ID 4 Remote Address 172.17.20.48/0.0.0.15

Local Address 192.168.71.0/0.0.0.255 Encryption Algorithm 3DES-168

Hashing Algorithm None Encapsulation Mode Tunnel

Rekey Time Interval 28800 seconds

Bytes Received 0 Bytes Transmitted 1120

3 Replies

rader19
Level 1

Hi ROBERT MARAS,

At my company we have several 501 PIXs connecting to our Cisco Concentrator. I have a couple of questions for you. What is the version running on the PIX? Also, are you doing LAN-to-LAN in the Concentrator? If you could send me the PIX config, I think I may be able to help.

Hello,

The version is provided below and yes, we are doing LAN-to-LAN. Here comes the config:

PIX Version 6.1(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname PIX501-HALMSTAD

domain-name nisse.se

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

no fixup protocol skinny 2000

names

pager lines 24

logging on

logging timestamp

logging buffered debugging

logging trap debugging

logging history debugging

logging queue 4096

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside x.x.x.x 255.255.255.248

ip address inside 172.17.56.1 255.255.255.192

ip verify reverse-path interface outside

ip audit info action alarm

ip audit attack action alarm

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt ipsec pl-compatible

no sysopt route dnat

crypto ipsec transform-set halmstadipsec esp-3des

crypto map nissesec 10 ipsec-isakmp

crypto map nissesec 10 match address 101

crypto map nissesec 10 set peer x.x.x.x

crypto map nissesec 10 set transform-set halmstadipsec

crypto map nissesec interface outside

isakmp enable outside

isakmp key ******** address x.x.x.x netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 600

telnet timeout 5

ssh timeout 5

terminal width 80

Nelson Rodrigues
Cisco Employee

Robert, there's a bug with VPN3000-PIX-501 (EZ VPN connection) where the IKE/Phase 1 rekeying kills the tunnel (data will reconnect it again). Not sure if LAN-to-LAN has the same issue or if this is your case specifically.

I see your IKE rekey is 10 minutes and IPSec rekey is 24 hrs. When/how often is your tunnel coming down? In general, IPSec should have a lower rekey interval than IKE... You want to rekey the data more often, that is.

Can you post the VPN 3000 log for at least 2 tunnel failures?

Thanks.

Nelson
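Two things in this thread lend themselves to a quick check script: the PIX `show crypto ipsec sa` dump in the original post, where two proxy pairs (172.17.20.32/28 and 172.17.20.48/28 towards 62.95.31.224/27) show `current outbound spi: 0` and no ESP SAs, and Nelson's point that the IKE lifetime (600 s in the config) is far shorter than the IPsec SA lifetime (28800 s). The Python below is an added example written for this thread, not code from the original posters or from Cisco. It parses the two formats as they appear above, lists proxy identities that have no live SA, and flags a Phase 1 lifetime shorter than the Phase 2 lifetime. The sample input is a trimmed excerpt of the page's own output and config; the PIX 6.x default lifetimes used when the config is silent (86400 s for `isakmp policy lifetime`, 28800 s for the IPsec SA) are an assumption stated in the code.

```python
import re

# Trimmed excerpt of the PIX 6.x "show crypto ipsec sa" output posted in the thread
# (two proxy identities only; the full dump has eleven).
SAMPLE_SA_OUTPUT = """\
interface: outside
Crypto map tag: bokiasec, local addr. 213.88.189.90

local ident (addr/mask/prot/port): (172.17.20.0/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (192.168.71.0/255.255.255.0/0/0)
current_peer: 62.95.18.163
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest 0
current outbound spi: 7069f5f1
inbound esp sas:
spi: 0x4071afba(1081192378)
sa timing: remaining key lifetime (k/sec): (4607999/28104)
outbound esp sas:
spi: 0x7069f5f1(1885992433)
sa timing: remaining key lifetime (k/sec): (4607999/28104)

local ident (addr/mask/prot/port): (172.17.20.32/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (62.95.31.224/255.255.255.224/0/0)
current_peer: 62.95.18.163
#pkts encaps: 1941, #pkts encrypt: 1941, #pkts digest 0
current outbound spi: 0
inbound esp sas:
outbound esp sas:
"""

# Trimmed excerpt of the PIX config posted in the thread.
SAMPLE_CONFIG = """\
crypto ipsec transform-set halmstadipsec esp-3des
crypto map nissesec 10 ipsec-isakmp
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 600
"""

# Assumed PIX 6.x defaults, applied only when the config does not set a value.
PIX_DEFAULT_IKE_LIFETIME = 86400    # seconds, "isakmp policy <n> lifetime"
PIX_DEFAULT_IPSEC_LIFETIME = 28800  # seconds, "crypto ipsec security-association lifetime seconds"


def parse_ipsec_sa(text):
    """Return one record per proxy identity (local/remote ident pair) in the output."""
    records = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"local ident \(addr/mask/prot/port\): \((\S+)\)", line)
        if m:  # a new proxy identity block starts here
            cur = {"local": m.group(1), "remote": None, "peer": None,
                   "outbound_spi": None, "remaining_sec": []}
            records.append(cur)
            continue
        if cur is None:
            continue  # header lines before the first proxy block
        m = re.match(r"remote ident \(addr/mask/prot/port\): \((\S+)\)", line)
        if m:
            cur["remote"] = m.group(1)
            continue
        m = re.match(r"current_peer: (\S+)", line)
        if m:
            cur["peer"] = m.group(1)
            continue
        m = re.match(r"current outbound spi: ([0-9a-fA-F]+)", line)
        if m:
            cur["outbound_spi"] = int(m.group(1), 16)
            continue
        m = re.match(r"sa timing: remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)", line)
        if m:  # one entry per inbound/outbound ESP SA
            cur["remaining_sec"].append(int(m.group(2)))
    return records


def proxies_without_sa(records):
    """Proxy identities the crypto ACL selects but for which no SA is currently installed."""
    return [(r["local"], r["remote"]) for r in records if r["outbound_spi"] == 0]


def parse_lifetimes(config):
    """Return (ike_lifetime, ipsec_lifetime) in seconds, falling back to the assumed defaults."""
    ike, ipsec = PIX_DEFAULT_IKE_LIFETIME, PIX_DEFAULT_IPSEC_LIFETIME
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"isakmp policy \d+ lifetime (\d+)", line)
        if m:
            ike = int(m.group(1))
        m = re.match(r"crypto ipsec security-association lifetime seconds (\d+)", line)
        if m:
            ipsec = int(m.group(1))
    return ike, ipsec


def rekey_findings(ike_lifetime, ipsec_lifetime):
    """Flag the ordering Nelson calls out: Phase 1 rekeying more often than Phase 2."""
    findings = []
    if ike_lifetime < ipsec_lifetime:
        findings.append(f"IKE lifetime {ike_lifetime}s is shorter than IPsec SA lifetime "
                        f"{ipsec_lifetime}s; Phase 1 will rekey more often than Phase 2")
    return findings


if __name__ == "__main__":
    recs = parse_ipsec_sa(SAMPLE_SA_OUTPUT)
    print(f"{len(recs)} proxy identities, {len(proxies_without_sa(recs))} without a live SA")
    for local, remote in proxies_without_sa(recs):
        print(f"  no SA: {local} -> {remote}")
    for finding in rekey_findings(*parse_lifetimes(SAMPLE_CONFIG)):
        print("  " + finding)
```

Run against the full dump from the original post, the script lists the two 62.95.31.224/27 proxies as having no SA and reports the 600 s versus 28800 s lifetime mismatch from the config; the VPN 3000 side of the comparison (its three listed IPsec sessions against the PIX's eleven proxy identities) is a separate format and is not parsed here.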
