Site to Site IPSEC VPN Drops intermittently

eoin
Level 1

I'm currently having a problem with a Site to Site VPN not passing traffic intermittently. When the problem occurs I cannot ping from the remote site to the HQ site, but I can resolve the problem by pinging from the HQ to the remote site. My network is currently set up as follows:

-------HQ------

Pix 515 Version 7.0(4) with 4 port Ethernet card.

Outside interface connected to DSL Broadband link.

Outside2 Interface connected to Second DSL Broadband link

-------Remote--------

I have 4 remote Sites. 2 sites connect to each Broadband connection at the HQ to spread the load at the HQ

Pix 501 version 6.3(5)

####### The Problem #######

All VPNs successfully establish to the HQ Pix.

Intermittently a remote site will report that they cannot connect to any servers/services in the HQ. When I do a show ipsec crypto sa and show crypto isakmp sa at the HQ there are no entries for the remote site. However, when I do the same on the remote site there is an entry for the HQ. With debugging on the remote site pix I try to ping from a PC to the HQ server and I get the following (see below). If I do a 'clear crypto ipsec Isakmp sa' and 'clear crypto ipsec sa' on the remote site pix I can then successfully ping all servers in the HQ.

This problem seems to have only occurred when I upgraded the pix from a 501 to a 515 and added another 2 remote sites and a second Broadband connection as described above. I am worried that this is a problem with the Pix version 7 software. Any advice would be greatly appreciated.

Carrick-PIX01(config)# logging console 7

Carrick-PIX01(config)# ter mon

Carrick-PIX01(config)# exit

Carrick-PIX01# debug crypto ipsec

Carrick-PIX01# debug crypto isakmp

Carrick-PIX01#

ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3

ISAKMP (0): beginning Main Mode exchange

ISAKMP (0): retransmitting phase 1 (0)...

ISAKMP (0): retransmitting phase 1 (1)...

ISAKMP (0): retransmitting phase 1 (2)...

Carrick-PIX01#

Carrick-PIX01#

ISAKMP (0): retransmitting phase 1 (3)...

Carrick-PIX01#

Carrick-PIX01#

ISAKMP (0): retransmitting phase 1 (4)...IPSEC(key_engine): request timer fired: count = 1,

(identity) local= IP-EXTERNAL, remote= 86.43.74.16,

local_proxy= LAN-OFFICE/255.255.255.0/0/0 (type=4),

remote_proxy= 194.x.x.x.x.255.0/0/0 (type=4)

ISAKMP (0): deleting SA: src IP-EXTERNAL, dst 86.43.74.16

ISADB: reaper checking SA 0x10c167c, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 86.43.74.16/500 not found - peers:1

ISADB: reaper checking SA 0x10ca914, conn_id = 0

1 Accepted Solution

attrgautam
Level 5

Can you force the ISAKMP keepalive and IPsec SA idle time to some value on either side? That should solve the issue.

crypto isakmp keepalive 30

crypto ipsec security-association idletime 60

Let me know if this helps


5 Replies

Thanks for the information.

However, I cannot find the command

crypto ipsec security-association idletime 60

on either the 7.0(4) or 6.3(5) versions of Pix.

See if this helps: crypto ipsec security-association lifetime

More info on this link: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a6.html#wp1026972

Guess idle life can be specified on routers only.

Out of curiosity, is your issue solved?

Hi,

Sorry for the delay in replying.

This seems to have resolved my problem. It has been a week since it last happened. The only command I used was

isakmp keepalive 10 2

on both the HQ site and the remote site. The only explanation I can think of is that there is some sort of bug in the version 7 software which was causing this problem. I never had this problem up until I replaced the HQ site's pix from a 506 to a 515 with version 7 software.
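A simplified model of the failure mode discussed in this thread, added here as an illustration (it is not from the original posts or from Cisco): one peer silently loses its SA while the other keeps a stale one, so traffic initiated from the stale side is encrypted into a black hole until the stale SA is cleared. It shows why a ping from the SA-less side repairs things and how ISAKMP keepalives (DPD) bound the outage; the keepalive retry count before the peer is declared dead is an assumption, not the PIX's actual value.

```python
from dataclasses import dataclass

@dataclass
class Peer:
    name: str
    has_sa: bool = True   # holds an ISAKMP/IPsec SA for the other peer

def try_traffic(src: Peer, dst: Peer) -> bool:
    """src sends one packet toward dst. Returns True if it gets through."""
    if not src.has_sa:
        # No SA: src initiates a fresh negotiation. The responder accepts and
        # replaces any stale SA it held, so both sides are in sync again.
        src.has_sa = dst.has_sa = True
        return True
    # src encrypts with its SA; dst can decrypt only if it still holds that SA.
    return dst.has_sa

def simulate(dpd_interval: int, dpd_retry: int = 2, max_retries: int = 3,
             sa_loss_at: int = 5, horizon: int = 60):
    """HQ silently drops its SA at sa_loss_at; the remote pings HQ once a second.
    dpd_interval=0 means no keepalives. Returns (seconds of failed pings,
    second at which the remote tore down its stale SA, or None).
    max_retries is an assumed count of unanswered retries before 'dead'."""
    hq, remote = Peer("hq"), Peer("remote")
    failed, cleared_at, unanswered, next_probe = 0, None, 0, dpd_interval
    for t in range(horizon):
        if t == sa_loss_at:
            hq.has_sa = False          # e.g. the reaper deleted it, as in the debug
        if dpd_interval and remote.has_sa and t == next_probe:
            if hq.has_sa:              # keepalive answered: reset the counter
                unanswered, next_probe = 0, t + dpd_interval
            else:
                unanswered += 1
                if unanswered > max_retries:
                    remote.has_sa, cleared_at = False, t   # peer declared dead
                    next_probe = t + dpd_interval
                else:
                    next_probe = t + dpd_retry   # retry sooner, like 'isakmp keepalive 10 2'
        if not try_traffic(remote, hq):
            failed += 1
    return failed, cleared_at

def hq_side_ping_repairs() -> bool:
    """The workaround in the thread: a ping from the SA-less side (HQ) forces
    a new negotiation and replaces the remote's stale state."""
    hq, remote = Peer("hq"), Peer("remote")
    hq.has_sa = False
    assert not try_traffic(remote, hq)   # remote -> HQ still black-holes
    return try_traffic(hq, remote) and try_traffic(remote, hq)
```

With keepalives off the remote's pings fail for the rest of the run; with a 10-second keepalive and 2-second retries the stale SA is torn down within seconds and the next ping renegotiates.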
