
New Member

VPN 3000 to PIX - IP Conflict messages - IP Pool depletion

The scenario looks like this:

VPN-Client
|
|
Internet
|
|
Cisco VPN 3000 Concentrator Version 3.6.5
|
|
PIX 415 firewall

I have set up an IP pool on the VPN Concentrator and allocated it to a Group. All works well if the PIX is disconnected and an IPsec tunnel succeeds. As soon as the PIX is reconnected, the available IPs in the pool are depleted (sequential "IP Conflict" messages for each pool address in the VPN 3000 syslog) and reconnection fails. Take the PIX out and all is well again! There are no other hosts on the private VPN back LAN. Replace the PIX with a host laptop and all works well.

Help appreciated.

3 REPLIES
Cisco Employee

Re: VPN 3000 to PIX - IP Conflict messages - IP Pool depletion

Sounds weird. Do you have any statics in the PIX for the 3000 IP pool range? If so, the PIX is probably proxy ARPing for them, but I didn't actually think the 3000 checked to see if something else had that address before allocating one to a client, but maybe it does.

On the PIX, try turning off proxy ARPing and see if that resolves it.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/s.htm#xtocid25

New Member

Re: VPN 3000 to PIX - IP Conflict messages - IP Pool depletion

There are no statics in the PIX for the 3000 IP pool range. I also suspected proxy ARP, but from the VPN 3000. I can ping the interface of the PIX but get no response for a pool address. I guess this indicates the PIX is not proxy ARPing. I await a sniffer trace today to see what's going on 'twixt the VPN 3000 and the PIX!

Thanks

New Member

Re: VPN 3000 to PIX - IP Conflict messages - IP Pool depletion

Seems proxy ARP was the problem! It is on by default on the PIX and has been disabled with

#sysopt noproxyarp

Assuming the VPN 3000 does ARP out before assigning an address from the IP pool. FYI - in this case the VPN 3000 interface address is within the IP pool range subnet.

All works well now - help appreciated!
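The failure mode the thread settles on (a concentrator that ARP-probes each pool address before handing it out, and a neighbour with proxy ARP enabled answering every probe) as a small added model. This is illustration code, not Cisco's implementation; the 10.1.1.0/24 addresses and the log wording are constructed.

```python
from ipaddress import IPv4Address, ip_address, ip_network


class Host:
    """Ordinary host: answers ARP only for its own address."""

    def __init__(self, addr):
        self.addr = ip_address(addr)

    def answers_arp(self, target):
        return target == self.addr


class Firewall:
    """Firewall on the same LAN. With proxy_arp=True it answers ARP for any
    address in the subnet it routes (the behaviour the thread attributes to
    the PIX with the default setting); with proxy_arp=False only its own."""

    def __init__(self, addr, subnet, proxy_arp=True):
        self.addr = ip_address(addr)
        self.subnet = ip_network(subnet)
        self.proxy_arp = proxy_arp

    def answers_arp(self, target):
        if target == self.addr:
            return True
        return self.proxy_arp and target in self.subnet


def make_pool(first, last):
    """Inclusive range of IPv4 addresses, like a concentrator address pool."""
    lo, hi = int(ip_address(first)), int(ip_address(last))
    return [IPv4Address(i) for i in range(lo, hi + 1)]


def allocate_from_pool(pool, neighbours):
    """Model of conflict-checked allocation: probe each candidate, skip it
    (logging a conflict) if any neighbour answers, hand out the first silent
    one. Returns (assigned address or None, list of conflict log lines)."""
    conflicts = []
    for candidate in pool:
        if any(n.answers_arp(candidate) for n in neighbours):
            conflicts.append(f"IP Conflict: {candidate} answered ARP probe")
            continue
        return candidate, conflicts
    return None, conflicts  # pool depleted: every address "in use"
```

With proxy ARP on, every probe is answered, so the whole pool is logged as conflicts and nothing is assigned; with it off, only a genuinely occupied address is skipped.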
