02-14-2007 07:26 AM - edited 02-21-2020 02:52 PM
Hi all,
I have configured my pix 515e 7.0(4) as a VPN concentrator.
The connection works, but the VPN stays up for a period that can be
from 20 minutes to about 2 hours.
The pix interfaces are connected to a L3 switch Alcatel 7700,
802.1q VLANs are configured because I have 3 ETH on the PIX and
wanted to use VLANs to gain some more zones with my physical interfaces.
I paste the interface configuration on the PIX
****************************************************************************
interface Ethernet0
no nameif
no security-level
no ip address
!
interface Ethernet0.4094
vlan 4094
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248 standby x.x.x.x
!
interface Ethernet1
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet1.100
vlan 100
nameif inside
security-level 100
ip address x.x.x.x 255.255.255.0 standby x.x.x.x
!
interface Ethernet2
description STATE Failover Interface
!
******************************************************************
As the VPN disconnects (reason 433 on VPN client 4.8.01.0300),
on the PIX log there is
Feb 14 2007 15:51:19: %PIX-3-713123: Group = cup_terminal, Username = TESTUSER, IP = X.X.X.X , IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Feb 14 2007 15:51:19: %PIX-4-113019: Group = cup_terminal, Username = TESTUSER, IP = X.X.X.X , Session disconnected. Session Type: IPSecOverTCP, Duration: 0h:21m:25s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service
Looking for a reason, what I found is:
Interface Ethernet1 "", is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
Available but not configured via nameif
MAC address 0017.9514.8a24, MTU not set
IP address unassigned
291476 packets input, 56333857 bytes, 0 no buffer
Received 230045 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
195560 L2 decode drops
67039 packets output, 7648949 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/6)
output queue (curr/max blocks): hardware (0/6) software (0/1)
L2 decode drops are very high on both of the interfaces.
I couldn't find much about this counter, just this explanation:
L2 decode drops
The number of packets dropped because the name is not configured (nameif command)
or a frame with an invalid VLAN id is received.
Is such behaviour normal given that I have configured subinterfaces?
Could it be an 802.1q problem with the switch?
Before I change my configuration by erasing the subinterfaces, what else could I try?
Any suggestion will be appreciated.
Thanks,
Marco.
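Two checks a practitioner would want to automate while chasing this kind of drop: correlate the %PIX-3-713123 "lost contact (keepalive type: DPD)" message with the %PIX-4-113019 disconnect that follows it for the same user and IP, so DPD-driven teardowns stand out from user-initiated ones, and pull the L2 decode drop counter out of `show interface` as a fraction of input packets. The block below is an added example written for this thread, not code from the poster or from Cisco; the log lines and interface excerpt are constructed from the messages quoted above (addresses and the second user are placeholders).

```python
import re

# Constructed sample log lines, modelled on the two PIX messages quoted above.
# Addresses and the second user are placeholders, not values from the thread.
SAMPLE_SYSLOG = """\
Feb 14 2007 15:51:19: %PIX-3-713123: Group = cup_terminal, Username = TESTUSER, IP = 192.0.2.10 , IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Feb 14 2007 15:51:19: %PIX-4-113019: Group = cup_terminal, Username = TESTUSER, IP = 192.0.2.10 , Session disconnected. Session Type: IPSecOverTCP, Duration: 0h:21m:25s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service
Feb 14 2007 18:02:40: %PIX-4-113019: Group = cup_terminal, Username = OTHERUSER, IP = 192.0.2.11 , Session disconnected. Session Type: IPSecOverTCP, Duration: 3h:10m:05s, Bytes xmt: 12345, Bytes rcv: 6789, Reason: User Requested
"""

# Constructed excerpt of "show interface" output, using the counters quoted in the thread.
SAMPLE_SHOW_INTERFACE = """\
Interface Ethernet1 "", is up, line protocol is up
Available but not configured via nameif
291476 packets input, 56333857 bytes, 0 no buffer
Received 230045 broadcasts, 0 runts, 0 giants
195560 L2 decode drops
67039 packets output, 7648949 bytes, 0 underruns
"""

LOST_CONTACT_RE = re.compile(
    r"%PIX-3-713123: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<ip>\S+) ,"
    r".*keepalive type: (?P<keepalive>\w+)"
)
DISCONNECT_RE = re.compile(
    r"%PIX-4-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<ip>\S+) ,"
    r".*Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+?)\s*$"
)


def parse_sessions(syslog_text):
    """Return one dict per %PIX-4-113019 disconnect, tagged with whether a
    %PIX-3-713123 'lost contact' message preceded it for the same user/IP."""
    pending_loss = {}   # (user, ip) -> keepalive type named in the 713123 message
    sessions = []
    for line in syslog_text.splitlines():
        m = LOST_CONTACT_RE.search(line)
        if m:
            pending_loss[(m["user"], m["ip"])] = m["keepalive"]
            continue
        m = DISCONNECT_RE.search(line)
        if not m:
            continue
        key = (m["user"], m["ip"])
        sessions.append({
            "user": m["user"],
            "ip": m["ip"],
            "duration_s": int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
            "bytes_xmt": int(m["xmt"]),
            "bytes_rcv": int(m["rcv"]),
            "reason": m["reason"],
            "lost_via": pending_loss.pop(key, None),   # "DPD" when keepalives failed, else None
        })
    return sessions


def dpd_drops(sessions):
    """Sessions torn down after a keepalive (DPD) failure rather than by the user."""
    return [s for s in sessions if s["lost_via"] == "DPD"]


def l2_decode_drop_stats(show_interface_text):
    """Pull packets input, broadcasts and L2 decode drops out of 'show interface'
    and express the drops as a fraction of input packets."""
    def grab(pattern):
        m = re.search(pattern, show_interface_text)
        return int(m.group(1)) if m else 0
    stats = {
        "packets_input": grab(r"(\d+) packets input"),
        "broadcasts": grab(r"Received (\d+) broadcasts"),
        "l2_decode_drops": grab(r"(\d+) L2 decode drops"),
    }
    stats["drop_fraction"] = (
        stats["l2_decode_drops"] / stats["packets_input"] if stats["packets_input"] else 0.0
    )
    return stats


if __name__ == "__main__":
    for s in dpd_drops(parse_sessions(SAMPLE_SYSLOG)):
        print(f"{s['user']}@{s['ip']}: lost after {s['duration_s']}s, "
              f"xmt={s['bytes_xmt']} rcv={s['bytes_rcv']} reason={s['reason']}")
    st = l2_decode_drop_stats(SAMPLE_SHOW_INTERFACE)
    print(f"L2 decode drops: {st['l2_decode_drops']} of {st['packets_input']} input "
          f"packets ({st['drop_fraction']:.1%}), broadcasts received: {st['broadcasts']}")
```

Run over a day of syslog, the DPD list gives you the distribution of session lengths at the moment the PIX stopped hearing the peer, which is the number to compare against the idle and session timers; the interface stats let you watch whether the L2 decode counter climbs in step with the broadcasts the switch sends on the untagged parent interface or with the disconnects.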
02-14-2007 07:33 AM
Hi Marco,
You might want to look into things like... vpn client idle timeout, maximum connection time, increasing the keepalive interval etc.
HTH,
Kamal
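For reference, the three knobs named above live in two places on PIX/ASA 7.x: the idle and maximum session timers on the group policy, and the DPD keepalive timers on the tunnel group. The fragment below is an added illustration for this thread, not configuration taken from Marco's PIX or from Cisco; the group-policy name and every value are assumptions, and the tunnel-group name is the one that appears in the log lines.

```text
! Added example, not from the thread; names and values are placeholders.
! Idle and maximum session timers are set on the group policy, in minutes ('none' = no limit).
group-policy cup_terminal_policy attributes
 vpn-idle-timeout 30
 vpn-session-timeout none
! DPD timers are set on the tunnel group: 'threshold' is how many seconds the peer may be
! silent before the PIX starts sending DPD probes, 'retry' the seconds between retries.
tunnel-group cup_terminal ipsec-attributes
 isakmp keepalive threshold 300 retry 2
```

Compare the session durations in the disconnect messages against these timers before changing anything: a session that ends at 21 minutes with an idle timeout of 30 minutes and no session limit was not ended by either timer, which points back at the DPD exchange and the path under it.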
02-15-2007 09:01 AM
Hi Kamal,
thanks for your interest.
Idle timeout and maximum connection time are
quite high; the connection drops much earlier.
Keepalive interval... what value could I try?
I add the configuration on the PIX, together with some debug both on the PIX
and the client side.
On the client side I put a ping through the tunnel; the request timeout on the client happened while on the PIX side
debug crypto isakmp 7
showed that it wasn't able to reach the peer.
I was trying to rule out an Internet problem;
what else can I do to troubleshoot?
Marco.
02-15-2007 11:36 AM
I think the default keepalive interval is 300 seconds for RA. But I'm not sure that necessarily explains why your DPD messages are not being replied to.