Since upgrading to version 7.0(2) from 6.3 on a PIX 525, our site VPN has been experiencing a strange intermittent issue for which I can find no known cause. Clients are able to connect to the PIX, authenticate, and connect to the internal network without any problems most of the time. However, every once in a while (it's happened three times in the past seven months) clients are able to authenticate but unable to connect to the internal network. If the client machine does an nslookup on internal-only servers, they are given proper IP addresses. However, they are unable to access any internal resources.
I have determined that if I add a command like the following:
access-list vpnlist extended permit ip internal ipaddr mask vpnpoolipaddr mask
save the configuration, delete the command above, and resave the configuration, clients are again able to access the internal network like they're supposed to.
Please note my solution: add a rule, save, delete the rule, and save, such that in effect there has been no overall configuration change. This seems to work fine for a while until the next time the VPN "freezes up".
Any input into this situation would be greatly appreciated.