Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Intermittent Connection Issue

Since upgrading to version 7.0(2) from 6.3 on a PIX 525 our site VPN has been experiencing a strange intermittent issue that I can find no known cause. Clients are able to connect to the PIX, authenticate, and connect to the internal network without any problems most of the time. However, every once in a while (its happened three times in the past seven months) clients are able to authenticate but unable to connect to the internal network. If the client machine does an nslookup on internal only servers they are given proper ip addresses. However, they are unable to access any internal resources.

I have determined that if I add a command like the following:

access-list vpnlist extended permit ip internal ipaddr mask vpnpoolipaddr mask

Save the configuration, delete the command above and resave the configuration clients are able to again access the internal network like they're supposed to.

Please note my solution: add a rule, save, delete the rule, and save such that in effect there has been no overall configuration change. This seems to work fine for a while until the next time the vpn "freezes up".

Any input into this situation would be greatly appreciated.


New Member

Re: Intermittent Connection Issue

Might be a misconfiguration issue.

1)Make sure your ip local pool does not overlap your internal network. Is there enought ip's for every single user connecting to the pix?

2)Make sure nonat is enable:

eg nat (inside) 0 access-list vpn-nonat

access-list vpn-nonat permit ip ip_internal_network mask ip_local_pool mask

How about the following commands on the pix:

"clear isakmp sa"

"clear ipsec sa"


New Member

Re: Intermittent Connection Issue

Also check for isakmp/ipsec (phase 1 and 2) parameters changes from the previous version.