Pix anti-replay check

desmckee
Level 1
I have an issue with a VPN connection to a customer firewall. Our end is dual ASA 5520s running in active/passive mode, while the far end is a Pix 506 running 6.3 SW.

When testing failover using hard ASA resets, sometimes the VPN breaks and the Pix shows anti-replay check failures: things have got out of sequence and the Pix is rightfully dropping the packets.

The customer doesn't like this and I'm looking for a solution.

On IOS, there is a new feature (http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455ad4.html) that can expand the anti-replay window to 1024 packets from the default of 64.

The question is, is there anything similar for the Pix?

Thanks a lot
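To make the failure mode in the question concrete, here is a small model of the receiver-side anti-replay window that ESP uses (the sliding bitmap from RFC 4303, Appendix A). It is an added illustration, not code from this thread or from Cisco, and the sequence numbers, the "lost in transit" set and the arrival order are constructed. It shows the two distinct reasons a packet is dropped: it is a genuine replay (already accepted), or it is unseen but has fallen more than one window length behind the highest sequence number accepted. Only the second kind is cured by a wider window, which is why `simulate(64)` and `simulate(1024)` differ on the late stragglers but agree on the duplicates.

```python
"""Model of the IPsec ESP anti-replay sliding window (RFC 4303, Appendix A).

Added example: the window logic follows the RFC; all sample sequence
numbers and loss patterns below are constructed for illustration.
"""

from typing import Dict, List, Tuple


class AntiReplayWindow:
    """Receiver-side anti-replay state for one inbound IPsec SA.

    `top` is the highest sequence number accepted so far; bit i of
    `bitmap` records whether sequence number (top - i) has been seen.
    A sequence number more than `size` behind `top` is rejected even if
    it was never seen, because the receiver has no record of it anymore.
    """

    def __init__(self, size: int = 64) -> None:
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> str:
        """Return 'accepted', 'replay' or 'too-old' for one received packet."""
        if seq <= 0:
            return "too-old"  # ESP sequence numbers start at 1
        mask = (1 << self.size) - 1
        if seq > self.top:
            # Newer than anything seen: slide the window forward so that
            # bit 0 now represents `seq`; older bits shift up and drop off.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return "accepted"
        diff = self.top - seq
        if diff >= self.size:
            return "too-old"  # behind the window: no record, must drop
        if (self.bitmap >> diff) & 1:
            return "replay"  # inside the window and already accepted
        self.bitmap |= 1 << diff
        return "accepted"


# Constructed sample: the receiver processed sequence numbers 1..2000 in
# order, except for three packets that were lost in transit.
PRIMED_UP_TO = 2000
NEVER_ARRIVED = {1000, 1200, 1950}

# Constructed arrival order afterwards: in-order packets, a reordered pair,
# a duplicate of 2003, a duplicate of 1500, then the three late stragglers.
LATE_ARRIVALS = [2001, 2002, 2005, 2003, 2004, 2003, 1500, 1950, 1200, 1000]


def simulate(window_size: int) -> List[Tuple[int, str]]:
    """Replay the constructed traffic through a window of the given size."""
    window = AntiReplayWindow(window_size)
    for seq in range(1, PRIMED_UP_TO + 1):
        if seq not in NEVER_ARRIVED:
            window.check_and_update(seq)
    return [(seq, window.check_and_update(seq)) for seq in LATE_ARRIVALS]


def summarize(window_size: int) -> Dict[str, int]:
    """Count verdicts for one window size."""
    counts = {"accepted": 0, "replay": 0, "too-old": 0}
    for _, verdict in simulate(window_size):
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for size in (64, 1024):
        print(f"window {size:>4}: {summarize(size)}")
        for seq, verdict in simulate(size):
            print(f"  seq {seq:>5} -> {verdict}")
```

Real implementations simply drop both kinds and count them in one anti-replay counter, which is all the Pix debugs in this thread show; the split here is only to make the distinction visible. Note that packet 1500 is rejected at both window sizes because the receiver already accepted it, so widening the window does not help when the sender itself starts re-using sequence numbers the peer has seen.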

nefkensp
Level 5
If you set an isakmp keepalive on both endpoints, then both endpoints detect quite fast that the tunnel has been gone for a few seconds, and the tunnel will re-establish nicely with new SAs.

Do you have one of the firewalls behind a nat-router?

Thanks, that works fine. I should have thought of that, but I'm new to the Pix.

Cheers,

Des

Hi again,

I lab tested this and it worked fine, but when testing with the customer it didn't, which is typical. Now even the lab test doesn't work, which I don't understand.

The Pix end doesn't seem to tear down the SAs - it appears to me that it sees the keepalives and replies happily, but the encrypted packets are still being dropped.

The debugs on the Pix show:

ISAMKP (0): received DPD_R_U_THERE from peer REMOTE_ASA_GATEWAY
ISAKMP (0): sending NOTIFY message 36137 protocol 1

which looks to me like a successful keepalive sent and received, is that correct? These debugs repeat, followed by the Pix sending

return status is IKMP_NO_ERR_NO_TRANS

until the SAs are manually cleared. Anyone seen this before?

Thanks,

Des

Can you send me the output for:

show start | include isakmp

This command outputs the startup config, but it will only show the isakmp options.

It could be that something else is playing up now. What version of PIX are you using?

The keepalives on ASA 7.0, PIX 7.0 and later are configured differently.

I've just done some more testing - occasionally it tears down the SA, occasionally it doesn't. The Pix is version 6.3, while the ASAs are 7.2.2.

Pix config is:

pixfirewall# sh conf | i isakmp
crypto map outside_map 20 ipsec-isakmp
isakmp enable outside
isakmp key ******** address ASA_GATEWAY_IP netmask 255.255.255.255 no-xauth no-config-mode
isakmp keepalive 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

Thanks

OK, perhaps some extra testing...

Can you tell me which side initiates the teardown? Is that the PIX or the ASA?

My guess is that the PIX tears down, but not the ASA.

Can you issue the following commands on the ASA:

tunnel-group ipsec-attributes
isakmp keepalive threshold 10 retry 2

With ASA 7.x, you can set the ISAKMP keepalive per ISAKMP peer / tunnel-group.

Hope this helps

PJ
