Pix anti-replay check

I have an issue with a VPN connection to a customer firewall. Our end is dual ASA 5520s running in active/passive mode, while the far end is a Pix 506 running 6.3 SW.

When testing failover using hard ASA resets, sometimes the VPN breaks and the Pix shows anti-replay check failures: things have got out of sequence and the Pix is rightfully dropping the packets.

The customer doesn't like this and I'm looking for a solution.

On IOS, there is a new feature (http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455ad4.html) that can expand the anti-replay window to 1024 packets from the default of 64.

The question is: is there anything similar for the Pix?

Thanks a lot
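As an added illustration that is not part of this thread, here is a Python model of the ESP receiver's sliding anti-replay window (in the style of RFC 4303 Appendix A). It shows why a packet that arrives more than 64 sequence numbers behind the newest one is dropped by a 64-packet window but accepted by a 1024-packet window, and why a genuine replay is rejected whatever the window size. The packet streams are constructed samples.

```python
class AntiReplayWindow:
    """Sliding anti-replay window as an ESP receiver applies it.
    `top` is the highest sequence number accepted so far; bit i of
    `bitmap` is set when sequence number (top - i) has been received.
    Sequence-number wrap (32-bit / ESN) is deliberately not modelled."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """Accept and record `seq`, or reject it as too old / a replay."""
        if seq == 0:                       # seq 0 is never valid for ESP
            return False
        if seq > self.top:                 # newer than anything seen: slide window right
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1            # whole old window falls off the left edge
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                   # older than the left edge: "out of sequence" drop
        if self.bitmap & (1 << diff):
            return False                   # already received: replay
        self.bitmap |= 1 << diff           # late but still inside the window: accept once
        return True


def simulate(window_size: int, stream):
    """Feed a sequence-number stream through a window; return (accepted, dropped)."""
    win = AntiReplayWindow(window_size)
    accepted = sum(1 for s in stream if win.check(s))
    return accepted, len(stream) - accepted


def delayed_stream(delayed=range(50, 60), total=900):
    """Constructed sample: packets 1..total in order, except that the
    `delayed` ones are held back and arrive only after all the others."""
    late = set(delayed)
    return [s for s in range(1, total + 1) if s not in late] + list(delayed)


if __name__ == "__main__":
    print("64-packet window:  ", simulate(64, delayed_stream()))    # (890, 10)
    print("1024-packet window:", simulate(1024, delayed_stream()))  # (900, 0)
    print("replay, any window:", simulate(64, [1, 2, 3, 2]))         # (3, 1)
```

Note that a packet carrying an already-seen sequence number is refused even by the large window, so widening it trades only reordering tolerance, not replay protection.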

6 REPLIES

Re: Pix anti-replay check

If you set an isakmp keepalive on both endpoints, then both endpoints detect quite fast that the tunnel has been gone for a few seconds, and then the tunnel will re-establish nicely with new SAs.

Do you have one of the firewalls behind a nat-router?


Re: Pix anti-replay check

Thanks, that works fine. I should have thought of that, but I'm new to PIX.

Cheers,

Des


Re: Pix anti-replay check

Hi again,

I lab tested this and it worked fine, but when testing with the customer it didn't, which is typical. Now even the lab test doesn't work, which I don't understand.

The Pix end doesn't seem to tear down the SAs - it appears to me that it sees the keepalives and replies happily, but the encrypted packets are still being dropped.

The debugs on the Pix show

ISAMKP (0): received DPD_R_U_THERE from peer REMOTE_ASA_GATEWAY
ISAKMP (0): sending NOTIFY message 36137 protocol 1

which looks to me like a successful keepalive sent and received, is that correct? These debugs repeat, followed by the Pix sending

return status is IKMP_NO_ERR_NO_TRANS

until the SAs are manually cleared. Anyone seen this before?

Thanks,

Des


Re: Pix anti-replay check

Can you send me the output for

show start | include isakmp

This command outputs the startup config, but it will only show the isakmp options.

It could be that something else is playing up now. What version of PIX are you using?

The keepalives on ASA 7.0, PIX 7.0 and later are configured differently.


Re: Pix anti-replay check

I've just done some more testing - occasionally it tears down the SA, occasionally it doesn't. The Pix is version 6.3, while the ASAs are 7.2.2.

Pix config is

pixfirewall# sh conf | i isakmp
crypto map outside_map 20 ipsec-isakmp
isakmp enable outside
isakmp key ******** address ASA_GATEWAY_IP netmask 255.255.255.255 no-xauth no-config-mode
isakmp keepalive 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

Thanks


Re: Pix anti-replay check

Ok, perhaps some extra testing.

Can you tell me which side initiates the teardown? Is that the PIX or the ASA?

My guess is that the PIX tears down, but not the ASA.

Can you issue the following command on the asa:

tunnel-group ipsec-attributes

isakmp keepalive threshold 10 retry 2

With ASA 7.x, you can set the ISAKMP keep alive per isakmp peer / tunnel-group.

Hope this helps

PJ
