Static routes on a PIX

Hello,

I've got a PIX-535; the inside interface is connected to a router which then accesses internal networks on many 10.X.X.X subnets.

The VPN tunnel connects to a server on a remote LAN whose IP address is 10.10.1.35

The table looks like this

route inside 10.0.0.0 255.0.0.0 10.7.225.1 1

route outside 0.0.0.0 0.0.0.0 194.75.139.226 1

route outside 10.10.1.35 255.255.255.255 194.75.139.226 1

I've a local server on the DMZ which is continually pinging the remote server.

It works very intermittently; sometimes the local server receives a 'network unreachable' message from the router on the inside.

I think the VPN tunnel is disconnecting (a keepalive issue on the remote ISA server perhaps)

Is the route in the table only valid if the VPN tunnel is up, even though the next hop is always present?

Any help appreciated

Regards, Tony

7 REPLIES

Re: Static routes on a PIX

I would think that the more specific route should take precedence, thus the "route outside 10.10.1.35 255.255.255.255 194.75.139.226" should always be the route. I feel that the PIX doesn't have the intelligence to determine whether the next hop is dead or not and then decide where to forward the packet.

It may be useful to do a traceroute from the DMZ server to 10.10.1.35 multiple times over a certain period.

Also, just wondering whether the DMZ server has been included as part of the no_nat and crypto ACL for the LAN-to-LAN VPN.
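To make the "more specific route wins" point above concrete, here is an added example (my own Python, not from the thread or from Cisco) that parses the three PIX route statements from the question and performs a longest-prefix-match lookup over them. The route lines are copied from the post; the helper names and the test destinations are assumptions of mine. Note what is absent: the lookup never asks whether the next hop or a tunnel behind it is usable, which is the limitation described above.

```python
# Added example (not from the thread): longest-prefix-match over the PIX
# static routes Tony posted. Helper names and test destinations are mine.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The route table exactly as posted in the question.
PIX_ROUTES = [
    "route inside 10.0.0.0 255.0.0.0 10.7.225.1 1",
    "route outside 0.0.0.0 0.0.0.0 194.75.139.226 1",
    "route outside 10.10.1.35 255.255.255.255 194.75.139.226 1",
]


@dataclass(frozen=True)
class Route:
    iface: str
    network: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    metric: int


def parse_pix_route(line: str) -> Route:
    """Parse one PIX 'route <iface> <net> <mask> <gateway> [metric]' line."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a PIX route statement: {line!r}")
    _, iface, net, mask, gateway, *rest = parts
    metric = int(rest[0]) if rest else 1
    # ipaddress accepts a dotted netmask after the slash, so the PIX
    # "<net> <mask>" pair maps straight onto an IPv4Network.
    return Route(iface, ipaddress.IPv4Network(f"{net}/{mask}"),
                 ipaddress.IPv4Address(gateway), metric)


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Return the route a destination selects: longest prefix wins,
    lowest metric breaks ties. Nothing here consults whether the
    next hop, or a tunnel behind it, is actually usable."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in table if dst in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


ROUTES = [parse_pix_route(line) for line in PIX_ROUTES]

if __name__ == "__main__":
    for dst in ("10.10.1.35", "10.10.1.36", "194.75.139.1"):
        r = lookup(ROUTES, dst)
        print(f"{dst:>14} -> {r.iface} via {r.next_hop} ({r.network})")
```

Run as-is it prints the selected route for the remote server (the /32 via outside), for a neighbouring address that only matches the /8 (inside), and for an Internet address (the default). The /32 is chosen for 10.10.1.35 regardless of any tunnel state, which is why a down tunnel cannot be diagnosed from the routing table alone.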


Re: Static routes on a PIX

Hi Jack,

Many thanks for the reply.

Yep, the DMZ server is included in both the nonat and VPN access lists. I'm starting to think it only uses the best match if the VPN tunnel is up.

Cheers, Tony


Re: Static routes on a PIX

Just wondering if you have done the tracert, as it may indicate the actual traffic flow with the VPN on and off.


Re: Static routes on a PIX

Hi, we did try a tracert but the PIX doesn't respond. Actually, the inside router does send back a host unreachable, so the PIX is sending the pings via the inside interface rather than down the VPN tunnel through the outside interface.

It's strange, as it's intermittent.

Cheers, Tony


Re: Static routes on a PIX

Tony,

A long shot, but I wonder if this may be caused by Proxy ARP; it runs by default on both the PIX and Cisco routers.

See if turning it off resolves the issue.

Proxy ARP on the PIX is a sysopt command; to turn it off the command is 'sysopt noproxyarp'.

On the Cisco router interface, 'no ip proxy-arp'.

Andy


Re: Static routes on a PIX

Hello Andy,

That is an interesting command. I've added it and as yet it's looking OK, many thanks.

Tony

PS: the tunnel drops and rebuilds periodically, with the following output; any ideas? (This is a PIX to an ISA server VPN.)

ISADB: reaper checking SA 0x3cd1be4, conn_id = 0
crypto_isakmp_process_block:src:Ext_IP, dest:PIX_Ext_IP spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 1601939786, spi size = 4
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
map_free_entry: freeing entry 3
CRYPTO(epa_release_conn): released conn 3
VPN Peer: IPSEC: Peer ip:Ext_IP/500 Decrementing Ref cnt to:2 Total VPN Peers:1
map_free_entry: freeing entry 4
CRYPTO(epa_release_conn): released conn 4
VPN Peer: IPSEC: Peer ip:Ext_IP/500 Decrementing Ref cnt to:1 Total VPN Peers:1
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): beginning Quick Mode exchange, M-ID of 966977883:39a2e95b
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xf58180fc(4118905084) for SA
        from Ext_IP to PIX_Ext_IP for prot 3

(builds a new tunnel)


Re: Static routes on a PIX

I found running proxy ARP (the default condition) can lead to some odd connection problems, so as it's normally not needed I turn it off.

As for the tunnel drops, over what time period do they drop? There are timers on the IPsec SA which time out; for instance, the default setting for the PIX IPsec SA is 8 hours.

Andy
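The "over what time period do they drop" question above is easiest to answer from a log rather than from watching the console. Here is an added example (my own Python, not from the thread or from Cisco) that scans PIX ISAKMP/IPsec debug output for teardowns (the DELETE payload line) and rebuilds (the Quick Mode line), measures the gap between teardowns, and flags whether each gap lines up with the SA lifetime. The sample lines are constructed: the messages mirror the ones posted earlier in the thread, with an ISO timestamp prepended as a syslog host would stamp them. The 8-hour lifetime and the 5-minute tolerance are assumptions, the first taken from the default quoted above.

```python
# Added example (not from the thread or Cisco): classify PIX IPsec tunnel
# teardowns from timestamped debug output. Sample lines are constructed.
import re
from datetime import datetime, timedelta
from typing import List, Tuple

SA_LIFETIME = timedelta(hours=8)           # assumed: default PIX IPsec SA lifetime per the reply above
LIFETIME_TOLERANCE = timedelta(minutes=5)  # assumed slack for rekey-ahead-of-expiry

TEARDOWN_RE = re.compile(r"ISAKMP \(\d+\): processing DELETE payload")
REBUILD_RE = re.compile(r"ISAKMP \(\d+\): beginning Quick Mode exchange")

# Constructed sample: three teardown/rebuild cycles. The first gap between
# teardowns is a clean 8 hours, the second is only 12 minutes.
SAMPLE_LOG = """\
2024-01-12T08:00:01 ISADB: reaper checking SA 0x3cd1be4, conn_id = 0
2024-01-12T08:00:03 ISAKMP (0): processing DELETE payload. message ID = 1601939786, spi size = 4
2024-01-12T08:00:03 IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
2024-01-12T08:00:04 ISAKMP (0): beginning Quick Mode exchange, M-ID of 966977883:39a2e95b
2024-01-12T16:00:05 ISAKMP (0): processing DELETE payload. message ID = 1601939787, spi size = 4
2024-01-12T16:00:07 ISAKMP (0): beginning Quick Mode exchange, M-ID of 966977884:39a2e95c
2024-01-12T16:12:40 ISAKMP (0): processing DELETE payload. message ID = 1601939788, spi size = 4
2024-01-12T16:12:41 ISAKMP (0): beginning Quick Mode exchange, M-ID of 966977885:39a2e95d
""".splitlines()

Event = Tuple[datetime, str]


def parse_events(lines: List[str]) -> List[Event]:
    """Keep only teardown/rebuild lines, tagged with their timestamp."""
    events = []
    for line in lines:
        stamp, _, msg = line.partition(" ")
        if TEARDOWN_RE.search(msg):
            events.append((datetime.fromisoformat(stamp), "teardown"))
        elif REBUILD_RE.search(msg):
            events.append((datetime.fromisoformat(stamp), "rebuild"))
    return events


def teardown_intervals(events: List[Event]) -> List[timedelta]:
    """Time between consecutive teardowns."""
    times = [t for t, kind in events if kind == "teardown"]
    return [later - earlier for earlier, later in zip(times, times[1:])]


def rebuild_delays(events: List[Event]) -> List[timedelta]:
    """Time from each teardown to the first rebuild that follows it."""
    delays, pending = [], None
    for t, kind in events:
        if kind == "teardown":
            pending = t
        elif kind == "rebuild" and pending is not None:
            delays.append(t - pending)
            pending = None
    return delays


def classify_interval(gap: timedelta) -> str:
    """Does the gap match the SA lifetime, or did the tunnel drop early?"""
    if abs(gap - SA_LIFETIME) <= LIFETIME_TOLERANCE:
        return "lifetime-expiry"
    return "premature" if gap < SA_LIFETIME else "longer-than-lifetime"


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for gap in teardown_intervals(ev):
        print(f"teardown after {gap}: {classify_interval(gap)}")
    for d in rebuild_delays(ev):
        print(f"rebuilt {d.total_seconds():.0f}s after teardown")
```

A run of "lifetime-expiry" results points at the SA timers and is benign as long as the rebuild delay stays small; a "premature" gap means the peer (here the ISA server) or the path tore the tunnel down for some other reason, which is where to look next.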
