Juggling a 501-501 idle VPN tunnel

Here is the config for the remote PIX 501.  I read the article that deals with 'enable or disable ISAKMP KeepAlive'.  I configured isakmp KeepAlive on the two PIX 501.  When there is no traffic, the VPN usually drops, sometimes within a few hours, sometimes within a few days.  It boils down to right upward when the remote start traffic.

But my questions are: can I configure it to always stay up?  A missed keepalive is the origin of the tunnel to deleted?  Is this how it is 501?

Thanks for all the comments.

Don - pix # sh conf
: Saved
: Written by enable_15 at 11:42:11.280 UTC Saturday, January 2, 1993
6.3 (5) PIX version
interface ethernet0 car
interface ethernet1 100full
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
activate the encrypted password
encrypted passwd
hostname don - pix
domain name
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
name xxx.xxx.xxx.xxx ocean-pix-outside
list-access internet-traffic permit ip 192.168.1.0 255.255.255.0 any
Allow Access-list allowed a whole icmp ping
permit access-list toOcean-nat ip 192.168.1.0 255.255.255.0 192.168.27.0 255.255
. 255.0
access-list gift-to-ocean-vpn ip 10.10.3.0 allow 255.255.255.0 192.168.27.0 255.
255.255.0
pager lines 24
ICMP deny everything outside
Outside 1500 MTU
Within 1500 MTU
IP address outside dhcp setroute
IP address inside 192.168.1.1 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
PDM logging 100 information
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 1 list-access internet-traffic 0 0
public static 10.10.3.0 (inside, outside) access-list toOcean-nat 0 0
group-access allowed to ping in external interface
Timeout xlate 0:05:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + 3 max-failed-attempts
AAA-server GANYMEDE + deadtime 10
RADIUS Protocol RADIUS AAA server
AAA-server RADIUS 3 max-failed-attempts
AAA-RADIUS deadtime 10 Server
AAA-server local LOCAL Protocol
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Permitted connection ipsec sysopt
Crypto ipsec transform-set esp ocean - esp-md5-hmac
toOcean 20 ipsec-isakmp crypto map
card crypto toOcean 20 match address gift-to-ocean-vpn
card crypto toOcean 20 peers set ocean-pix-outside
Ocean toOcean 20 transform-set card crypto
toOcean interface card crypto outside
ISAKMP allows outside
ISAKMP key * address ocean-pix-outside netmask 255.255.255.255
ISAKMP keepalive 60
part of pre authentication ISAKMP policy 9
encryption of ISAKMP policy 9
ISAKMP policy 9 md5 hash
9 2 ISAKMP policy group
ISAKMP policy 9 life 86400
Telnet 192.168.1.0 255.255.255.0 inside
Telnet 192.168.27.0 255.255.255.0 inside
Telnet timeout 30
SSH 0.0.0.0 0.0.0.0 inside
SSH timeout 5
management-access inside
Console timeout 0
dhcpd address 192.168.1.2 - 192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd outside auto_config
dhcpd allow inside
Terminal width 80
Cryptochecksum:
Don - pix #.

Chris,

I couldn't be entirely on the money here.

But I believe that DPD is not sent, unless there is no traffic back for a period of time.

You should have 1 missed keepalive followed by 5 aggressive testing. If your settings there should be an interruption of the connection of some 01:10 + variance

Normally, no timeout should apply to a L2L tunnels.

If you want to see a reason for tunnel having fallen, I'm afraid it would get debugs the disconnection.

Marcin

Tags: Cisco Security

Similar Questions

  • VPN tunnel between 3 places

    Expertise of expensive

    Recently we hava configured vpn tunnel between two locations. Want to create a tunnel vpn on a third location. What configuration will be valid on the version of firewall cisco PIX 501 6.3.4.

    Please see thr existing pix config at two location.

    Please post the latest config?

  • Using the same set processing on several site to site VPN tunnels

    Hi all. I have a rather strange situation about site-to-site VPN tunnel.

    On the one hand, I have a PIX 501 and on the other end an ASA5505 and a tunnel set up between them.

    The problem is that on the side of the PIX, I can't establish a tunnel, but when the traffic starts on the side of the ASA the tunnel established as usual.

    I checked the configurations on both ends and keys, passwords, mirror that LCD seems OK. The only thing that comes to my attention, it's that I have the same set of transformation used for 2 different tunnel on the side of PIX.

    Can I use the same set of transformation on several tunnels or should I set a different transformation for each tunnel? Could be the source of the problem?

    Use it on PIX

    card crypto set pfs group2

    Or on ASA, use:

    card crypto set pfs Group1

  • life of VPN tunnel

    Hello!

    I have a question about the life of vpn tunnel. We have two pix 501. A pix has a public ip address on the external interface, the other pix has a dynamic assigned ip address on the external interface. The thing is that only one side can launch the tunnel initially, it's ok, but we don't want the tunnel ever to descend, so communication can be launched from both sides when the tunnel is up, it is very important. Is there any solution for this? / Best regards

    Try keepavlive get in place with the command function

    ISAKMP keepalive 10

    M.

  • Profile VPN (tunnel group) under the same IP pool

    Hello

    I have on my clients VPN from Cisco ASA 5510 works perfectly. The thing is that now I want to create a new profile or a tunnel in order to create the new cause of ACL I want to restrict only to certain hosts. But I don't know if I can do it under the same IP pool. If the answer is yes how could bind the new tunnel group to the correct ACL.

    This is my config:

    vpnxxxx list of allowed ip extended access all 192.168.125.0 255.255.255.0

    IP local pool ippool 192.168.125.10 - 192.168.125.254

    NAT (outside) 1 192.168.125.0 255.255.255.0

    NAT (inside) 0-list of access vpnxxxx

    RADIUS Protocol RADIUS AAA server

    RADIUS protocol AAA-server partnerauth

    AAA-server partnerauth (inside) host xxxx.xxxx.xxxx.xxxx

    key xxxx

    Crypto-map dynamic dynmap1 20 set transform-set Myset1

    lifespan 20 set security-association crypto dynamic-map dynmap1 seconds 28800

    Crypto-map dynamic dynmap1 20 kilobytes of life together - the association of safety 4608000

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    internal group RA - VPN strategy

    attributes of RA-VPN-group policy

    Server DNS 172.16.1.100 value

    VPN-idle-timeout 30

    Protocol-tunnel-VPN IPSec l2tp ipsec webvpn

    Split-tunnel-policy tunnelspecified

    type tunnel-group RA - VPN remote access

    General-attributes of RA - VPN Tunnel-group

    ippool address pool

    authentication-server-group (outside partnerauth)

    Group Policy - by default-RA-VPN

    tunnel-group RA - VPN ipsec-attributes

    pre-shared-key *.

    Thank you

    The command is "vpn-filter" in the Group Policy section.

    Define a group policy for each group of tunnel and select it with 'by default-group-policy' in the section of the tunnel.

  • Keep Site to Site VPN Tunnel active for monitoring

    Hi all

    I have a configured site-to-site VPN tunnel only happen when the traffic generated from the remote peer. is it possible to keep the still active tunnel once after the tunnel is established.

    My requirement is to monitor VPN to see availability, so need to ping one of the natd(8) ip on the remote end, but it will come only when the traffic generated end peer.  currently the timers of default on SA is configured

    Help, please...

    Thank you

    Mikael

    TARGET_GP group policy attributes

    VPN-idle-timeout no

  • SBS 2008 office1 Serv2008 Office 2 need to share assets between them via a site to site VPN tunnel

    Hi all.

    I really need help on this one.

    The office 1 installer running SBS2008 Office 2 running Server 2008.

    Each firm has its own FQDN Office 1 CompanyABC 2 A_B_C of the company office.

    Each firm has its own internal IP address pool Office 1 192.168.69.xxx and office 192.168.20.xxx 2.

    Site to site VPN tunnel between 2 office routers Netgear SRX5308 1 and 2 Netgear FVS318G Office established and working.

    Each firm has its own DNS server and acts as a domain controller

    How to configure the 2 networks to see each other and be able to use assets on every network (files, printers)?

    Is it so simple that the addition of another pool internal IP for each DNS server?

    Thanks in advance for your help.

    Hello

    Your Question is beyond the scope of this community.

    I suggest that repost you your question in the Forums of SBS.

    https://social.technet.Microsoft.com/forums/en-us/home?Forum=smallbusinessserver

    "Windows Small Business Server 2011 Essentials online help"

    https://msdn.Microsoft.com/en-us/library/home-client.aspx

    TechNet Server forums.

    http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer

    See you soon.

  • LRT224 impossible to deal simultaneously with more than one VPN tunnel?

    We have configured a client to gateway VPN tunnel group and six in the tunnels of single user gateway on a LRT224. Each unique connection works perfectly using Shrew soft client. But when we try to connect with a second tunnel, the first tunnel disconnects. It seems that the LRT224 cannot process more than one VPN tunnel at the same time? Is there any configuration, that we would have missed?

    TLR log seem to indicate that the Shrew Soft customers use all 192.168.30.0 that their IP address instead of a random IP address in this range.

    Try to set each Shrew Soft client with a specific IP address in the 192.168.30.1 - 50 rank instead of ' use virtual adapter and address randomly.

  • 3500 x vpn tunnel

    I need to establish a vpn connection between my office and a computer over the internet, allowing access to the internal of the outside lan. I have a problem with my router and I am looking for a new.

    Can I use x 3500 to establish a pptp vpn tunnel or it can work only as vpn passthrough?

    This modem/router supports VPN passthrough for IPSec, PPTP and L2TP only. Try VPN Linksys Gigabit routers like the series of the LRT.

  • RV042 VPN tunnel with Samsung Ubigate ibg2600 need help

    Hi all, ok before I completely remove all of my hair, I thought stop by here and ask the volume for you all with the hope that someone can track down the problem.

    In short I am configuring a 'Gateway to gateway' vpn tunnel between two sites, I don't have access to the config of the router from Samsung, but the ISPS making sure that they followed my setup - watching newspapers RV042, I don't however see the reason for the failure - im no expert vpn...

    Sorry if the log file turns on a bit, I didn't know where the beginning and the end was stupid I know... any advice would be greatly welcomed lol.

    System log
    Current time: Fri Sep 2 03:37:52 2009 all THE Log Log Log Log VPN Firewall Access system
     
    Time
    Type of event Message
    2 sep 03:36:01 2009 value of VPN Log [Tunnel negotiation Info] Inbound SPI = c3bdba08
    2 sep 03:36:01 2009 value of outbound SPI VPN Log [Tunnel negotiation Info] = c664c1ca
    2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > initiator send fast Mode 3rd package
    2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] Quick Mode Phase 2 SA established, IPSec Tunnel connected
    2 sep 03:36:02 2009 VPN journal Dead Peer Detection start, DPD delay = timeout = 10 sec 10 sec timer
    2 sep 03:36:02 2009 VPN received log delete SA payload: ISAKMP State #627 removal
    2 sep 03:36:02 2009 VPN Log Main Mode initiator
    2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > Send main initiator Mode 1 package
    2 sep 03:36:02 2009 charge of VPN journal received Vendor ID Type = [Dead Peer Detection]
    2 sep 03:36:02 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" main="" mode="" 2nd="" packet="">
    2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > initiator send Mode main 3rd package
    2 sep 03:36:03 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" main="" mode="" 4th="" packet="">
    2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > main initiator Mode to send 5 packs
    2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > initiator receive hand Mode 6 Pack
    2 sep 03:36:03 2009 log VPN main mode peer ID is ID_IPV4_ADDR: '87.85.xxx.xxx '.
    2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN Mode main Phase 1 SA established
    2 sep 03:36:03 2009 log VPN [Tunnel negotiation Info] initiator Cookies = c527 d584 595 c 2c3b
    2 sep 03:36:03 2009 log VPN [Tunnel negotiation Info] responder Cookies = b62c ca31 1a5f 673f
    2 sep 03:36:03 2009 log quick launch Mode PSK VPN + TUNNEL + PFS
    2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > initiator send fast Mode 1 package
    2 sep 03:36:04 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" quick="" mode="" 2nd="" packet="">
    2 sep 03:36:04 2009 value of VPN Log [Tunnel negotiation Info] Inbound SPI = c3bdba09
    2 sep 03:36:04 2009 value of outbound SPI VPN Log [Tunnel negotiation Info] = e3da1469
    2 sep 03:36:04 2009 VPN Log [Tunnel negotiation Info] > initiator send fast Mode 3rd package
    2 sep 03:36:04 2009 VPN Log [Tunnel negotiation Info] Quick Mode Phase 2 SA established, IPSec Tunnel connected
    2 sep 03:36:04 2009 VPN journal Dead Peer Detection start, DPD delay = timeout = 10 sec 10 sec timer
    2 sep 03:36:05 2009 VPN received log delete SA payload: ISAKMP State #629 removal

    PFS - off on tada and linksys router does not support the samsung lol! connected!

  • VPN connected, stream out of VPN tunnel

    I mean that we have in place of the VPN Sites manage to sites with 2 RV042 router but it seams not as I wanted. Are you sure that each transfer of data through Router 2 will go into the VPN tunnel or it shuts down the VPN tunnel. I checked the routing table and saw that:

    Sources mask Gateway Interface

    2 1 or wan wan IP 255.255.255.0 ipsec0 private

    By default 0.0.0.0 (ip wan 1 or 2) wan1 or wan2

    .........

    So what you think what sense data will pass through the line, it will go through the ipsec section or through wan1 or wan2. Ofcouse each data will pass through wan1 or wan2, but it can go inside the ipsec tunnel or ipsec outside tunnel. If she goes inside the ipsec tunnel, everything is ok, but if this isn't the case, transfer of unsecured data. I'm trying to access some website is not in private ip and it was outside ipsec tunnel go, I can capture and now that you have access.

    Why with linksys have 2 work as draytek product even photos follow:

    Can someone help me to answer this question, thank you for your attention

    1. it depends on what the tunnels of your business allows. As I've written before, there are other protocols that allows you to route traffic through the VPN tunnel. Only IPSec cannot do this. For example, if your company uses GRE over IPSec then they can route traffic through their tunnels. Your RV does not support this.

    2. If it's really plain IPSec then you cannot configure several subnets. You can try to implement the security group remote as a subnet more grand, such as 10.0.0.0/8. Of course the groups must match on both sides.

    3. If you want to route all traffic through the tunnel, and then try to set the local/remote security to 0.0.0.0/0.0.0.0 group. Maybe it works.

    The configuration of IPSec in the RV042 does not allow extremely complex configurations. It's mainly to connect two subnets between them.

  • VPN tunnel cascade w / SW NSA FWs

    Hello

    I have questions about VPN cascading between 3 firewall SonicWALL NSA. Let me explain my situation and what I want to achieve.

    As shown in the diagram above, I have 3 branches connected to the Internet, which advanced to the LAN is the NSA SW FW. There is a VPN tunnel between each site: Site_A Site_ B, Site_A Site_ C, Site_B Site_ C. The Internet of the Site A traffic is redirected to the Site B. This Site A Cross Site B to access the Internet and LAN B. Site A through C access LAN C Site.

    My question is: is it possible to remove the tunnel VPN Site_A-Site_C to and instead, through Site B to C LAN access? If so, how you can achieve this configuration?

    What worries me is the VPN tunnel options that allow you to redirect all Internet traffic or a specific destination of LAN through objects (screenshots from Site A) address:

    Without the redirection of Internet traffic, I thought about creating a group of addresses, including 2 B LAN and LAN C address objects. But I want to keep the Internet through Site B traffic redirection.

    What do you think?

    Thanks in advance for your help.

    Hello

    My comments below:

    If you route indeed all traffic from A to B, the following must fill.

    1. remove the tunnel A C

    Ok.

    2. site B will have A subnet that is defined as a local resource for C

    Do you mean this by local resource?

    3 C is going to have A subnet defined as remote resource

    Ok.

    If you route any traffic from A to B, the following must fill.

    First step would be to remove the tunnel VPN between A and C, but I guess that you have assumed that it was already done.

    1. define the C subnet as a remote resource on Site A

    Yes, like a remote network for the A - B VPN tunnel.

    2. tunnel of site B to A will need to subnet C defined as local resource

    Ok.

    3. tunnel of site B and C will need subnet defined as local resource

    Ok.

    4. the site will need to subnet C has defined as remote resource

    Yes.

    I'll do a test soon with 3 sites and see how it goes.

  • Routing access to Internet through an IPSec VPN Tunnel

    Hello

    I installed a VPN IPSec tunnel for a friend's business. At his desk at home, I installed a Cisco SA520 and at it is remote from the site I have a Cisco RVS4000. The IPSec VPN tunnel works very well. The remote site, it can hit all of its workstations and peripheral. I configured the RVS4000 working in router mode as opposed to the bridge. In the Home Office subnet is 192.168.1.0/24 while the subnet to the remote site is 192.168.2.0/24. The SA520 is configured as Internet gateway for the headquarters to 192.168.1.1. The remote desktop has a gateway 192.168.2.1.

    I need to configure the remote site so that all Internet traffic will be routed via the Home Office. I have to make sure that whatever it is plugged into the Ethernet on the RVS4000 port will have its Internet traffic routed through the Internet connection on the SA520. Currently I can ping any device on the headquarters of the remote desktop, but I can't ping anything beyond the gateway (192.168.1.1) in the Home Office.

    Any help would be greatly appreciated.

    Thank you.

    Hi William, the rvs4000 does not support the tunnel or esp transfer wild-card.

  • ASA Syslog via a VPN Tunnel

    Hi all

    I have a little problem concerning ASA and syslogs. I have a tunnel from site to site between a local ASA and ASA distance. Behind the ASA local, I have a central syslog server (which has no ASA as default gateway) which collects messages from all network devices and I want to get messages from the ASA remote as well.

    The tunnel protects traffic between local networks behind each ASA, which includes ASA inside remote interface as well. The problem is that if I specify on the SAA distance my syslog server it does not pass through the VPN tunnel. The ASA remote sees my server syslog as being 'outside' so he's using the external IP address as the source-interface for the syslog message. Which of course does not pass through the tunnel. As much as I know there is no way to configure the interface source for logging under the SAA, that you can do on a normal IOS router.

    I've found a few documents explaining this Setup on CCO, but they all imply I have extend the list for interesting traffic to access allow remote UDP/514 of the PIX traffic outside my local syslog server interface. This isn't something I want to do what I would get in routing complication in my LAN with a public IP address of the ASA remote.

    Any suggestions? I thought I could use some sort of NAT on the ASA remote so that all traffic for my local network a source the remote PIX is translated on the inside interface, which in theory should pass the package via the tunnel. I did not go so far.

    Any help is appreciated.

    Best regards

    Stefan

    You can define the interface that the ASA will use to send the newspapers "syslog_ip host record.

    Make sure you also do "access management".

    Then the SAA should source the syslogs from inside the interface, which is probably encrypted with the crypto ACL.

    I hope it helps.

    PK

  • VPN tunnel between the concentrator 3005 and router Cisco 827

    I am trying to establish a VPN tunnel between the Central Office with VPN 3005 and controller branch Cisco 827 router.

    There is a router of perimeter with access set up in front of the 3005 list.

    I quote the ACLs on the Central perimeter router instructionsuivante to allow traffic to permit ip 3005 - acl 101 all 193.188.X.X (address of the hub)

    I get the following message appears when I try to ping a local host in the Central site.

    Can Anyoune give me the correct steps to 827 and 3005.

    Thank you

    CCNP Ansar.

    ------------------------------------------------------------------------------------------------------

    Debug crypto ISAKMP

    encryption of debugging engine

    Debug crypto his

    debug output

    ------------------

    1d20h: IPSEC (sa_request):,.

    (Eng. msg key.) Local OUTGOING = 172.22.113.41, distance = 193.188.108.165.

    local_proxy = 202.71.244.160/255.255.255.240/0/0 (type = 4),

    remote_proxy = 128.128.1.78/255.255.255.255/0/0 (type = 1),

    Protocol = ESP, transform = esp - esp-md5-hmac.

    lifedur = 3600 s and KB 4608000,

    SPI = 0x83B8AC1B (2209917979), id_conn = 0, keysize = 0, flags = 0x400D

    1d20h: ISAKMP: ke received message (1/1)

    1d20h: ISAKMP: 500 local port, remote port 500

    1d20h: ISAKMP (0:1): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

    Former State = new State IKE_READY = IKE_I_MM1

    1d20h: ISAKMP (0:1): early changes of Main Mode

    1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

    1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE...

    1d20h: ISAKMP (0:1): will increment the error counter on his: retransmit the phase 1

    1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE

    1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

    1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE...

    1d20h: ISAKMP (0:1): will increment the error counter on his: retransmit the phase 1

    1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE

    1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

    1d20h: IPSEC (key_engine): request timer shot: count = 1,.

    You must also allow the esp Protocol in your ACL.

    access-list 101 permit esp any host x.x.x.x (address of the hub)

    Hope this helps,

    -Nairi

Maybe you are looking for