networking-forum.com
Community BlogCommunity Wiki * Register  * Search  * Login
View unanswered postsView active topics

Board index » Cisco Networking » Cisco Security

All times are UTC - 6 hours [ DST ]


Post new topic Reply to topic  Page 1 of 1
  [ 3 posts ] 
  Print view Previous topic | Next topic 
Author Message
AWilderbeast
PostPosted: Wed Jun 13, 2012 10:08 am 
Offline
Ultimate Member
Ultimate Member

Joined: Mon Oct 20, 2008 3:49 am
Posts: 726
Location: Hull
Certs: CCNA,CCNA - Securtiy, MCITP EA
Hi all,

We have a few users connecting to another companies Firewall using the Cisco VPN Client, we are pretty sure our PIX (sat at the edge of our network) is causing issues whereby after an unknown amount of time the VPN client will timeout and lose connectivity.

I did outputted some level 7 debug to syslog and I cannot see anything that happens during the time he has lost connectivity

I can see his RDP packets getting denied to the remote ends private IP address but nothing that shows a denial or a drop of anything from our pix.

We are sure its this pix as we used to connect via a different route and a different pix and it never dropped

any ideas?
protocols, anything?

Thanks

_________________
CCNA, CCNA Security
Top
 Profile  
 
mynd
PostPosted: Wed Jun 13, 2012 11:42 am 
Offline
Senior Member
Senior Member
User avatar

Joined: Fri Jul 23, 2010 9:43 am
Posts: 337
Location: Central Ohio
Certs: A+, Net+, Sec+, Server+
Could be happening during the rekey of the IPSec tunnel. You can ask the other company what they have the rekey time set to and see if the VPN loses connectivity about the same time. If this is true, and iirc, the VPN server will initialize the rekey, so the PIX may be blocking it due to not having a valid connection attempt from internal. In other words, the PIX may not be expecting the traffic from outside, since it does not have a valid connection to un-translate the connection to.

As for what to do:
1) Check your outside ACL to ensure UDP 4500 is permitted through (or 500 if your are not NATing)
2) Not sure if it is valid on the PIX, but on the ASA you can inspect ipsec traffic to have it pass through ACLs (inspect ipsec-pass-thru)

--Richard

_________________
http://justnetworked.wordpress.com
Top
 Profile  
 
AWilderbeast
PostPosted: Fri Jun 15, 2012 3:54 am 
Offline
Ultimate Member
Ultimate Member

Joined: Mon Oct 20, 2008 3:49 am
Posts: 726
Location: Hull
Certs: CCNA,CCNA - Securtiy, MCITP EA
the outbound acl permits this, i also read an inbound one could fix it, although it hasnt and no counters have moved on the inbound one

its fixup on the pix and apparently using that will only allow 1 person 1 connection at a time and will prevent any other vpn connectivity (site to site/inbound remote access etc) you have to disable isakmp

it seems a common thing though just google "vpn client behind pix" pages of errors from all different clients with errors going through a pix
alot of suggestions where the inbound acl which didnt work and nat traversal 20 which was already enabled
those problems where mostly "no access behind the pix" but we have access it just drops
so havent found anything as similar as our issues yet

you guys have any ideas?
Thanks

_________________
CCNA, CCNA Security
Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  Page 1 of 1
  [ 3 posts ] 

Board index » Cisco Networking » Cisco Security

All times are UTC - 6 hours [ DST ]

Who is online

Users browsing this forum: No registered users and 17 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group