AWilderbeast
Ultimate Member
Posts:
800
Joined:
Mon Oct 20, 2008 3:49 am
Certs:
CCNA, CCNA Security, MCITP EA

VPN Client connects externally, our pix causing issues?

Wed Jun 13, 2012 10:08 am

Hi all,

We have a few users connecting to another company's firewall using the Cisco VPN Client. We are pretty sure our PIX (sitting at the edge of our network) is causing issues whereby, after an unknown amount of time, the VPN client will time out and lose connectivity.

I did output some level 7 debug to syslog and I cannot see anything that happens during the time he has lost connectivity.

I can see his RDP packets getting denied to the remote end's private IP address, but nothing that shows a denial or a drop of anything from our PIX.

We are sure it's this PIX, as we used to connect via a different route and a different PIX and it never dropped.

Any ideas?
Protocols, anything?

Thanks
alexwilloughby.com
CCNA, CCNA Security, MCITP EA

mynd
Ultimate Member
Posts:
881
Joined:
Fri Jul 23, 2010 9:43 am
Certs:
CCNA, A+, Net+, Sec+, Server+

Re: VPN Client connects externally, our pix causing issues?

Wed Jun 13, 2012 11:42 am

Could be happening during the rekey of the IPSec tunnel. You can ask the other company what they have the rekey time set to and see if the VPN loses connectivity about the same time. If this is true, and iirc, the VPN server will initialize the rekey, so the PIX may be blocking it due to not having a valid connection attempt from internal. In other words, the PIX may not be expecting the traffic from outside, since it does not have a valid connection to un-translate the connection to.

As for what to do:
1) Check your outside ACL to ensure UDP 4500 is permitted through (or 500 if you are not NATing)
2) Not sure if it is valid on the PIX, but on the ASA you can inspect ipsec traffic to have it pass through ACLs (inspect ipsec-pass-thru)

--Richard
http://justnetworked.wordpress.com
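One way to check Richard's rekey hypothesis against the level 7 syslog the original poster collected, as an added example that is not from this thread: it pulls ACL denies (PIX/ASA message 106023) of UDP 500/4500 out of constructed PIX log lines and flags those landing near a multiple of the remote peer's rekey interval. The sample lines, addresses, session start time and the 3600-second rekey interval are all assumptions.

```python
import re
from datetime import datetime

# Regex for PIX/ASA message 106023 ("Deny <proto> ... by access-group"). The
# layout follows Cisco's documented format; the lines below are constructed.
DENY_RE = re.compile(
    r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}).*?%(?:PIX|ASA)-4-106023: "
    r"Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
IKE_PORTS = {500, 4500}  # ISAKMP and NAT-T: what the remote peer sends during a rekey

# Constructed sample syslog (assumed, not from the thread): one RDP deny like the
# poster's symptom, one UDP/4500 deny mid-session, one UDP/4500 deny at the 1h mark.
SAMPLE_LOG = [
    'Jun 13 2012 09:20:00: %PIX-4-106023: Deny udp src outside:203.0.113.5/4500 '
    'dst inside:192.168.1.10/4500 by access-group "outside_in" [0x0, 0x0]',
    'Jun 13 2012 09:30:00: %PIX-4-106023: Deny tcp src inside:192.168.1.10/51000 '
    'dst outside:10.50.0.7/3389 by access-group "inside_out" [0x0, 0x0]',
    'Jun 13 2012 10:00:12: %PIX-4-106023: Deny udp src outside:203.0.113.5/4500 '
    'dst inside:192.168.1.10/4500 by access-group "outside_in" [0x0, 0x0]',
]
SESSION_START = datetime(2012, 6, 13, 9, 0, 0)  # assumed time the client tunnel came up

def find_ike_denies(lines):
    """Return (timestamp, src, dst, dport, acl) for each denied UDP 500/4500 packet."""
    hits = []
    for line in lines:
        m = DENY_RE.search(line)
        if not m or m["proto"].lower() != "udp" or int(m["dport"]) not in IKE_PORTS:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        hits.append((ts, m["src"], m["dst"], int(m["dport"]), m["acl"]))
    return hits

def denies_near_rekey(hits, session_start, rekey_seconds, window=60):
    """Keep denies within `window` seconds of a multiple of the peer's rekey interval."""
    near = []
    for hit in hits:
        elapsed = (hit[0] - session_start).total_seconds()
        offset = elapsed % rekey_seconds
        if elapsed >= rekey_seconds - window and min(offset, rekey_seconds - offset) <= window:
            near.append(hit)
    return near

if __name__ == "__main__":
    for hit in denies_near_rekey(find_ike_denies(SAMPLE_LOG), SESSION_START, 3600):
        print("IKE/NAT-T deny near rekey boundary:", hit)
```

If the flagged denies line up with the interval the other company reports, that supports Richard's explanation; if none appear, the drop is happening somewhere the ACL log does not show.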

AWilderbeast
Ultimate Member
Posts:
800
Joined:
Mon Oct 20, 2008 3:49 am
Certs:
CCNA, CCNA Security, MCITP EA

Re: VPN Client connects externally, our pix causing issues?

Fri Jun 15, 2012 3:54 am

The outbound ACL permits this. I also read an inbound one could fix it, although it hasn't, and no counters have moved on the inbound one.

It's fixup on the PIX, and apparently using that will only allow one person one connection at a time and will prevent any other VPN connectivity (site to site/inbound remote access etc.); you have to disable isakmp.

It seems a common thing though; just google "vpn client behind pix": pages of errors from all different clients with errors going through a PIX.
A lot of suggestions were the inbound ACL, which didn't work, and NAT traversal 20, which was already enabled.
Those problems were mostly "no access behind the PIX", but we have access, it just drops.
So I haven't found anything as similar as our issue yet.

You guys have any ideas?
Thanks
alexwilloughby.com
CCNA, CCNA Security, MCITP EA
