
Limited Connectivity on PIX501-to-3005 VPN Concentrator Tunnel


sjjnks (MIS, US), May 28, 2002
I have several small branch offices doing site-to-site VPN tunnels. Three are doing PIX(501)-to-PIX(515) and seem to work fine.

Two are doing PIX(501)-to-3005 and have always done fine until recently.

The reason we want all the tunnels to terminate at the 3005 is because in the PIX-to-PIX scenario, we can't have Satellite1 talk to Satellite2. Each Satellite can only communicate with the hub. We'll eventually need the satellites to talk to each other, as well.

This works beautifully with the two satellites whose tunnels terminate on the 3005.

However, just recently, one of the satellite offices added a few nodes, to take them from 10 to 14, which includes the PIX, a server and four printers. There are eight users. If four or fewer are in the office, everything is fine. But if five or more are in the office, some can't get in. Evidently, no more than ten nodes can cross the tunnel at any time.

One of the users down there power-cycled the PIX and users could connect, but then they couldn't print (from the mainframe, located behind the 3005 at the hub). Or the server wouldn't respond (to attempts from outside the local LAN).

Locally, everything worked fine. They all had IPs and could hit the server and ping each other. They could print locally if they wanted to. They just couldn't get through the tunnel. Like it limited it to 10 connections.

I've verified that the PIX 501 we have is a 50-user, but I'm starting to wonder if it is a limitation in the number of IKE tunnels, which is limited to 10? That is the number of connections they can establish.

Thanks in advance.
 
K. Forget what I said.

I fought and fought to get PDM 3.0 working before finding out it was a Java issue. Been a while since I had to use it. *sigh*

Anyway, it turns out the 10 IKE Peer limitation is not the problem.

It's the 50-client inside limit. Even though there are only 14 nodes internally (including the PIX itself) the thing climbs to 50. After that, no new connections can be made across the tunnel, despite their connections working locally just fine.

We even unplugged EVERY SINGLE node on their local network except the PIX and it would climb to 50 connections. Nobody was even on it!
 
While I haven't discovered the source of the problem yet, I *have* figured out how to circumvent it.

Doing a:

show local-host

revealed tons of IP addresses (clients) on the inside that didn't really exist. Apparently, there is some virus or something causing IPs to be spoofed to gain access outside.

Entered the following:

ip verify reverse-path interface inside

to only allow "real" nodes to get out. This limited the actual licenses used to equal the number of active nodes inside the network.

Now to track down the source of the virus/worm that's generating all the bogus IPs.

Thanks to everyone for the help! ;-)
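
The workaround described in the post above, as an added example that is not part of the original thread or the poster's own work: a small Python script that parses "show local-host" output and separates hosts that really belong to the inside LAN subnet from source addresses the inside interface has no route back to. Those are exactly the packets that "ip verify reverse-path interface inside" (unicast RPF) drops, so the second count is what the PIX would charge against its inside-host license once the command is in place. The sample output is constructed in the PIX 6.x "local host: <a.b.c.d>," layout, not the poster's actual output; the inside subnet 192.168.10.0/24 and the 50-host license figure are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample of PIX 6.x "show local-host" output (not from the original
# post). The inside LAN is assumed to be 192.168.10.0/24; three of the five
# "local hosts" below are addresses that do not exist on that LAN at all.
SHOW_LOCAL_HOST = """\
Interface inside: 5 active, 5 maximum active, 0 denied
local host: <192.168.10.5>,
    TCP connection count/limit = 1/unlimited
    TCP embryonic count = 0
    UDP connection count/limit = 0/unlimited
  Conn(s):
    TCP out 10.1.1.20:23 in 192.168.10.5:1033 idle 0:00:02 Bytes 3104 flags UIO
local host: <192.168.10.7>,
    TCP connection count/limit = 0/unlimited
    UDP connection count/limit = 1/unlimited
local host: <198.51.100.23>,
    TCP connection count/limit = 2/unlimited
local host: <203.0.113.77>,
    TCP connection count/limit = 1/unlimited
local host: <10.200.3.1>,
    UDP connection count/limit = 3/unlimited
"""

# One "local host: <ip>," line per inside host the PIX is tracking.
LOCAL_HOST_RE = re.compile(r"^local host:\s*<(\d{1,3}(?:\.\d{1,3}){3})>", re.MULTILINE)


def parse_local_hosts(text):
    """Return the tracked inside-host addresses, in the order the PIX lists them."""
    return [ipaddress.ip_address(addr) for addr in LOCAL_HOST_RE.findall(text)]


def classify_hosts(text, inside_subnet):
    """Split tracked hosts into addresses on the real inside subnet and everything else.

    Unicast RPF on the inside interface only passes a packet when the route back
    to its source points out that same interface. With a single connected subnet
    on "inside", anything outside that subnet fails the check and is dropped, so
    the second list is what "ip verify reverse-path interface inside" removes.
    """
    net = ipaddress.ip_network(inside_subnet)
    on_lan, spoofed = [], []
    for ip in parse_local_hosts(text):
        (on_lan if ip in net else spoofed).append(str(ip))
    return on_lan, spoofed


def license_report(text, inside_subnet, license_limit=50):
    """Compare the local-host table against the PIX inside-host license.

    license_limit=50 is the assumed figure for a 50-user PIX 501. "over_limit"
    is True once every licensed slot is consumed, which is when new inside hosts
    can no longer get a connection through the firewall.
    """
    on_lan, spoofed = classify_hosts(text, inside_subnet)
    used = len(on_lan) + len(spoofed)
    return {
        "inside_hosts": on_lan,
        "spoofed_hosts": spoofed,
        "license_used": used,
        "license_limit": license_limit,
        "license_used_after_rpf": len(on_lan),
        "over_limit": used >= license_limit,
    }


if __name__ == "__main__":
    report = license_report(SHOW_LOCAL_HOST, "192.168.10.0/24")
    print(f"licensed hosts in use: {report['license_used']}/{report['license_limit']}")
    print(f"real inside hosts    : {report['inside_hosts']}")
    print(f"would be dropped by uRPF: {report['spoofed_hosts']}")
    print(f"licensed hosts after uRPF: {report['license_used_after_rpf']}")
```

Running the script against real output pasted from the console gives the same split the poster worked out by hand: the addresses in the "spoofed" list are the ones eating license slots, and the host generating them is the one to go looking for on the LAN (the PIX only sees the forged source address, so identifying the machine means checking MAC-to-IP mappings or switch port counters locally).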
 