Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations bkrike on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

VPN timeout?

Status
Not open for further replies.
tonymullen

tonymullen

MIS
Jan 3, 2003
68
GB
Hi, I'm wondering if someone can help...

I've got a pix 515 and a pix 501 that share the same subnet for their outside interfaces. I've set a vpn up between the two of them which worked great for a couple of weeks.

Now all of a sudden, the vpn seems to drop for a period of time so a ping -t to the other internal network range returns about 100 successes, and then around 100 fails (I'm not sure if these times are exact or not they are just estimates) before another 100 successes. This cycle just keeps on repeating.

When it fails then a sh crypto isakmp sa still shows that the tunnel is up but no traffic can flow. A sh crypto ipsec sa also shows that the tunnel is up (there are a couple of send errors but they don't seem to be going up - the current number is 3 and this has been going on for a couple of days).

I'm really confused. I've set the logging to notifications on the 501 (I'm reluctant to do this on the 515 due to the amount of traffic flowing through it) and I can't see any issues relating to the vpn.

Has anyone come accross anything like this and more importantly how do you fix it? Any pointers greatly apreciated

Tony
 
Sort by date Sort by votes
No specific solution for you but: Have you determined how far the traffic is getting, if anywhere? You said there were no errors, but are the packet counts incrementing when you do a sho cry ip sa? On both devices in and out?
Have you tried enabling debug icmp trace to see the ICMP packets?
Are the access lists incrementing? Put in a separate line for ICMP to isolate the traffic if need be. Inside-out access list to see traffic counts and help debug if you do not have one.
 
Upvote 0 Downvote
thanks for the reply. icmp access list is incrementing (I only added it for the purposes of testing so its on its own line).

debug icmp trace gives echo request, echo reply when working and then the reply just stops. I can't do that command on the other firewall unless i want to dos it!

packet counts are incrementing on sh crypto ipsec sa. And the ecrypt packet counts are also incrementing. Its as if the tunnel is still up but all traffic stops flowing.... I'm thinking that it might be a good old fashioned reinitialising of the system over the weekend to see if that fixes it. While I'm at it, I might upgrade the ios to see if that helps but I'm really confused with it as I made no changes from what was a working config last week.

Tony
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
842
intel233
intel233
ISDPCMAN
  • Locked
  • Question
RDP fails over VPN
Replies
1
Views
355
gkittelson
gkittelson
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
1K
Shmid
Shmid
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
284
WhosYourDiffie
WhosYourDiffie
ITSUPPORTIT
  • Locked
  • Question
VPN from ASA 5510 and RV215W problem
Replies
0
Views
226
ITSUPPORTIT
ITSUPPORTIT

Part and Inventory Search

Sponsor

Back
Top