04.13.2007 at 03:48PM PDT, ID: 22510829

PIX 515 and Cisco VPN Client keep alive issues
Tags: vpn, cisco, pix, keep, alive
I have a PIX 515E Unrestricted License located at my colocation facility. I have remote access IPSec set up on this firewall and we use the Cisco Systems VPN Client ver. 4.8.01.0300. I have no problems connecting and establishing my tunnel. The problem is that any time I am idle for more than just a few minutes my connection drops. For me this is not a problem, because when I have my tunnel open I am usually actively working through an RDP session; there is enough activity to keep the tunnel alive when I work this way. In fact, I have never had an active tunnel drop on me.
There are a few other remote workers who have some Oracle tools loaded on a work laptop; when they work from home they are often just trying to monitor the state of some of our databases. This connection drops on my DBA constantly. At this point my only working work-around is to have him constantly ping a server behind my firewall (ping 192.168.xxx.xxx -t); this pings a server's internal IP address once every second and keeps the tunnel active for as long as needed. I really don't like this workaround and am trying to fix my config so that this idle drop issue goes away.

Here is some of my PIX config file:

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp keepalive 120 25
isakmp client configuration address-pool local helm-vpn-pool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup VPNUsers address-pool helm-vpn-pool
vpngroup VPNUsers split-tunnel VPN-IN
vpngroup VPNUsers idle-time 86400
vpngroup VPNUsers max-time 86400
vpngroup VPNUsers password ********

(If I missed anything pertinent in this config, let me know and I'll add more information.)

I was also trying to find a way to initiate a keep alive from the client side as well. I found a document that stated I could edit the C:\Program Files\Cisco Systems\VPN Client\profiles\Profile_Name.pcf with WordPad. Changing the line that stated ForceKeepAlives=0 to =1 was supposed to activate the client keep alive. There was no such line in my config file, so I added a ForceKeepAlives=1 statement to the end of my config and restarted the Cisco software. This did not seem to help at all.

I have some debug logging on my firewall; when I connect from my client I see the following output from the CLI interface of my PIX:

ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable.
crypto_isakmp_process_block:src:67.90.66.14, dest:xxx.yyy.zzz.84 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
        spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with     67.90.66.14
ISADB: reaper checking SA 0x133bb3c, conn_id = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a Unity client
ISAKMP (0): SA has been authenticated
ISAKMP: Created a peer struct for 67.90.66.14, peer port 62465
return status is IKMP_NO_ERROR
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:67.90.66.14/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:67.90.66.14/500 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP: peer is a remote access client
crypto_isakmp_process_block:src:67.90.66.14, dest:xxx.yyy.zzz.84 spt:500 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 67.90.66.14. message ID = 17382092
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute    IP4_ADDRESS (1)
ISAKMP: attribute    IP4_NETMASK (2)
ISAKMP: attribute    IP4_DNS (3)
ISAKMP: attribute    IP4_NBNS (4)
ISAKMP: attribute    ADDRESS_EXPIRY (5)
        Unsupported Attr: 5
ISAKMP: attribute    UNKNOWN (28672)
        Unsupported Attr: 28672
ISAKMP: attribute    UNKNOWN (28673)
        Unsupported Attr: 28673
ISAKMP: attribute    ALT_DEF_DOMAIN (28674)
ISAKMP: attribute    ALT_SPLIT_INCLUDE (28676)
ISAKMP: attribute    ALT_SPLITDNS_NAME (28675)
ISAKMP: attribute    ALT_PFS (28679)
ISAKMP: attribute    UNKNOWN (28683)
        Unsupported Attr: 28683
ISAKMP: attribute    ALT_BACKUP_SERVERS (28681)
ISAKMP: attribute    APPLICATION_VERSION (7)
ISAKMP: attribute    UNKNOWN (28680)
        Unsupported Attr: 28680
ISAKMP: attribute    UNKNOWN (28682)
        Unsupported Attr: 28682
ISAKMP: attribute    UNKNOWN (28677)
        Unsupported Attr: 28677
ISAKMP (0:0): responding to peer config from 67.90.66.14. ID = 4291110672
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:67.90.66.14, dest:xxx.yyy.zzz.84 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3567171031

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 256
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b IPSEC(validate_proposal) : transform proposal (prot 3, trans 12, hmac_alg 1) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (1)
ISAKMP : Checking IPSec proposal 2

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 256
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (2)
ISAKMP : Checking IPSec proposal 3

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 1) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (3)
ISAKMP : Checking IPSec proposal 4

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (4)
ISAKMP : Checking IPSec proposal 5

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 256
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 1) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 6

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 256
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 7

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 1) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 8

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not supported
crypto_isakmp_process_block:src:67.90.66.14, dest:xxx.yyy.zzz.84 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
        inbound SA from     67.90.66.14 to      xxx.yyy.zzz.84 (proxy    192.168.99.1 to         0.0.0.0)
        has spi 3971608385 and conn_id 3 and flags 4
        lifetime of 2147483 seconds
        outbound SA from      xxx.yyy.zzz.84 to     67.90.66.14 (proxy         0.0.0.0 to    192.168.99.1)
        has spi 2575934584 and conn_id 4 and flags 4
        lifetime of 2147483 secondsIPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= xxx.yyy.zzz.84, src= 67.90.66.14,
    dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    src_proxy= 192.168.99.1/0.0.0.0/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 2147483s and 0kb,
    spi= 0xecb9ef41(3971608385), conn_id= 3, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
  (key eng. msg.) src= xxx.yyy.zzz.84, dest= 67.90.66.14,
    src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    dest_proxy= 192.168.99.1/0.0.0.0/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 2147483s and 0kb,
    spi= 0x9989a478(2575934584), conn_id= 4, keysize= 0, flags= 0x4

VPN Peer: IPSEC: Peer ip:67.90.66.14/500 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:67.90.66.14/500 Ref cnt incremented to:3 Total VPN Peers:1
return status is IKMP_NO_ERROR
helm-pix01config#
helm-pix01config#

Then, after about 5 minutes of inactivity, I see the firewall send these notify messages. In the Cisco VPN Client logs I see no sign of the client receiving these notify messages; then the firewall drops my connection.

ISADB: reaper checking SA 0x133bb3c, conn_id = 0
ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAKMP (0): DPD: peer not responding!
ISAKMP (0): deleting IPSEC SAs with peer at 67.90.66.14IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with     67.90.66.14

VPN Peer: IPSEC: Peer ip:67.90.66.14/500 Decrementing Ref cnt to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:67.90.66.14/500 Decrementing Ref cnt to:1 Total VPN Peers:1
ISAKMP (0): deleting SA: src 67.90.66.14, dst xxx.yyy.zzz.84
ISADB: reaper checking SA 0x133bb3c, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:67.90.66.14/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:67.90.66.14/500 Total VPN peers:0IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with     67.90.66.14


Once the firewall drops the client, if I attempt to ping anything that should be inside the tunnel, it just times out and I see the following on my firewall:

crypto_isakmp_process_block:src:67.90.66.14, dest:xxx.yyy.zzz.84 spt:500 dpt:500
ISAKMP: sa not found for ike msg

crypto_isakmp_process_block:src:67.90.66.14, dest:xxx.yyy.zzz.84 spt:500 dpt:500
ISAKMP: sa not found for ike msg

crypto_isakmp_process_block:src:67.90.66.14, dest:xxx.yyy.zzz.84 spt:500 dpt:500
ISAKMP: sa not found for ike msg

crypto_isakmp_process_block:src:67.90.66.14, dest:xxx.yyy.zzz.84 spt:500 dpt:500
ISAKMP: sa not found for ike msg

Then a few moments later on the client side I will get an error stating:

Secure VPN Connection terminated by the client.
Reason 412: The remote peer is no longer responding

Can anyone see something wrong with my PIX config or know of some other way to make an idle IPSec tunnel stay alive without having to ping a host behind my firewall?

jmdowling
Question Stats
Zone: Networking
Question Asked By: jmdowling
Solution Provided By: batry_boy
Participating Experts: 2
Solution Grade: B
Views: 236
04.13.2007 at 06:39PM PDT, ID: 18909415

Rank: Sage

Have you tried explicitly setting the ipsec sa lifetime timer?  Like this:

crypto ipsec security-association lifetime seconds 86400
Accepted Solution
 
04.14.2007 at 11:54AM PDT, ID: 18911563

Rank: Genius

Try removing the Keepalive statement from the PIX:
 no isakmp keepalive 120 25
Be sure to remove that ForceKeepAlives=1 from the .pcf file also.

The default is no keepalive. I've never had a problem when using the default setting.
While you "can" edit the .pcf file, the manual edits don't necessarily make any difference because the client is designed to be given its behavior by the vpn endpoint - a VPN3000 concentrator. The fact that it works with PIX is a bonus, but the PIX can't push real client behavior to the client, so you get a very limited feature set. PIX 7.x gives you much more control over client behavior with profiles on the PIX.
 
04.23.2007 at 01:07PM PDT, ID: 18961153
I've tried all the steps above and still seem to have this issue. When I monitor the IPSec connection through PDM I have the following details:

Details for 0.0.0.0/0.0.0.0/0/0 192.168.99.1/255.255.255.255/0/0 at Mon Apr 23 12:58:40 MST 2007
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.99.1/255.255.255.255/0/0)
   current_peer: 67.90.66.14:500
   dynamic allocated peer ip: 192.168.99.1
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0
     local crypto endpt.: 66.45.1.84, remote crypto endpt.: 67.90.66.14
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: fc5d5406
     inbound esp sas:
      spi: 0xc5df42c1(3319743169)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4608000/28780)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xfc5d5406(4233974790)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4608000/28780)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:

As I refresh the stats I see the sa timing: remaining key lifetime (k/sec): (4608000/28780) entry counting down, but the connection drops before the SA lifetime runs out.

I don't see anything in the logs of my Cisco VPN Client; I see the following when monitoring the firewall:
ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAKMP (0): DPD: peer not responding!
ISAKMP (0): deleting IPSEC SAs with peer at 67.90.66.14IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with     67.90.66.14

VPN Peer: IPSEC: Peer ip:67.90.66.14/500 Decrementing Ref cnt to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:67.90.66.14/500 Decrementing Ref cnt to:1 Total VPN Peers:1
ISAKMP (0): deleting SA: src 67.90.66.14, dst 66.45.1.84
ISADB: reaper checking SA 0x137cf34, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:67.90.66.14/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:67.90.66.14/500 Total VPN peers:0IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with     67.90.66.14

The lifetime on my tunnel showed as sa timing: remaining key lifetime (k/sec): (4608000/28465) just before it dropped. I'm just not quite sure what I'm missing here; any help would be greatly appreciated!

thanks in advance,

Jude
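An added example (not part of the question or any of the replies) that turns the PIX "debug crypto isakmp" output quoted in the original question and again in the comment above into a short diagnosis: which client phase-1 transforms the isakmp policy refused, what phase-2 transform was negotiated, how many DPD R-U-THERE probes (notify 36136) went unanswered before the PIX tore the SAs down, and how many later IKE messages hit a deleted SA. The sample log is a constructed, condensed copy of the output on this page; the function and field names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a condensed copy of the PIX 6.x "debug crypto isakmp" output
# quoted in the question and in the last comment above (same peer, same notify numbers).
SAMPLE_LOG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP (0): atts are not acceptable.
ISAKMP (0): SA has been authenticated
ISAKMP: Created a peer struct for 67.90.66.14, peer port 62465
    protocol= ESP, transform= esp-des esp-md5-hmac ,
ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAKMP (0): DPD: peer not responding!
ISAKMP (0): deleting IPSEC SAs with peer at 67.90.66.14
ISAKMP: sa not found for ike msg
"""

DPD_R_U_THERE = 36136      # RFC 3706 notify types: the PIX above keeps sending R-U-THERE
DPD_R_U_THERE_ACK = 36137  # and never logs the R-U-THERE-ACK the client should return

@dataclass
class IsakmpSummary:
    rejected_phase1: List[str] = field(default_factory=list)  # "cipher/hash" per refusal
    peer: Optional[str] = None
    ipsec_transform: Optional[str] = None
    dpd_probes: int = 0
    dpd_failed: bool = False
    stale_ike_msgs: int = 0

def parse_isakmp_debug(text: str) -> IsakmpSummary:
    """Walk 'debug crypto isakmp' lines and collect the events that explain a tunnel drop."""
    s, attrs = IsakmpSummary(), {}
    for line in (raw.strip() for raw in text.splitlines()):
        if re.match(r"ISAKMP \(\d+\): Checking ISAKMP transform \d+", line):
            attrs = {}                       # start of one client phase-1 proposal
        elif m := re.match(r"ISAKMP:\s+(encryption|hash) (\S+)", line):
            attrs[m.group(1)] = m.group(2)
        elif "atts are not acceptable" in line:
            s.rejected_phase1.append(f"{attrs.get('encryption')}/{attrs.get('hash')}")
        elif m := re.search(r"Created a peer struct for ([\d.]+)", line):
            s.peer = m.group(1)
        elif m := re.search(r"transform= (.+?) ,", line):
            s.ipsec_transform = m.group(1).strip()
        elif f"sending NOTIFY message {DPD_R_U_THERE} " in line:
            s.dpd_probes += 1
        elif "DPD: peer not responding" in line:
            s.dpd_failed = True
        elif "sa not found for ike msg" in line:
            s.stale_ike_msgs += 1            # client still talking after the PIX tore the SA down
    return s

def diagnose(s: IsakmpSummary) -> List[str]:
    """Turn the parsed events into the findings an operator would act on."""
    out = []
    if s.rejected_phase1:
        out.append(f"phase 1: {len(s.rejected_phase1)} client transform(s) refused by the "
                   f"isakmp policy ({', '.join(s.rejected_phase1)} offered)")
    if s.ipsec_transform and "esp-des" in s.ipsec_transform.split():
        out.append(f"phase 2: negotiated {s.ipsec_transform}; single DES is obsolete")
    if s.dpd_failed:
        out.append(f"DPD: {s.dpd_probes} R-U-THERE probes (notify {DPD_R_U_THERE}) to {s.peer} "
                   f"got no R-U-THERE-ACK ({DPD_R_U_THERE_ACK}); the PIX, not the client, "
                   "tore the SAs down")
    if s.stale_ike_msgs:
        out.append(f"{s.stale_ike_msgs} IKE message(s) from the peer hit a deleted SA: the "
                   "client never learned the tunnel was gone")
    return out

if __name__ == "__main__":
    for finding in diagnose(parse_isakmp_debug(SAMPLE_LOG)):
        print(" -", finding)
```

Fed the real debug output instead of SAMPLE_LOG, the DPD finding is the one that matches the "sending NOTIFY message 36136" runs in both posts, and a count of zero answered probes is the signal to look at the keepalive setting rather than at the SA lifetimes that the PDM output shows still counting down.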