Solved

Cisco VPN Client Connecting to Cisco PIX 515 Gets Disconnected after a Short Time. Remote Peer No Longer Responding

Posted on 2004-11-30
4,833 Views
Last Modified: 2008-01-09
We have a Cisco 515 at one of our clients, and they are using Cisco VPN Client software at all of the remote locations so that people can come in with a local address and use a terminal emulator which connects to one of two Linux servers.  The VPN connection at one client will not stay connected.  It connects, and you can sometimes ping the PIX 515 and other servers at the main office, but as soon as you initialize the terminal emulator and connect to the Linux server the computer sits for maybe 5 minutes until it times out and the VPN drops out.  Many times, even after connecting, you cannot even ping the Linux servers or the PIX.  Any ideas?
Question by:NickGT20
20 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 12706039
Hi NickGT20,
What software version are you running on the PIX?
What version VPN client are you using?
What do the remote locations use as their firewall/router?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12706836
Sounds like this one client may be behind another nat router. Have you enabled isakmp nat-transparency on the 515?
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12714827
Could also be an MTU issue:

http://www.dslreports.com/faq/695
0
 
LVL 2

Author Comment

by:NickGT20
ID: 12763632
The client is 4.0.2D and it's a 515E.  Sorry it took so long to get back to you guys.  Remote locations are all different, unfortunately, because they are not our clients.  Technically we offer support for the one company with the PIX 515 and support to the VPN users.  I do about 30 companies.  Anyway, today it's something different: when I set up a persistent ping to the local 192.168.174.1 address of the PIX while they are connected on the VPN, and a persistent outside ping of the address, I am getting a reply from a different IP than the one I am pinging and a "TTL expired in transit" error.
0
 
LVL 2

Author Comment

by:NickGT20
ID: 12763666
The PIX 515 is running version 6.3(1).
0
 
LVL 36

Expert Comment

by:grblades
ID: 12763684
Client 4.0.2D is fairly old now. I would try version 4.6 as it fixes some issues with XP SP2 anyway.
What software version are you running on the PIX?
I suggest you run at least 6.3(3)124 as it fixes a security problem.
0
 
LVL 2

Author Comment

by:NickGT20
ID: 12763729
It's now been about 10 minutes and the VPN session dropped out with a "Secure VPN Connection terminated locally by the Client.  Reason: The Remote Peer is no longer responding."
0
 
LVL 2

Author Comment

by:NickGT20
ID: 12763817
How easy is it to upgrade the PIX?  I'm still getting used to the PIXes; I have only been dealing with this client for a month and a half, but I have a 501 at home now that my boss bought me to learn on, and I have been reading some things.
0
 
LVL 36

Expert Comment

by:grblades
ID: 12763898
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12764716
Are you saying that if you connect the VPN client, it stays up forever, but if you initiate a terminal emulator package the VPN connection drops?
0
 
LVL 2

Author Comment

by:NickGT20
ID: 12766942
That seems to be the case.  But I think it's when a certain number of packets go out over the VPN to tell you the truth.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12771869
There are two IPsec expiry parameters: one is based on time, the other on bytes.
The problem you describe hints at either ISAKMP or IPsec keys expiring after a certain number of bytes have been sent.
The industry standard is to set key expiry based around seconds rather than bytes...
Can we see the PIX 515 config to verify this?
0
 
LVL 2

Author Comment

by:NickGT20
ID: 12773685
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xrDZXViOycrHvx0L encrypted
passwd xrDZXViOycrHvx0L encrypted
hostname MBMS44
domain-name MBMS.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
no names
name 192.168.172.0 mbms25
name 192.168.173.0 mbms12
name 192.168.174.0 mbms44
name 192.168.171.0 north
name 192.168.179.0 lewistown
name 192.168.175.0 hunt
name 192.168.178.0 state
name 192.168.176.0 somerset
name 192.168.170.0 reading
name 10.1.1.0 india1
name 172.26.173.130 hahnemann
name 160.109.75.40 Hahnemann
name 172.26.173.0 hahnemann1
name 64.32.254.226 Greg
name 192.168.177.0 walnut
name 68.82.25.69 carlisle
access-list inbound permit icmp any any
access-list inbound permit tcp any host 141.158.23.82 eq ftp
access-list inbound permit tcp any host 141.158.23.82 eq pcanywhere-data
access-list inbound permit tcp any host 141.158.23.82 eq 5632
access-list inbound permit tcp any host 141.158.23.82 eq 8080
access-list inbound permit tcp any host 141.158.23.82 eq 1024
access-list inbound permit tcp any host 141.158.23.82 eq 1025
access-list inbound permit tcp any host 141.158.23.82 eq 1026
access-list inbound permit tcp any host 141.158.23.82 eq 1027
access-list inbound permit tcp any host 141.158.23.82 eq 1028
access-list inbound permit tcp any host 141.158.23.82 eq 1029
access-list inbound permit tcp any host 141.158.23.82 eq 1030
access-list inbound permit tcp any host 141.158.23.82 eq 1031
access-list inbound permit tcp any host 141.158.23.82 eq 1032
access-list inbound permit tcp any host 141.158.23.82 eq 1033
access-list inbound permit tcp any host 141.158.23.82 eq 1034
access-list inside_outbound_nat0_acl permit ip 192.168.174.0 255.255.255.0 192.168.173.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.174.0 255.255.255.0 192.168.171.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.174.0 255.255.255.0 192.168.172.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.174.0 255.255.255.0 192.168.175.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.174.0 255.255.255.0 192.168.178.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.174.0 255.255.255.0 192.168.176.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.174.0 255.255.255.0 192.168.170.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.174.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.174.0 255.255.255.0 172.26.173.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.26.173.0 255.255.255.0 192.168.174.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.174.0 255.255.255.0 host 68.82.25.69
access-list inside_outbound_nat0_acl permit ip 192.168.174.0 255.255.255.0 192.168.177.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.174.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.174.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list CathySells_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list PaoliMRI_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list 1201Peds_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list CPCHealthways_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list NPS_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list CMSA_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list IGSA_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list CPCCallowhill_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list mbms12 permit ip 192.168.174.0 255.255.255.0 192.168.173.0 255.255.255.0
access-list north permit ip 192.168.174.0 255.255.255.0 192.168.171.0 255.255.255.0
access-list hunt permit ip 192.168.174.0 255.255.255.0 192.168.175.0 255.255.255.0
access-list state permit ip 192.168.174.0 255.255.255.0 192.168.178.0 255.255.255.0
access-list somerset permit ip 192.168.174.0 255.255.255.0 192.168.176.0 255.255.255.0
access-list mbms25 permit ip 192.168.174.0 255.255.255.0 192.168.172.0 255.255.255.0
access-list reading permit ip 192.168.174.0 255.255.255.0 192.168.170.0 255.255.255.0
access-list TestGroup_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list CCI_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list goldberg_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list NMI_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list CPCPeds_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list admin_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list beverly_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list berg_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list AIPC_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list Cumberland_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list india1 permit ip 192.168.174.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list PLDPS_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list outside_cryptomap_92 permit ip 172.26.173.0 255.255.255.0 192.168.174.0 255.255.255.0
access-list outside_cryptomap_92 permit ip 192.168.174.0 255.255.255.0 172.26.173.0 255.255.255.0
access-list NMI1_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list hahnemann_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list ALMAR_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list outside_cryptomap_70 permit ip 192.168.174.0 255.255.255.0 192.168.177.0 255.255.255.0
access-list anne_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list greg_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list mlhs_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list bdpc_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list nick_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list goldberg1_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
access-list NMI2_splitTunnelAcl permit ip 192.168.174.0 255.255.255.0 any
pager lines 24
logging on
logging console debugging
logging monitor debugging
logging buffered warnings
mtu outside 1500
mtu inside 1500
ip address outside 141.158.23.82 255.255.255.240
ip address inside 192.168.174.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.254.1-192.168.254.254
ip local pool ippool1 192.168.253.1-192.168.253.254
pdm location 68.82.171.84 255.255.255.255 inside
pdm location 68.82.171.84 255.255.255.255 outside
pdm location 192.168.173.0 255.255.255.0 inside
pdm location 192.168.174.0 255.255.255.0 outside
pdm location 192.168.173.0 255.255.255.0 outside
pdm location 192.168.172.0 255.255.255.0 outside
pdm location 192.168.171.0 255.255.255.0 outside
pdm location 192.168.175.0 255.255.255.0 outside
pdm location 192.168.176.0 255.255.255.0 outside
pdm location 192.168.177.0 255.255.255.0 outside
pdm location 192.168.178.0 255.255.255.0 outside
pdm location 192.168.179.0 255.255.255.0 outside
pdm location 64.32.254.226 255.255.255.255 outside
pdm location 192.168.170.0 255.255.255.0 inside
pdm location 192.168.170.0 255.255.255.0 outside
pdm location 10.1.1.0 255.255.255.0 outside
pdm location 160.109.75.40 255.255.255.255 outside
pdm location 172.26.173.130 255.255.255.255 outside
pdm location 172.26.173.0 255.255.255.0 outside
pdm location 172.26.173.0 255.255.255.0 inside
pdm location 141.158.23.82 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 192.168.177.0 255.255.255.255 outside
pdm location 146.145.151.163 255.255.255.255 outside
pdm location 192.168.174.201 255.255.255.255 outside
pdm location 192.168.174.112 255.255.255.255 inside
pdm location 68.82.25.69 255.255.255.255 outside
pdm location 192.168.174.21 255.255.255.255 inside
pdm location 171.68.225.212 255.255.255.255 outside
pdm location 200.9.49.66 255.255.255.255 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pcanywhere-data 192.168.174.21 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 192.168.174.21 5632 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8080 192.168.174.21 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.174.21 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1024 192.168.174.21 1024 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1025 192.168.174.21 1025 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1026 192.168.174.21 1026 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1027 192.168.174.21 1027 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1028 192.168.174.21 1028 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1029 192.168.174.21 1029 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1030 192.168.174.21 1030 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1031 192.168.174.21 1031 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1032 192.168.174.21 1032 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1033 192.168.174.21 1033 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1034 192.168.174.21 1034 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 141.158.23.81 1
timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 68.82.171.84 255.255.255.255 outside
http 64.32.254.226 255.255.255.255 outside
http 146.145.151.163 255.255.255.255 outside
http 192.168.174.112 255.255.255.255 inside
http 192.168.174.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 99 set transform-set myset
crypto map inside_map 10 ipsec-isakmp
crypto map inside_map 10 match address reading
crypto map inside_map 10 set peer 151.197.144.218
crypto map inside_map 10 set transform-set ESP-DES-MD5
crypto map inside_map 20 ipsec-isakmp
crypto map inside_map 20 match address mbms12
crypto map inside_map 20 set peer 141.158.13.130
crypto map inside_map 20 set transform-set ESP-DES-MD5
crypto map inside_map 30 ipsec-isakmp
crypto map inside_map 30 match address north
crypto map inside_map 30 set peer 141.150.187.98
crypto map inside_map 30 set transform-set ESP-DES-MD5
crypto map inside_map 40 ipsec-isakmp
crypto map inside_map 40 match address hunt
crypto map inside_map 40 set peer 207.68.100.26
crypto map inside_map 40 set transform-set ESP-DES-MD5
crypto map inside_map 50 ipsec-isakmp
crypto map inside_map 50 match address state
crypto map inside_map 50 set peer 207.68.100.34
crypto map inside_map 50 set transform-set ESP-DES-MD5
crypto map inside_map 60 ipsec-isakmp
crypto map inside_map 60 match address somerset
crypto map inside_map 60 set peer 207.68.98.242
crypto map inside_map 60 set transform-set ESP-DES-MD5
crypto map inside_map 70 ipsec-isakmp
crypto map inside_map 70 match address outside_cryptomap_70
crypto map inside_map 70 set peer 68.82.25.69
crypto map inside_map 70 set transform-set ESP-DES-MD5
crypto map inside_map 90 ipsec-isakmp
crypto map inside_map 90 match address mbms25
crypto map inside_map 90 set peer 151.197.99.170
crypto map inside_map 90 set transform-set ESP-DES-MD5
crypto map inside_map 91 ipsec-isakmp
crypto map inside_map 91 match address india1
crypto map inside_map 91 set peer 203.199.203.7
crypto map inside_map 91 set transform-set ESP-DES-MD5
crypto map inside_map 92 ipsec-isakmp
crypto map inside_map 92 match address outside_cryptomap_92
crypto map inside_map 92 set peer 63.96.193.4
crypto map inside_map 92 set transform-set ESP-DES-MD5
crypto map inside_map 99 ipsec-isakmp dynamic dynmap
crypto map inside_map interface outside
isakmp enable outside
isakmp key ******** address 203.199.203.7 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 141.158.23.82 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 141.158.13.130 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 151.197.99.170 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 141.150.187.98 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 151.197.144.218 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 207.68.100.26 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 207.68.100.34 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 207.68.98.242 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 68.82.25.69 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 63.96.193.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup TestGroup address-pool ippool
vpngroup TestGroup dns-server 151.197.0.38
vpngroup TestGroup split-tunnel TestGroup_splitTunnelAcl
vpngroup TestGroup idle-time 1800
vpngroup TestGroup password ********
vpngroup admin address-pool ippool
vpngroup admin split-tunnel admin_splitTunnelAcl
vpngroup admin idle-time 3600
vpngroup admin password ********
vpngroup beverly address-pool ippool
vpngroup beverly split-tunnel beverly_splitTunnelAcl
vpngroup beverly idle-time 3600
vpngroup beverly password ********
vpngroup berg address-pool ippool
vpngroup berg split-tunnel berg_splitTunnelAcl
vpngroup berg idle-time 3600
vpngroup berg password ********
vpngroup IGSA address-pool ippool
vpngroup IGSA split-tunnel IGSA_splitTunnelAcl
vpngroup IGSA idle-time 3600
vpngroup IGSA password ********
vpngroup goldberg address-pool ippool
vpngroup goldberg split-tunnel goldberg_splitTunnelAcl
vpngroup goldberg idle-time 3600
vpngroup goldberg password ********
vpngroup CMSA address-pool ippool
vpngroup CMSA split-tunnel CMSA_splitTunnelAcl
vpngroup CMSA idle-time 3600
vpngroup CMSA password ********
vpngroup NPS address-pool ippool
vpngroup NPS split-tunnel NPS_splitTunnelAcl
vpngroup NPS idle-time 3600
vpngroup NPS password ********
vpngroup CPCHealthways address-pool ippool
vpngroup CPCHealthways split-tunnel CPCHealthways_splitTunnelAcl
vpngroup CPCHealthways idle-time 3600
vpngroup CPCHealthways password ********
vpngroup 1201Peds address-pool ippool
vpngroup 1201Peds split-tunnel 1201Peds_splitTunnelAcl
vpngroup 1201Peds idle-time 3600
vpngroup 1201Peds password ********
vpngroup CPCPeds address-pool ippool
vpngroup CPCPeds split-tunnel CPCPeds_splitTunnelAcl
vpngroup CPCPeds idle-time 84600
vpngroup CPCPeds password ********
vpngroup PaoliMRI address-pool ippool
vpngroup PaoliMRI split-tunnel PaoliMRI_splitTunnelAcl
vpngroup PaoliMRI idle-time 3600
vpngroup PaoliMRI password ********
vpngroup CPCCallowhill address-pool ippool
vpngroup CPCCallowhill split-tunnel CPCCallowhill_splitTunnelAcl
vpngroup CPCCallowhill idle-time 3600
vpngroup CPCCallowhill password ********
vpngroup CathySells address-pool ippool
vpngroup CathySells split-tunnel CathySells_splitTunnelAcl
vpngroup CathySells idle-time 3600
vpngroup CathySells password ********
vpngroup NMI address-pool ippool
vpngroup NMI split-tunnel NMI_splitTunnelAcl
vpngroup NMI idle-time 3600
vpngroup NMI password ********
vpngroup AIPC address-pool ippool
vpngroup AIPC split-tunnel AIPC_splitTunnelAcl
vpngroup AIPC idle-time 3600
vpngroup AIPC password ********
vpngroup CCI address-pool ippool
vpngroup CCI split-tunnel CCI_splitTunnelAcl
vpngroup CCI idle-time 1800
vpngroup CCI password ********
vpngroup Cumberland address-pool ippool
vpngroup Cumberland split-tunnel Cumberland_splitTunnelAcl
vpngroup Cumberland idle-time 1800
vpngroup Cumberland password ********
vpngroup PLDPS address-pool ippool
vpngroup PLDPS split-tunnel PLDPS_splitTunnelAcl
vpngroup PLDPS idle-time 1800
vpngroup PLDPS password ********
vpngroup NMI1 address-pool ippool
vpngroup NMI1 split-tunnel NMI1_splitTunnelAcl
vpngroup NMI1 idle-time 84600
vpngroup NMI1 password ********
vpngroup ALMAR address-pool ippool
vpngroup ALMAR split-tunnel ALMAR_splitTunnelAcl
vpngroup ALMAR idle-time 1800
vpngroup ALMAR password ********
vpngroup hahnemann address-pool ippool
vpngroup hahnemann idle-time 1800
vpngroup hahnemann password ********
vpngroup dpc address-pool ippool
vpngroup dpc idle-time 1800
vpngroup dpc password ********
vpngroup greg address-pool ippool
vpngroup greg split-tunnel greg_splitTunnelAcl
vpngroup greg idle-time 1800
vpngroup greg password ********
vpngroup mlhs address-pool ippool
vpngroup mlhs split-tunnel mlhs_splitTunnelAcl
vpngroup mlhs idle-time 1800
vpngroup mlhs password ********
vpngroup anne address-pool ippool
vpngroup anne split-tunnel anne_splitTunnelAcl
vpngroup anne idle-time 1800
vpngroup anne password ********
vpngroup bdpc address-pool ippool
vpngroup bdpc split-tunnel bdpc_splitTunnelAcl
vpngroup bdpc idle-time 1800
vpngroup bdpc password ********
vpngroup goldberg1 address-pool ippool
vpngroup goldberg1 split-tunnel goldberg1_splitTunnelAcl
vpngroup goldberg1 idle-time 3600
vpngroup goldberg1 password ********
vpngroup nick address-pool ippool
vpngroup nick split-tunnel nick_splitTunnelAcl
vpngroup nick idle-time 1800
vpngroup nick password ********
vpngroup NMI2 address-pool ippool
vpngroup NMI2 split-tunnel NMI2_splitTunnelAcl
vpngroup NMI2 idle-time 3600
vpngroup NMI2 password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 171.68.225.212 255.255.255.255 outside
ssh 200.9.49.66 255.255.255.255 outside
ssh timeout 60
management-access inside
console timeout 0
dhcpd address 192.168.174.102-192.168.174.220 inside
dhcpd dns 192.168.173.80 151.197.0.38
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:ec698d22d21450eea8012c2af116b7fe
: end
[OK]

0
 
LVL 2

Author Comment

by:NickGT20
ID: 12773690
small config for you :-)
0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 2000 total points
ID: 12776118
Firstly, the enable password hashes are reversible - please change these ASAP as they're now on a public forum!

3DES / SHA would also be a more secure choice.

Also, move to the latest version of PIX, 6.3(3); it's far more stable.

What I said about the seconds and bytes is not the case with your config - you have expiry of 86400 seconds set, so the bytes default will not be invoked.

Apart from this, the config looks fine.  I would look toward the client end to solve this - it could possibly be whatever this particular client is sat behind that is causing the problems.

The MTU issue I mentioned before is quite a likely culprit - please follow these instructions on the client PC.

http://www.dslreports.com/faq/695

If the client can try via a dial-up connection instead of a DSL connection, this will help eliminate client or ISP issues, and will hopefully point the finger at a dodgy DSL router config...

Is the client network wireless?  Could it be that the wireless connection is dropping and taking the VPN connection down with it?
0
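The review above raises three things worth checking mechanically in any PIX config before it is posted or pushed: credential hashes that should be redacted and rotated, DES/MD5 transform sets where 3DES/SHA would be the stronger choice, and whether the ISAKMP policies carry a time-based lifetime (Tim's reason for ruling out byte-based expiry). This is an added example, not code from the thread; it parses a constructed excerpt written in the same form as the posted config, with the hashes replaced by a placeholder.

```python
"""Audit a PIX 6.3 running-config for the points raised in this thread:
secrets to redact before posting, DES/MD5 transform sets, and whether each
ISAKMP policy rekeys on a time-based lifetime. Added example, not from the page."""
import re

# Constructed excerpt in the same form as the posted config; the real
# hashes are replaced with a placeholder, keys are masked as PIX prints them.
SAMPLE_CONFIG = """\
PIX Version 6.3(1)
enable password PLACEHOLDERHASH encrypted
passwd PLACEHOLDERHASH encrypted
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp key ******** address 203.199.203.7 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup TestGroup idle-time 1800
vpngroup TestGroup password ********
"""

# Algorithms Tim suggests replacing (DES and MD5); PIX 6.3 also offers
# esp-3des / esp-sha-hmac and "encryption 3des" / "hash sha" for ISAKMP.
WEAK_ALGS = {"esp-des", "esp-md5-hmac", "des", "md5"}
MASK = "********"


def audit(config: str) -> dict:
    """Return findings by category; every value is taken from the config text."""
    secrets, weak_transforms, policies = [], [], {}
    for raw in config.splitlines():
        line = raw.strip()
        # 1. Credentials: PIX masks isakmp/vpngroup keys on display but prints
        #    the enable/login hashes, which Tim says to rotate once posted.
        if re.match(r"(enable password|passwd) \S+ encrypted$", line):
            secrets.append(line)
        m = re.match(r"(isakmp key|vpngroup \S+ password) (\S+)", line)
        if m and m.group(2) != MASK:
            secrets.append(line)
        # 2. IPsec transform sets that still use DES or MD5
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            weak = sorted(set(m.group(2).split()) & WEAK_ALGS)
            if weak:
                weak_transforms.append((m.group(1), weak))
        # 3. ISAKMP policy attributes, collected per policy number
        m = re.match(r"isakmp policy (\d+) (encryption|hash|lifetime) (\S+)$", line)
        if m:
            num, attr, val = m.groups()
            policies.setdefault(num, {})[attr] = val
    return {"secrets": secrets, "weak_transforms": weak_transforms,
            "policies": policies}


def policy_notes(policies: dict) -> dict:
    """Per policy: which of encryption/hash are weak, and whether a lifetime in
    seconds is configured (the condition Tim reads from the posted config)."""
    notes = {}
    for num, attrs in policies.items():
        weak = sorted(a for a in ("encryption", "hash") if attrs.get(a) in WEAK_ALGS)
        notes[num] = {
            "weak": weak,
            "time_based_lifetime": "lifetime" in attrs,
            "lifetime_seconds": int(attrs["lifetime"]) if "lifetime" in attrs else None,
        }
    return notes


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for category, items in result.items():
        print(category, items)
    print(policy_notes(result["policies"]))
```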
 
LVL 2

Author Comment

by:NickGT20
ID: 12776188
They are not wireless.  The enable password was already changed; that is an older config.  Same settings, but the passwords have been changed.  What do you make of the TTL expiring in transit with a different return address, though?  I'm going to check the MTU right now, but it's strange that the TTL would expire if the expiry is set so high and the IP is still on the same class B network as the PIX and the client, both T-1 users not far from each other physically.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12777608
TTL expiring in transit with a different return address suggests asymmetric routing, i.e. traffic coming back a different way from which it was sent....
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12777640
..or even a routing loop along the way.
Something fishy going on, probably at the ISP level....
Can the client PING the PIX without the VPN client connected?  A TRACEROUTE would also be useful.
A TTL expiring means that too many routers have been crossed; for example, if you set the TTL for a packet to 10 and it has to pass through 11 routers to get to its destination, then the TTL will expire.
0
 
LVL 2

Author Comment

by:NickGT20
ID: 12787235
Changing the group's MTU on the PIX solved the problem.  I also put in a very large maximum timeout for the group, even though I know it's not usually a setting that is used.  Thank you Tim and everybody else who helped.
0
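The fix above confirms Tim's MTU diagnosis: ESP adds headers to every packet, so a 1500-byte inner packet no longer fits the path and gets fragmented or silently dropped, which is why bulk traffic (the terminal session) kills the tunnel while small pings survive. The dslreports FAQ describes finding the path MTU by hand with Don't-Fragment pings; the script below automates that search. Added example, not from the thread; it assumes a Linux (iputils) or Windows `ping` binary for live use and otherwise runs offline against a simulated path.

```python
"""Path MTU discovery with Don't-Fragment pings, the check behind the MTU
advice in this thread. Added example; the live probe assumes Linux iputils
or Windows ping, the simulated probe needs no network."""
import platform
import subprocess
from typing import Callable

IP_ICMP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP echo header
ETHERNET_MAX_PAYLOAD = 1500 - IP_ICMP_OVERHEAD   # 1472: largest payload on a 1500 MTU


def ping_df(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one ICMP echo of `payload` bytes with DF set; True if a reply came back."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload),
               "-w", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
               "-s", str(payload), host]
    try:
        return subprocess.run(cmd, capture_output=True,
                              timeout=timeout_s + 3).returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def max_payload(probe: Callable[[int], bool], lo: int = 0,
                hi: int = ETHERNET_MAX_PAYLOAD) -> int:
    """Binary-search the largest payload in [lo, hi] that `probe` accepts.
    Returns -1 when even `lo` fails (host unreachable or ICMP filtered)."""
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid fits: answer is mid or larger
        else:
            hi = mid - 1      # mid was fragmented/dropped: answer is smaller
    return lo


def path_mtu(host: str) -> int:
    """Largest IP packet that crosses the path to `host` unfragmented, or -1."""
    payload = max_payload(lambda n: ping_df(host, n))
    return -1 if payload < 0 else payload + IP_ICMP_OVERHEAD


def simulated_probe(path_mtu_bytes: int) -> Callable[[int], bool]:
    """Stand-in for ping_df: a path with the given MTU accepts any payload
    whose full packet size is at or under that MTU. For offline demonstration."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= path_mtu_bytes


if __name__ == "__main__":
    # Offline run against a constructed path whose MTU is 1400 bytes.
    found = max_payload(simulated_probe(1400))
    print("largest unfragmented payload:", found,
          "=> path MTU", found + IP_ICMP_OVERHEAD)
    # Live use from a VPN client, e.g. against the PIX inside address:
    # print(path_mtu("192.168.174.1"))
```

Run it first without the VPN up to get the raw path MTU, then through the tunnel to see how much the ESP encapsulation takes off; the client or group MTU should sit at or below the second figure.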
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12791743
Out of interest, what configuration changes did you make?  Could you post up the lines you changed for future reference?

Cheers,

Tim
0