Converting from PPTP to IPsec on PIX to PIX causes timeouts and slow response

Ever since we converted to IPsec for our remote sites from PPTP, we experience timeouts where the user needs to relaunch the application and sign back in. Where would I check to see the cause of these timeouts? Also, remote users are complaining about very slow responses at times from one remote site, yet the T1 looks good and is only 50% utilized. This slowness started after converting to IPsec from PPTP. The slowness is while they are telnetted to an application at the main site. Is there a way to check the TCP window size, if that might help isolate the problem? Or what else should I look at for this 1 remote site?

The devices are PIX 501 and 506 (main site). The health / capacity of the PIX 506 is in question. What should I look for there that may indicate it's reaching capacity, dropping packets, or overworked?
murphymail Asked:
grblades Commented:
Check that the isakmp lifetime is set the same on both ends. If they are different the VPN may go down and there will be a delay while it is re-established.
 
magicomminc Commented:
Document from Cisco:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml
sh cpu usage and sh int are the main things I use.
Does the PIX only handle traffic through the T1 VPN tunnel, or is there something else also going through the PIX? Since your T1 is only at 50% usage, it's not likely that traffic level is the concern.
You mentioned Telnet, possibly a reverse DNS records problem?
 
murphymail (Author) Commented:
Elaborate on the reverse DNS issue. These remote sites thru their VPN telnet to an application located at another remote site off the main site. If reverse DNS is the problem, won't they never connect?
 
murphymail (Author) Commented:
I read that before an SA expires, it renegotiates a new one so that there is no disruption of data flow. So I don't think it's the SA lifetime that's causing the timeout. Although these 2 commands do show lifetime (are they referring to the same value?)

show crypto ipsec security-association lifetime
show crypto isakmp policy

If this is the case where do you set the idle-time for an IPsec tunnel to disconnect?
Question has a verified solution.
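
The lifetime check suggested in the thread can be scripted by saving the output of `show crypto isakmp policy` from each PIX and comparing the two. The following is an added example, not code from any poster: the sample output is constructed (not captured from a device) and assumes the usual "Protection suite of priority N" layout, and the function names are hypothetical.

```python
import re

# Constructed sample, laid out like "show crypto isakmp policy" output.
# Assumption: your PIX prints the same labels; adjust MATCH_KEYS if not.
MAIN_SITE = """\
Protection suite of priority 10
        encryption algorithm:   3DES - Triple DES (168 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
"""
REMOTE_SITE = MAIN_SITE.replace("86400", "28800")  # constructed mismatch

# Attributes that must agree before two policies can be paired at all.
MATCH_KEYS = ("encryption algorithm", "hash algorithm",
              "authentication method", "diffie-hellman group")

def parse_policies(text):
    """Return {priority: {attribute: value}} for each numbered policy."""
    policies, current = {}, None
    for line in text.splitlines():
        if "protection suite" in line.lower():
            m = re.search(r"priority (\d+)", line)
            # An unnumbered (default) suite is skipped, not merged.
            current = policies.setdefault(int(m.group(1)), {}) if m else None
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return policies

def lifetime_seconds(policy):
    m = re.match(r"(\d+)\s+seconds", policy.get("lifetime", ""))
    return int(m.group(1)) if m else None

def lifetime_mismatches(local_text, peer_text):
    """Pair policies whose other attributes agree; report differing lifetimes
    as (local priority, peer priority, local seconds, peer seconds)."""
    out = []
    for lp, la in sorted(parse_policies(local_text).items()):
        for pp, pa in sorted(parse_policies(peer_text).items()):
            paired = all(la.get(k) == pa.get(k) for k in MATCH_KEYS)
            if paired and lifetime_seconds(la) != lifetime_seconds(pa):
                out.append((lp, pp, lifetime_seconds(la), lifetime_seconds(pa)))
    return out

if __name__ == "__main__":
    for lp, pp, here, there in lifetime_mismatches(MAIN_SITE, REMOTE_SITE):
        print(f"main policy {lp} = {here}s, remote policy {pp} = {there}s")
```

Policies are paired by content rather than by priority number, since the priority is local to each device.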