• Status: Solved
  • Priority: Medium
  • Security: Public

Converting from PPTP to IPsec on PIX to PIX causes timeouts and slow response

Ever since we converted to IPsec for our remote sites from PPTP, we experience timeouts where the user needs to relaunch the application and sign back in. Where would I check to see the cause of these timeouts? Also, remote users are complaining about very slow responses at times from one remote site, yet the T1 looks good and is only 50% utilized. This slowness started after converting to IPsec from PPTP. The slowness occurs while they are telnetted to an application at the main site. Is there a way to check the TCP window size, if that might help isolate the problem? Or what else should I look at for this one remote site?

The devices are PIX 501 and 506 (main site). The health / capacity of the PIX 506 is in question. What should I look for there that may indicate it's reaching capacity, dropping packets, or overworked?
Document from Cisco:
sh cpu usage and sh int are the main things I use.
Does the PIX only handle traffic through the T1 VPN tunnel, or is there something else also going through the PIX? Since your T1 is only at 50% usage, it's not likely that traffic level is the concern.
You mentioned Telnet; possibly a reverse DNS records problem?
murphymail (Author) commented:
Elaborate on the reverse DNS issue. These remote sites, through their VPN, telnet to an application located at another remote site off the main site. If reverse DNS is the problem, won't they never connect?
Check that the isakmp lifetime is set the same on both ends. If they are different, the VPN may go down and there will be a delay while it is re-established.
murphymail (Author) commented:
I read that before an SA expires, it renegotiates a new one so that there is no disruption of data flow. So I don't think it's the SA lifetime that's causing the timeout. Although these 2 commands do show lifetime (are they referring to the same value?)

show crypto ipsec security-association lifetime
show crypto isakmp policy

If this is the case where do you set the idle-time for an IPsec tunnel to disconnect?
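
The check suggested in the thread (confirming that the isakmp lifetime is set the same on both ends) can be done by comparing saved `show crypto isakmp policy` output from the two peers. This is an added example, not part of any post in the thread; the sample output is constructed, its layout is assumed to follow the usual listing for that command, and the function names are hypothetical.

```python
import re

# Constructed sample in the usual "show crypto isakmp policy" layout
# (assumed format; not output from the poster's PIX 501/506).
MAIN_SITE = """\
Protection suite priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
"""
# Constructed peer whose policy differs only in its lifetime.
REMOTE_SITE = MAIN_SITE.replace("86400 seconds", "3600 seconds")

SUITE_RE = re.compile(r"^Protection suite (?:of )?priority (\d+)", re.I)
FIELD_RE = re.compile(r"^\s+([^:]+):\s+(.*\S)\s*$")


def parse_policies(text):
    """Return {priority: {field: value}} for each numbered protection suite."""
    policies, current = {}, None
    for line in text.splitlines():
        suite = SUITE_RE.match(line)
        if suite:
            current = policies.setdefault(int(suite.group(1)), {})
        elif line and not line[0].isspace():
            current = None  # unnumbered block such as the default suite
        elif current is not None:
            field = FIELD_RE.match(line)
            if field:
                current[field.group(1).strip().lower()] = field.group(2)
    return policies


def compare_peers(a_text, b_text):
    """Return (priority, field, a_value, b_value) for every mismatch."""
    a, b = parse_policies(a_text), parse_policies(b_text)
    diffs = []
    for prio in sorted(set(a) | set(b)):
        pa, pb = a.get(prio, {}), b.get(prio, {})
        for field in sorted(set(pa) | set(pb)):
            if pa.get(field) != pb.get(field):
                diffs.append((prio, field, pa.get(field), pb.get(field)))
    return diffs


if __name__ == "__main__":
    for prio, field, a, b in compare_peers(MAIN_SITE, REMOTE_SITE):
        print(f"policy {prio}: {field}: main={a!r} remote={b!r}")
```

An empty result means every numbered policy matches field for field; a policy present on only one peer is reported with `None` on the other side.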
