Converting from PPTP to IPsec on PIX to PIX causes timeouts and slow response

Posted on 2005-04-28
Last Modified: 2010-08-05
Ever since we converted to IPsec for our remote sites from PPTP, we experience timeouts where the user needs to relaunch the application and sign back in. Where would I check to see the cause of these timeouts? Also, remote users are complaining about very slow responses at times from one remote site, yet the T1 looks good and is only 50% utilized. This slowness started after converting to IPsec from PPTP. The slowness is while they telnet to an application at the main site. Is there a way to check the TCP window size, if that might help isolate the problem? Or what else should I look at for this one remote site?

The devices are PIX 501 and 506 (main site). The health / capacity of the PIX 506 is in question. What should I look for there that may indicate it's reaching capacity, dropping packets, or overworked?
Question by:murphymail
    LVL 6

    Expert Comment

    Document from Cisco:
    sh cpu usage and sh int are the main things I use.
    Does the PIX only handle traffic through the T1 VPN tunnel, or is there something else also going through the PIX? Since your T1 is only at 50% usage, it's not likely that traffic level is the concern.
    You mentioned Telnet; possibly a reverse DNS records problem?

    Author Comment

    Elaborate on the reverse DNS issue. These remote sites, thru their VPN, telnet to an application located at another remote site off the main site. If reverse DNS is the problem, won't they never connect?
    LVL 36

    Accepted Solution

    Check that the isakmp lifetime is set the same on both ends. If they are different the VPN may go down and there will be a delay while it is re-established.

    Author Comment

    I read that before an SA expires, it renegotiates a new one so that there is no disruption of data flow. So I don't think it's the SA lifetime that's causing the timeout. Although these 2 commands do show lifetime (are they referring to the same value?)

    show crypto ipsec security-association lifetime
    show crypto isakmp policy

    If this is the case where do you set the idle-time for an IPsec tunnel to disconnect?
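
The lifetime check suggested in the accepted solution, as an added example that is not part of the original thread. The two show commands quoted above report different values: `show crypto isakmp policy` is the IKE (Phase 1) lifetime and `show crypto ipsec security-association lifetime` is the IPsec SA (Phase 2) lifetime, so the sketch compares both. The configurations are constructed samples in PIX 6.x command syntax, and only the global IPsec lifetime is parsed (per-crypto-map overrides are not handled).

```python
import re

# Constructed sample configs (PIX 6.x style), not taken from the thread.
MAIN_SITE = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 lifetime 86400
crypto ipsec security-association lifetime seconds 28800
"""
REMOTE_SITE = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 lifetime 1000
crypto ipsec security-association lifetime seconds 3600
"""

ISAKMP_RE = re.compile(r"^\s*isakmp policy (\d+) lifetime (\d+)\s*$", re.M)
IPSEC_RE = re.compile(
    r"^\s*crypto ipsec security-association lifetime seconds (\d+)\s*$", re.M)


def parse_lifetimes(config):
    """Return explicitly configured Phase 1 and Phase 2 lifetimes (seconds)."""
    phase1 = {int(p): int(s) for p, s in ISAKMP_RE.findall(config)}
    m = IPSEC_RE.search(config)
    return {"isakmp": phase1, "ipsec": int(m.group(1)) if m else None}


def compare_peers(cfg_a, cfg_b):
    """List lifetime differences between two peers; None = not set explicitly."""
    a, b = parse_lifetimes(cfg_a), parse_lifetimes(cfg_b)
    findings = []
    for prio in sorted(set(a["isakmp"]) | set(b["isakmp"])):
        la, lb = a["isakmp"].get(prio), b["isakmp"].get(prio)
        if la != lb:
            findings.append(("isakmp policy %d" % prio, la, lb))
    if a["ipsec"] != b["ipsec"]:
        findings.append(("ipsec sa", a["ipsec"], b["ipsec"]))
    return findings


if __name__ == "__main__":
    for item, main, remote in compare_peers(MAIN_SITE, REMOTE_SITE):
        print("%-18s main=%s remote=%s" % (item, main, remote))
```

A value of `None` means the lifetime is not set explicitly in that configuration, so the device default applies on that peer.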
