Solved

IPSec tunnel goes down intermittently: PIX 515E to 3Com 858

Posted on 2006-11-27
Last Modified: 2013-11-16
Home office has a PIX 515E with 2 branch offices using a 3Com OfficeConnect 3CR858. The connection will get dropped randomly. It is not due to having two separate branch routers, as I have shut one down completely and the other still was having the issue with the tunnel dropping.

Here is the config from the PIX 515E:
Compromisable data has been replaced with the following descriptors:
MAINIP.0.0
Branch1
Branch2
BRANCH1ExternalIP
BRANCH2ExternalIP
PreSharedKey

sh run

access-list nonat permit ip MainIP.0.0 255.255.0.0 BRANCH2 255.255.255.0
access-list nonat permit ip MainIP.0.0 255.255.0.0 BRANCH1 255.255.255.0
access-list outside_cryptomap_20 permit ip MainIP.0.0 255.255.0.0 BRANCH2 255.255.255.0
access-list outside_cryptomap_30 permit ip MainIP.0.0 255.255.0.0 BRANCH1 255.255.255.0

floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set AES-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
crypto dynamic-map DYNA 10 set transform-set AES-MD5
crypto map TP_Map 20 ipsec-isakmp
crypto map TP_Map 20 match address outside_cryptomap_20
crypto map TP_Map 20 set pfs group2
crypto map TP_Map 20 set peer BRANCH2ExternalIP
crypto map TP_Map 20 set transform-set ESP-3DES-MD5
crypto map TP_Map 30 ipsec-isakmp
crypto map TP_Map 30 match address outside_cryptomap_30
crypto map TP_Map 30 set pfs group2
crypto map TP_Map 30 set peer BRANCH1ExternalIP
crypto map TP_Map 30 set transform-set ESP-3DES-MD5
crypto map TP_Map PreSharedKey ipsec-isakmp dynamic DYNA
crypto map TP_Map client authentication Radius-Server
crypto map TP_Map interface outside
isakmp enable outside
isakmp key ******** address BRANCH1ExternalIP netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address BRANCH2ExternalIP netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp client configuration address-pool local vpnpool1 outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400

: end



The branch office 3com routers have the following settings (which match the 515E exactly):

Remote Secure Group:
IP: MainOffice.0.0
SM: 255.255.0.0

Local Secure Group
IP: X.X.X.0
SM: 255.255.255.0

Phase 1 IKE:
Oakley-Pre-3DES-MD5-1024

Phase 2 IKE:
MD5
3DES
Key Lifetime: 86400
PFS enabled
DH Group 2
IKE Keep Alive enabled


Question by:swgregg

33 Comments
LVL 12

Expert Comment

by:Freya28
Your timeouts seem to be OK. If it is intermittent, then I would check with your ISPs. What type of internet connections do you have?
 
LVL 9

Expert Comment

by:rshooper76
Make sure your ISP is not shutting down your circuit when it is not active. Also, check with 3Com and see if they have any known issues with their devices dropping the circuit or tunnel. I've used all Cisco devices on my tunnels and only had problems when the ISP would mess with stuff.
 

Author Comment

by:swgregg
@Freya28

The branch offices are running on 1.5-3.0 Mbps DSL lines, from two different ISPs. The main office has a bonded T.
 

Author Comment

by:swgregg
The reliability of this tunnel is imperative as we are using it to push out VOIP phones to the branch offices.
 
LVL 12

Expert Comment

by:Freya28
It could be the lines. Run a constant ping from one network to another for a day or 2 and see if you still get drops. That would rule out any timeout issues and might point you to the ISPs being the issue. Or it could be the bonded T config.
 

Author Comment

by:swgregg
@Freya28

I have run pings to the default gateway and the static IP addresses of the branch offices. I get "request timed out" every so often, but it does not correlate w/ the tunnel going down.

How delicate/fragile are these tunnels? How long of a timeout will cause them to drop?

@rshooper76

Do ISPs do that? Shut down circuits when they are inactive?
 
LVL 9

Expert Comment

by:rshooper76
DSL is not usually considered mission critical and cannot be relied upon for that purpose. That being said, I've used DSL at branch locations and have not had too many problems, but remember the ISP usually does not consider it mission critical. If you can deal with the potential reliability problems of DSL then use it, otherwise reconsider. If you need to run mission critical apps you need a T1 or something else that the ISP will consider mission critical.

You might also be able to make a change in the settings of your DSL modem to keep the connection alive.
 
LVL 9

Expert Comment

by:rshooper76
I have seen DSL circuits have problems, and yes, some ISPs do cut your circuit off until they see traffic again. That is not common anymore; what is more common is the connection just dying out on you. Talk to the ISPs and see what they say.
 
LVL 4

Expert Comment

by:pakitloss
I have many times seen ISPs sell circuits that are too far from the CO, and this causes too much noise on the line. If this is business class DSL then you may have an SLA with your ISP. Go to this link to check speed and line condition: http://speedtest.umflint.edu You also say that the other side has a bonded line. Make sure they do not have any problems with one of them that may be causing drops or retransmits, but I doubt it is on the other side. So do you have any problem with the line with the VPNs down? Could be something as simple as a bad cable, duplex mismatch, etc. Like most people have already said, you need to first verify the reliability of the home line, as you have seemingly ruled out the branch offices by dropping each tunnel. Does the line go down when you download a big file with both tunnels down? Rule out the wire first and then start up the stack.
 

Author Comment

by:swgregg
I had one of the ISPs check the line. They verified its integrity over the past 8 hours, in which I've had the tunnel go down a few times. I also had him perform a "Rip & Rebuild", which basically flushes the circuit's configuration out of their "system" and puts it back in.

While he was doing this, the line went down for about 10 seconds, then came back up and the tunnel reconnected instantaneously. So even when the line is forced down and comes back up, the tunnel can stay.

This edges me away from an issue w/ the line or the ISP.

If the line is not what is causing the errors, that cuts it down to hardware and configuration. The routers are new and the PIX 515E is about 8 months old. I haven't found anything in the 3Com knowledge base about the OS of the router having trouble maintaining a tunnel.

Is there a way to configure the tunnel so that it is more resilient, i.e. different timeouts/less strict encryption?
 
LVL 12

Accepted Solution

by:Freya28 (earned 250 total points)
The only thing that I can see is that where you have

crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000

change all of these values to 86400.
 
LVL 12

Expert Comment

by:Freya28
The 3600 is definitely too low.
 

Author Comment

by:swgregg
@Freya28

Good catch, I didn't see that in the config. I can't seem to find that in the GUI, so I have updated the setting through the console to 86400. Since I've changed it (4 hours ago), we have not had an outage on either tunnel.

I will sit on this as long as it does not go down in the next 48 hours. If we're good by then, Freya, you'll get the 500.
 
LVL 12

Expert Comment

by:Freya28
Thanks. Glad to be of help.
 

Author Comment

by:swgregg
Both sites went down about 1 minute apart and stayed down. Here is the log from the 3Com, the same on each router:

Sequentially, the log starts at the bottom and logs upward, so "Something wrong!!!" is the last entry.

2006.11.28 18:05:17 [IKE] Something wrong!!!
2006.11.28 18:05:17 [IKE]                 : 86400
2006.11.28 18:05:17 [IKE]             OAKLEY_LIFE_SECONDS
2006.11.28 18:05:17 [IKE]             OAKLEY_PRESHARED_KEY
2006.11.28 18:05:17 [IKE]             OAKLEY_GROUP_MODP1024
2006.11.28 18:05:17 [IKE]             OAKLEY_MD5
2006.11.28 18:05:17 [IKE]             OAKLEY_3DES_CBC
2006.11.28 18:05:17 [IKE]         ->KEY_IKE(trans #2)
2006.11.28 18:05:17 [IKE]             OAKLEY_AES_CBC
2006.11.28 18:05:17 [IKE]         ->KEY_IKE(trans #1)
2006.11.28 18:05:17 [IKE]       => parse PROTO_ISAKMP(proposal #1) payload
2006.11.28 18:05:17 [IKE MM] Main mode, we are responder.
2006.11.28 18:05:17 [IKE]   + Check in packet and/or construct out packet!
2006.11.28 18:05:17 [IKE]     PAYLOAD_VID
2006.11.28 18:05:17 [IKE]     PAYLOAD_VID
2006.11.28 18:05:17 [IKE]     PAYLOAD_SA
2006.11.28 18:05:17 [IKE]   + Payloads in XCHG_TYPE_ID_PROTECT:
2006.11.28 18:05:17 [IKE]   - exchange type: ID Protection(main mode)
2006.11.28 18:05:17 [IKE] - Received 164 bytes from MainOfficeIPExternal:500.
 
LVL 12

Expert Comment

by:Freya28
Either run a debug on the PIX side:

debug crypto ipsec
debug crypto isakmp

You could also generate syslogs and get a more definitive point of failure.

I use all Cisco equipment. I never liked the 3Coms, especially for VPNs. Look on the 3Com's side too for the isakmp and ipsec settings, and all timeouts.

Author Comment

by:swgregg
Here are the debug reports from the main office PIX 515 that occur when CONNECTING both tunnels one after another.

OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 730150823

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      group is 2
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= MainOfficeExternalIP, src= Branch1ExternalIP,
    dest_proxy= MainOfficInternalIP.0.0/255.255.0.0/0/0 (type=4),
    src_proxy= TALLAHASSEE/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24

ISAKMP (0): processing NONCE payload. message ID = 730150823

ISAKMP (0): processing KE payload. message ID = 730150823

ISAKMP (0): processing ID payload. message ID = 730150823
ISAKMP (0): ID_IPV4_ADDR_SUBNET src TALLAHASSEE/255.255.255.0 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 730150823
ISAKMP (0): ID_IPV4_ADDR_SUBNET dst MainOfficInternalIP.0.0/255.255.0.0 prot 0 port 0IPSEC(key_engine): got a queue e
vent...
IPSEC(spi_response): getting spi 0xeba1ed35(3953257781) for SA
        from   Branch1ExternalIP to   MainOfficeExternalIP for prot 3

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:Branch1ExternalIP, dest:MainOfficeExternalIP spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
        inbound SA from   Branch1ExternalIP to   MainOfficeExternalIP (proxy     TALLAHASSEE to         MainOfficInternalIP.0.0)
        has spi 3953257781 and conn_id 8 and flags 25
        lifetime of 86400 seconds
        outbound SA from   MainOfficeExternalIP to   Branch1ExternalIP (proxy         MainOfficInternalIP.0.0 to     TALLAHASSEE
)
        has spi 3962806565 and conn_id 7 and flags 25
        lifetime of 86400 secondsIPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= MainOfficeExternalIP, src= Branch1ExternalIP,
    dest_proxy= MainOfficInternalIP.0.0/255.255.0.0/0/0 (type=4),
    src_proxy= TALLAHASSEE/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 86400s and 0kb,
    spi= 0xeba1ed35(3953257781), conn_id= 8, keysize= 0, flags= 0x25
IPSEC(initialize_sas): ,
  (key eng. msg.) src= MainOfficeExternalIP, dest= Branch1ExternalIP,
    src_proxy= MainOfficInternalIP.0.0/255.255.0.0/0/0 (type=4),
    dest_proxy= TALLAHASSEE/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 86400s and 0kb,
    spi= 0xec33a125(3962806565), conn_id= 7, keysize= 0, flags= 0x25

VPN Peer: IPSEC: Peer ip:Branch1ExternalIP/500 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:Branch1ExternalIP/500 Ref cnt incremented to:3 Total VPN Peers:1
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (4)...IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= MainOfficeExternalIP, remote= Branch2ExternalIP,
    local_proxy= MainOfficInternalIP.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= El_Segundo/255.255.255.0/0/0 (type=4)

ISAKMP (0): deleting SA: src MainOfficeExternalIP, dst Branch2ExternalIP
ISADB: reaper checking SA 0x3cb4714, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for Branch2ExternalIP/500 not found - peers:1

ISADB: reaper checking SA 0x3c0e4a4, conn_id = 0
crypto_isakmp_process_block:src:Branch2ExternalIP, dest:MainOfficeExternalIP spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 28800
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 28800
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:Branch2ExternalIP, dest:MainOfficeExternalIP spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:Branch2ExternalIP, dest:MainOfficeExternalIP spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP: Created a peer struct for Branch2ExternalIP, peer port 62465
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:Branch2ExternalIP/500 Total VPN Peers:2
VPN Peer: ISAKMP: Peer ip:Branch2ExternalIP/500 Ref cnt incremented to:1 Total VPN Peers:2
crypto_isakmp_process_block:src:Branch2ExternalIP, dest:MainOfficeExternalIP spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1753423684

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      group is 2
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= MainOfficeExternalIP, src= Branch2ExternalIP,
    dest_proxy= MainOfficInternalIP.0.0/255.255.0.0/0/0 (type=4),
    src_proxy= El_Segundo/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24

ISAKMP (0): processing NONCE payload. message ID = 1753423684

ISAKMP (0): processing KE payload. message ID = 1753423684

ISAKMP (0): processing ID payload. message ID = 1753423684
ISAKMP (0): ID_IPV4_ADDR_SUBNET src El_Segundo/255.255.255.0 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 1753423684
ISAKMP (0): ID_IPV4_ADDR_SUBNET dst MainOfficInternalIP.0.0/255.255.0.0 prot 0 port 0IPSEC(key_engine): got a queue e
vent...
IPSEC(spi_response): getting spi 0xcbec76b8(3421271736) for SA
        from   Branch2ExternalIP to   MainOfficeExternalIP for prot 3

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:Branch2ExternalIP, dest:MainOfficeExternalIP spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
        inbound SA from   Branch2ExternalIP to   MainOfficeExternalIP (proxy      El_Segundo to         MainOfficInternalIP.0.0)
        has spi 3421271736 and conn_id 6 and flags 25
        lifetime of 86400 seconds
        outbound SA from   MainOfficeExternalIP to   Branch2ExternalIP (proxy         MainOfficInternalIP.0.0 to      El_Segundo
)
        has spi 26935612 and conn_id 5 and flags 25
        lifetime of 86400 secondsIPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= MainOfficeExternalIP, src= Branch2ExternalIP,
    dest_proxy= MainOfficInternalIP.0.0/255.255.0.0/0/0 (type=4),
    src_proxy= El_Segundo/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 86400s and 0kb,
    spi= 0xcbec76b8(3421271736), conn_id= 6, keysize= 0, flags= 0x25
IPSEC(initialize_sas): ,
  (key eng. msg.) src= MainOfficeExternalIP, dest= Branch2ExternalIP,
    src_proxy= MainOfficInternalIP.0.0/255.255.0.0/0/0 (type=4),
    dest_proxy= El_Segundo/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 86400s and 0kb,
    spi= 0x19b013c(26935612), conn_id= 5, keysize= 0, flags= 0x25

VPN Peer: IPSEC: Peer ip:Branch2ExternalIP/500 Ref cnt incremented to:2 Total VPN Peers:2
VPN Peer: IPSEC: Peer ip:Branch2ExternalIP/500 Ref cnt incremented to:3 Total VPN Peers:2
return status is IKMP_NO_ERROR
 
LVL 12

Expert Comment

by:Freya28
SAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 28800
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload


This is still telling me that a timeout is still set to 28800.
 

Author Comment

by:swgregg
Yeah, I had to recreate the policies using the GUI and it set the timeout to the default. I have updated it.

Is there anything else in there that looks weird?
 
LVL 4

Expert Comment

by:pakitloss
swgregg,

On the PIX, from conf t mode, type

clear crypto isakmp sa
clear crypto ipsec sa

This will clear the associations. Then look at the debug.
 
LVL 4

Expert Comment

by:pakitloss
BTW, type an extended ping to bring the tunnels up. The debugs will start right away.
 

Author Comment

by:swgregg
Currently, the tunnels will stay up for about 8-10 hours. I have looked through a few forums regarding the 3Com router that I am using; apparently it uses software encryption rather than hardware encryption for its tunnels (our PIX 515 uses HW).

I am looking into getting a Cisco 851 router to get away from the Cisco->3Com compatibility issues as well as the software->hardware encryption difference.

Anyone familiar w/ the 851?
 

Author Comment

by:swgregg
To be more specific: every day, the tunnel will go down on both branches @ about 4:20-4:45pm and @ about 12:40-1:00am.
 
LVL 4

Expert Comment

by:pakitloss
swgregg,

Do you trend bandwidth at these sites? These times are a flag to me. Around lunch time and close to quitting time. Those are typically my highest times of traffic. If this is the case then saturating the lines could do it. Does your VoIP use QoS at all? This would give preference to VoIP traffic over all else depending on config. You also mention that these are DSL lines. Are they DSL or ADSL? If ADSL then upload bandwidth on them would be less than a meg. Probably @ 1/3 of download. This could cause the issues you are experiencing.
 

Author Comment

by:swgregg
By 12:40-1am I mean 12:40 in the morning to 1 in the morning. No heavy traffic whatsoever.

However, what this shows is that there is an 8 hour difference from when I start the tunnel to when it goes down.

8:30am ish, come into the office and start the tunnel, then 8 hours later @ 4:30-4:45 ish, it goes down = 8 hours up

4:45pm ish, I start the tunnel back up and it goes back down 8 hours later @ 12:45am ish = 8 hours up

All of my timeouts are set to 24 hours (86400 seconds); however, is it possible that this router can't handle that long of an SA? Also, when the SA expires, is it supposed to re-establish the tunnel after the timeout, or does it always require manually starting the tunnel?

When the tunnels go down, the 3Com routers show an "In Negotiating" status, as if they are waiting for the PIX to authenticate, so would it benefit me to have a lower timeout on the PIX than on the 3Com routers?
 
LVL 12

Expert Comment

by:Freya28
8 hours equates to 28800 seconds. Given that time limits are set in seconds, do you have ANY limits set to 28800?
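Freya28's arithmetic above (8 hours = 28800 seconds) and the "life duration (basic) of 28800" line in the PIX debug earlier in the thread are the kind of correlation that can be checked mechanically rather than by eye. The following Python script is an added example, not code from this thread or from Cisco or 3Com: it reads lines in the format of the "debug crypto isakmp" output quoted above (the sample lines below are constructed for the example), decodes the 4-byte "life duration (VPI)" value, flags every lifetime that differs from the intended 86400, and turns an observed bring-up/drop clock interval into seconds so it can be matched against the lifetimes found. The `EXPECTED_LIFETIME` constant, the 15-minute matching tolerance and all function names are assumptions of this example.

```python
import re

# Constructed sample lines, modelled on the PIX "debug crypto isakmp" output
# quoted earlier in this thread; they are not captured from a real device.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 28800
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP: transform 1, ESP_3DES
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80
        inbound SA from BRANCH_EXT to MAIN_EXT
        lifetime of 86400 seconds
"""

# The value both ends are meant to carry (assumption for this example, taken
# from the thread's "change all of these values to 86400").
EXPECTED_LIFETIME = 86400

RE_BASIC = re.compile(r"life duration \(basic\) of (\d+)")
RE_VPI = re.compile(r"life duration \(VPI\) of\s+((?:0x[0-9a-fA-F]+\s*)+)")
RE_SA = re.compile(r"lifetime of (\d+) seconds")


def decode_vpi(hex_bytes: str) -> int:
    """Decode a variable-length 'life duration (VPI)' attribute.

    The debug prints one hex byte per token, most significant first, so
    "0x0 0x1 0x51 0x80" is 0x00015180 = 86400 seconds.
    """
    raw = bytes(int(tok, 16) for tok in hex_bytes.split())
    return int.from_bytes(raw, "big")


def extract_lifetimes(debug_text: str) -> list:
    """Return (source, seconds) pairs for every lifetime visible in the debug."""
    found = []
    for line in debug_text.splitlines():
        m = RE_BASIC.search(line)
        if m:  # phase 1 transform offered to the policy check
            found.append(("isakmp-transform", int(m.group(1))))
            continue
        m = RE_VPI.search(line)
        if m:  # phase 2 proposal, encoded as raw bytes
            found.append(("ipsec-proposal", decode_vpi(m.group(1))))
            continue
        m = RE_SA.search(line)
        if m:  # lifetime of the SA actually installed
            found.append(("ipsec-sa", int(m.group(1))))
    return found


def find_mismatches(lifetimes, expected=EXPECTED_LIFETIME):
    """Lifetimes that differ from the intended value; each is a rekey point
    the two ends may not agree on."""
    return [(src, secs) for src, secs in lifetimes if secs != expected]


def observed_interval_seconds(up_hhmm: str, down_hhmm: str) -> int:
    """Seconds between bring-up and drop given wall-clock 'HH:MM' times; a drop
    after midnight (16:45 up, 00:45 down) wraps across the day boundary."""
    def to_secs(hhmm):
        h, m = hhmm.split(":")
        return int(h) * 3600 + int(m) * 60
    delta = to_secs(down_hhmm) - to_secs(up_hhmm)
    return delta if delta >= 0 else delta + 24 * 3600


def lifetimes_explaining_interval(interval, lifetimes, tolerance=900):
    """Lifetimes within `tolerance` seconds of the observed interval.

    A repeating drop interval that lines up with a lifetime points at a rekey
    that fails, rather than at the line."""
    return sorted({secs for _, secs in lifetimes if abs(secs - interval) <= tolerance})


if __name__ == "__main__":
    found = extract_lifetimes(SAMPLE_DEBUG)
    print("lifetimes seen:", found)
    print("not", EXPECTED_LIFETIME, ":", find_mismatches(found))
    # Constructed clock times following the pattern reported in the thread:
    # up around 08:30, down around 16:35; up 16:45, down 00:45.
    for up, down in (("08:30", "16:35"), ("16:45", "00:45")):
        gap = observed_interval_seconds(up, down)
        print(up, "->", down, "=", gap, "s; candidate lifetimes:",
              lifetimes_explaining_interval(gap, found))
```

Run against a real capture, the script answers the question Freya28 asks: whether any lifetime in play is 28800, regardless of which end offered it. The interval matcher deliberately tolerates a few minutes of slack, since the drop times in the thread are only known to within a quarter hour.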
 

Author Comment

by:swgregg
Nope, nothing is set to 28800; everything is set to 86400. My other question remains: does an IPSec VPN require that the tunnel be manually connected at the end of every timeout? Even if it did last 24 hours, would I have to log in every day and manually connect the tunnels? Is this normal for IPSec VPNs?
 
LVL 12

Expert Comment

by:Freya28
No, not at all. Even if it times out, the tunnel is not disconnected, at least for a static-to-static tunnel. But if a timeout occurs, the next ping or traffic, or any type of generated traffic for that matter, will make the tunnel active again.
 
LVL 4

Assisted Solution

by:pakitloss (earned 250 total points)
swgregg,

The tunnel should stay connected at all times. What you are experiencing is obviously not normal. I have a tunnel to New York that never goes down. The only time I have trouble with it is when there are bad line conditions. If there is interesting traffic to the PIX, the tunnel should come up and an asc. created right away. Do these tunnels have constant traffic through them? I really do not think the problems are timeout related as far as settings. One thing I don't see in your IKE on the PIX is "isakmp keepalive 30". Maybe try turning the keepalive off on the 3Coms and let the PIX take over. This will send a keepalive packet every 30 seconds.
 

Author Comment

by:swgregg
The IKE keepalive was enabled on both ends. I have just changed one of the branches so the 3Com does NOT have IKE keepalive on, whilst the PIX has a 30 second keepalive.

If both were enabled, would that cause it to go down and not come back?
 
LVL 4

Expert Comment

by:pakitloss
Not that I am aware of. I am just thinking that maybe the 3Coms might respond better if they think traffic is always flowing in their direction. It's worth a try... we're kind of running out of options. Your debugs look good. There is just one "peer not found" error. That leads me to believe that, like you suggested, the 3Coms are the issue. Maybe they think the SA is still alive and are not reaping it, but that could just be a connection that timed out. Do you have a method of capturing the logs by a syslog server? That way we can see what happens during an actual failure.
 

Author Comment

by:swgregg
We are attempting to use another router, a Cisco 851. Hoping this solves the issue. Splitting points with pakitloss and Freya as both their suggestions helped stabilize the tunnel.
 
LVL 4

Expert Comment

by:pakitloss
Thanks swgregg... glad to be able to help.
