Cisco VPN to PIX 515e

We have a VPN client to PIX 515e which is very slow when using low-bandwidth tools like RDP.

VoIP calls time out.  Ping to internal hosts is intermittent.

I have tried everything that I can think of:

1) mtu outside 1270 (tried many sizes between 1270 and 1500)
2) used article http://fengnet.com/book/VPNconf/ch12lev1sec6.html
3) changed MTU on Windows client to 1300 and 1270
4) changed MSS on PIX to 1270

Code is attached.

Please advise.
Building configuration...
Cryptochecksum: 8534c9b8 62370cf6 89149cb5 75337290 
[OK]
Revera-OAKMEAD-PIX515-01# show runn
: Saved
:
PIX Version 6.3(4)
interface ethernet0 10full
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password yIO37C.EikMd92oc encrypted
passwd yIO37C.EikMd92oc encrypted
hostname Revera-OAKMEAD-PIX515-01
domain-name revera.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat remark New Office Local LAN to Old Office
access-list nonat permit ip 10.100.64.0 255.255.240.0 10.100.60.0 255.255.254.0 
access-list nonat remark New Office Local LAN to VPN Pool
access-list nonat permit ip 10.100.64.0 255.255.240.0 10.100.80.0 255.255.254.0 
access-list nonat remark access-list nonat remark Requires "nat (inside) 0 access-list nonat" below
access-list Split_Tunnel_List remark Instruct VPN client to tunnel only this network
access-list Split_Tunnel_List permit ip 10.100.64.0 255.255.240.0 any 
access-list INBOUND permit ip 10.100.60.0 255.255.254.0 10.100.64.0 255.255.240.0 
access-list INBOUND permit ip 10.100.80.0 255.255.254.0 10.100.64.0 255.255.240.0 
access-list INBOUND permit tcp any host 209.172.118.211 eq pop3 
access-list INBOUND permit tcp any host 209.172.118.211 eq imap4 
access-list INBOUND permit tcp any host 209.172.118.211 eq www 
access-list INBOUND permit tcp any host 209.172.118.211 eq https 
access-list INBOUND permit tcp any host 209.172.118.211 eq smtp 
access-list INBOUND permit tcp any host 209.172.118.211 eq 993 
access-list INBOUND permit tcp any host 209.172.118.211 eq 995 
access-list INBOUND permit icmp any any echo 
access-list INBOUND permit icmp any any echo-reply 
access-list INBOUND permit icmp any any source-quench 
access-list INBOUND permit icmp any any unreachable 
access-list INBOUND permit icmp any any time-exceeded 
access-list TO_REVERA_KIFER permit ip 10.100.64.0 255.255.240.0 10.100.60.0 255.255.254.0 
pager lines 24
logging on
logging buffered debugging
mtu outside 1270
mtu inside 1500
mtu intf2 1500
ip address outside 209.172.118.210 255.255.255.248
ip address inside 10.100.64.1 255.255.240.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool remoteaccess 10.100.80.200-10.100.80.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.100.64.0 255.255.240.0 0 0
static (inside,outside) 209.172.118.211 10.100.64.87 netmask 255.255.255.255 0 0 
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 209.172.118.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
aaa-server partnerauth protocol radius 
aaa-server partnerauth max-failed-attempts 3 
aaa-server partnerauth deadtime 10 
aaa-server partnerauth (inside) host 10.100.64.70 Y7!a3p#Q timeout 5
aaa authentication ssh console LOCAL
snmp-server host inside 10.100.64.70 poll
snmp-server location Revera Santa Clara, CA
snmp-server contact Bruce Newcome
snmp-server community rev3090ro
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 1270
sysopt connection permit-ipsec
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set myset esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map dynmap 40 set transform-set myset
crypto dynamic-map dynmap 40 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map CRYPTO 65000 ipsec-isakmp dynamic dynmap
crypto map CRYPTO client authentication partnerauth LOCAL
crypto map CRYPTO interface outside
isakmp enable outside
isakmp key ******** address 64.95.100.7 netmask 255.255.255.255 no-xauth 
isakmp key ******** address 209.172.118.210 netmask 255.255.255.255 
isakmp key ******** address 207.47.36.26 netmask 255.255.255.255 no-xauth 
isakmp identity address
isakmp keepalive 10
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup vpn3000 address-pool remoteaccess
vpngroup vpn3000 dns-server 10.100.64.80
vpngroup vpn3000 wins-server 10.100.64.80
vpngroup vpn3000 default-domain revera.com
vpngroup vpn3000 split-tunnel Split_Tunnel_List
vpngroup vpn3000 idle-time 86400
vpngroup vpn3000 password ********
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.100.64.0 255.255.240.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.100.64.0 255.255.240.0 inside
ssh timeout 30
management-access inside
console timeout 0
username bschueler password S75N5nuc9sU/xHOQ encrypted privilege 2
username jhotchkiss password qyYsss8AItWI6stb encrypted privilege 15
username adeshpande password 5af0j96SEJuTqGIO encrypted privilege 2
username admin password AU/GEF7OfkiXd9Fn encrypted privilege 15
username dreed password Rxmk1U8nDa5CxSMY encrypted privilege 2
username user1 password tJsDL6po9m1UFs.h encrypted privilege 2
username bnewcome password Bs6y6Q03BlIQm2G9 encrypted privilege 2
username jfanton password BW3gZonLFl9RFBAj encrypted privilege 2
terminal width 80
Cryptochecksum:8534c9b862370cf689149cb575337290
: end


hotchkissj Asked:

MikeKane Commented:
First, the MTU on the PIX would usually remain at 1500 and let the edge routers specify the MTU and MSS for the connections.
Second, what bandwidth does this VPN client have available?   If it's a 56k DSL shared from a home with a family, there's probably not a lot left...
Third, do any other VPN clients have the same issue?

hotchkissj (Author) Commented:
Thanks for your reply and direction.

These are all DSL/Cable connected home users.

Yes, multiple users are having the same issues.

Also, Ethereal shows a lot of fragmentation between the VPN client and PIX.  Fragmentation appears to be the root issue.  How do I address this?

What do you make of the below recommendations?  They appear to run counter to your direction.

Can I adjust PMTU setting in PIX 6.x?

http://fengnet.com/book/VPNconf/ch12lev1sec6.html
http://www.cisco.com/en/US/products/ps612/products_configuration_example09186a008081e621.shtml

hotchkissj (Author) Commented:
Also, the connection is closing at a very predictable time.

Always 0:49, almost to the second 0:49:50.  See attached.

This is a timeout, even though I changed:

crypto ipsec security-association lifetime seconds 86400

isakmp policy 1 lifetime 86400

vpngroup vpn3000 idle-time 86400
VPN-timeout-message.doc
MikeKane Commented:
86400 translates to 24 hours, so the same time daily makes sense.    After 24 hours, you must re-key to keep the tunnel alive.

If you suspect that fragmentation is the issue, try this little utility: http://www.elifulkerson.com/projects/mturoute.php
It will find the maximum MTU between your PC and a remote host.    I use it all the time.

hotchkissj (Author) Commented:
Thanks for the mturoute utility.  I discovered the MTU from me to every host is 1300 including non-tunnel hosts.

What do I do with this info?

Make the change on the client side?  Cisco recommends on the router?

Thanks, Jason
MikeKane Commented:
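The measured 1300-byte path MTU and the transform set in the posted config (esp-3des esp-sha-hmac, tunnel mode) are enough to work out where the fragmentation comes from. The following calculator is an added example for this thread, not code from the original post, from Cisco, or from the mturoute tool: it computes the on-the-wire size of an ESP tunnel-mode packet using the standard IPv4, ESP, 3DES-CBC and HMAC-SHA1-96 field sizes, and derives the largest TCP MSS whose full-size segments still fit under a given path MTU after encryption. Whether the clients are behind NAT and therefore use NAT-Traversal (an extra 8-byte UDP header) is an assumption the code exposes as a flag; the 1270 and 1300 values are the ones already on the page.

```python
# Added example (not part of the original thread): ESP tunnel-mode overhead for
# the transform set "esp-3des esp-sha-hmac", used to find a TCP MSS that does
# not fragment after encryption on a path with a known MTU.

IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8          # only present when NAT-Traversal (UDP 4500) is in use
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
BLOCK_3DES = 8       # 3DES-CBC block size; the IV is one block as well
ICV_SHA1_96 = 12     # esp-sha-hmac truncates HMAC-SHA1 to 96 bits


def _fixed_overhead(nat_t: bool) -> int:
    """Bytes added outside the encrypted, padded payload."""
    return IPV4_HDR + ESP_HDR + BLOCK_3DES + ICV_SHA1_96 + (UDP_HDR if nat_t else 0)


def esp_packet_size(inner_len: int, nat_t: bool = False) -> int:
    """Outer IPv4 packet size after ESP tunnel-mode encapsulation of an
    inner packet of inner_len bytes (inner IP header included)."""
    # Inner packet plus ESP trailer is padded up to the cipher block size.
    padded = -(-(inner_len + ESP_TRAILER) // BLOCK_3DES) * BLOCK_3DES
    return _fixed_overhead(nat_t) + padded


def max_inner_len(path_mtu: int, nat_t: bool = False) -> int:
    """Largest inner packet whose encapsulated form still fits in path_mtu."""
    room = path_mtu - _fixed_overhead(nat_t)
    padded_room = room // BLOCK_3DES * BLOCK_3DES   # whole cipher blocks only
    return padded_room - ESP_TRAILER


def max_tcp_mss(path_mtu: int, nat_t: bool = False) -> int:
    """TCP MSS clamp that keeps encrypted full-size segments under path_mtu."""
    return max_inner_len(path_mtu, nat_t) - IPV4_HDR - TCP_HDR


def fragments(mss: int, path_mtu: int, nat_t: bool = False) -> bool:
    """True if a full-size segment under this MSS exceeds path_mtu once encrypted."""
    return esp_packet_size(mss + IPV4_HDR + TCP_HDR, nat_t) > path_mtu


if __name__ == "__main__":
    PATH_MTU = 1300   # value the thread measured with mturoute
    # 1460 is the default MSS for a 1500-byte LAN; 1270 is the PIX's tcpmss
    # clamp from the posted config; 1260 is what a 1300-byte client MTU gives.
    for mss in (1460, 1270, 1260, max_tcp_mss(PATH_MTU)):
        outer = esp_packet_size(mss + IPV4_HDR + TCP_HDR)
        verdict = "fragments" if fragments(mss, PATH_MTU) else "fits"
        print(f"MSS {mss:4d}: encrypted packet {outer} bytes -> {verdict}")
    print("largest safe MSS without NAT-T:", max_tcp_mss(PATH_MTU))
    print("largest safe MSS with NAT-T:   ", max_tcp_mss(PATH_MTU, nat_t=True))
```

Run as-is it shows that an MSS of 1270 produces a 1360-byte encrypted packet, and even the 1260 that a 1300-byte client MTU yields produces 1352 bytes, both above the 1300-byte path, while an MSS of 1206 (1198 with NAT-T) is the largest that fits. The `sysopt connection tcpmss` line already in the posted config is the PIX-side place to apply such a value. Separately, an outside interface MTU of 1270 is below the measured 1300-byte path, so the PIX itself has to fragment any encrypted packet larger than 1270 bytes regardless of the MSS clamp.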
I have always made the MTU and MSS adjustments on the router.   I don't recall ever doing this on the firewall, not that it would be incorrect, just different admins use different techniques.
hotchkissj (Author) Commented:
Mike,

Thanks for your comment.  In this case, the PIX is the client owned edge router and firewall.  The next upstream router is owned and operated by the ISP.

I am not sure if they would change it if requested.

Jason
hotchkissj (Author) Commented:
no solution