Cisco VPN to PIX 515e

Posted on 2009-04-02
Last Modified: 2012-06-21
We have a VPN client to PIX 515e which is very slow when using low bandwidth tools like RDP.

VoIP calls timeout.  Ping to internal hosts is intermittent.

I have tried everything that I can think of:

1) mtu outside 1270 (tried many size between 1270 to 1500)
2) used article
3) change MTU on Windows client to 1300 and 1270
4) change MSS on PIX to 1270

Code is attached.

Please advise.
Building configuration...

Cryptochecksum: 8534c9b8 62370cf6 89149cb5 75337290

Revera-OAKMEAD-PIX515-01# show runn
: Saved

PIX Version 6.3(4)
interface ethernet0 10full
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password yIO37C.EikMd92oc encrypted
passwd yIO37C.EikMd92oc encrypted
hostname Revera-OAKMEAD-PIX515-01

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

access-list nonat remark New Office Local LAN to Old Office
access-list nonat permit ip 
access-list nonat remark New Office Local LAN to VPN Pool
access-list nonat permit ip 
access-list nonat remark access-list nonat remark Requires "nat (inside) 0 access-list nonat" below
access-list Split_Tunnel_List remark Instruct VPN client to tunnel only this network
access-list Split_Tunnel_List permit ip any 
access-list INBOUND permit ip 
access-list INBOUND permit ip 
access-list INBOUND permit tcp any host eq pop3 
access-list INBOUND permit tcp any host eq imap4 
access-list INBOUND permit tcp any host eq www 
access-list INBOUND permit tcp any host eq https 
access-list INBOUND permit tcp any host eq smtp 
access-list INBOUND permit tcp any host eq 993 
access-list INBOUND permit tcp any host eq 995 
access-list INBOUND permit icmp any any echo 
access-list INBOUND permit icmp any any echo-reply 
access-list INBOUND permit icmp any any source-quench 
access-list INBOUND permit icmp any any unreachable 
access-list INBOUND permit icmp any any time-exceeded 
access-list TO_REVERA_KIFER permit ip 
pager lines 24
logging on
logging buffered debugging
mtu outside 1270
mtu inside 1500
mtu intf2 1500
ip address outside
ip address inside
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool remoteaccess
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
static (inside,outside) netmask 0 0 
access-group INBOUND in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
aaa-server partnerauth protocol radius 
aaa-server partnerauth max-failed-attempts 3 
aaa-server partnerauth deadtime 10 
aaa-server partnerauth (inside) host Y7!a3p#Q timeout 5
aaa authentication ssh console LOCAL
snmp-server host inside poll
snmp-server location Revera Santa Clara, CA
snmp-server contact Bruce Newcome
snmp-server community rev3090ro
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 1270
sysopt connection permit-ipsec
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set myset esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map dynmap 40 set transform-set myset
crypto dynamic-map dynmap 40 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map CRYPTO 65000 ipsec-isakmp dynamic dynmap
crypto map CRYPTO client authentication partnerauth LOCAL
crypto map CRYPTO interface outside
isakmp enable outside
isakmp key ******** address netmask no-xauth 
isakmp key ******** address netmask 
isakmp key ******** address netmask no-xauth 
isakmp identity address
isakmp keepalive 10
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup vpn3000 address-pool remoteaccess
vpngroup vpn3000 dns-server
vpngroup vpn3000 wins-server
vpngroup vpn3000 default-domain
vpngroup vpn3000 split-tunnel Split_Tunnel_List
vpngroup vpn3000 idle-time 86400
vpngroup vpn3000 password ********
telnet outside
telnet inside
telnet timeout 5
ssh outside
ssh inside
ssh timeout 30
management-access inside
console timeout 0
username bschueler password S75N5nuc9sU/xHOQ encrypted privilege 2
username jhotchkiss password qyYsss8AItWI6stb encrypted privilege 15
username adeshpande password 5af0j96SEJuTqGIO encrypted privilege 2
username admin password AU/GEF7OfkiXd9Fn encrypted privilege 15
username dreed password Rxmk1U8nDa5CxSMY encrypted privilege 2
username user1 password tJsDL6po9m1UFs.h encrypted privilege 2
username bnewcome password Bs6y6Q03BlIQm2G9 encrypted privilege 2
username jfanton password BW3gZonLFl9RFBAj encrypted privilege 2
terminal width 80

: end


Question by:hotchkissj

Accepted Solution

MikeKane earned 500 total points
ID: 24053803
First, the MTU on the PIX would usually remain at 1500 and let the edge routers specify the MTU and MSS for the connections.
Second, what bandwidth does this vpn client have available? If it's a 56k DSL shared from a home with a family, there's probably not a lot left...
Third, do any other VPN clients have the same issue?

Author Comment

ID: 24053887
Thanks for your reply and direction.

These are all DSL/Cable connected home users.

Yes, multiple users are having the same issues.

Also, Ethereal shows a lot of fragmentation between the vpn client and Pix. Fragmentation appears to be the root issue. How do I address this?

What do you make of the below recommendations? They appear to run counter to your direction.

Can I adjust PMTU setting in PIX 6.x?


Author Comment

ID: 24053969
Also, the connection is closing at a very predictable time.

Always 0:49, almost to the sec 0:49:50.  See attached

This is a timeout, even though I changed:

crypto ipsec security-association lifetime seconds 86400

isakmp policy 1 lifetime 86400

vpngroup vpn3000 idle-time 86400

Expert Comment

ID: 24060207
86400 translates to 24 hours, so the same time daily makes sense. After 24 hours, you must re-key to keep the tunnel alive.

If you suspect that fragmentation is the issue, try this little utility:
It will find the maximum MTU between your PC and a remote host. I use it all the time.


Author Comment

ID: 24061719
Thanks for the mturoute utility.  I discovered the MTU from me to every host is 1300 including non-tunnel hosts.

What do I do with this info?

Make the change on the client side?  Cisco recommends on the router?

Thanks, Jason
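The measured 1300-byte path MTU only tells you the size of the outer packet; what matters for RDP and VoIP inside the tunnel is how much room is left once ESP wraps the traffic. The following added example (not code from the thread or from Cisco) works that arithmetic out for the transform set the config actually uses, esp-3des esp-sha-hmac in tunnel mode, and also shows the binary search that an MTU probing tool performs, driven here by a constructed probe that stands in for a don't-fragment ping so it runs offline. It assumes standard ESP header sizes (8-byte SPI/sequence, 8-byte 3DES IV, 8-byte cipher block, 2-byte pad-length/next-header trailer, 12-byte HMAC-SHA1-96 ICV), a 20-byte outer IPv4 header and an 8-byte UDP header when NAT-T is in use.

```python
"""IPsec tunnel-mode MTU and TCP MSS arithmetic for a measured path MTU.

Added example for the PIX 515e remote-access thread; the header sizes are
the standard values for ESP with 3DES-CBC and HMAC-SHA1-96, and 1300 is the
path MTU the poster measured with the mturoute utility.
"""

IP_HDR = 20        # outer IPv4 header, no options
UDP_HDR = 8        # NAT-T UDP encapsulation, when the client sits behind NAT
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)
TCP_HDR = 20


def esp_packet_size(inner_len, nat_t=True, block=8, iv_len=8, icv_len=12):
    """Size of the outer IP packet that carries an inner IP packet of
    inner_len bytes in ESP tunnel mode.  block and iv_len are 8 for 3DES-CBC;
    icv_len is 12 for esp-sha-hmac (HMAC-SHA1-96)."""
    body = inner_len + ESP_TRAILER
    padded = -(-body // block) * block          # pad up to a whole cipher block
    return IP_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len + padded + icv_len


def max_inner_packet(path_mtu, **esp_params):
    """Largest inner IP packet whose ESP encapsulation still fits path_mtu,
    i.e. the MTU the tunnel interface should present to applications."""
    inner = path_mtu
    while esp_packet_size(inner, **esp_params) > path_mtu:
        inner -= 1
    return inner


def tcp_mss_for(inner_mtu):
    """TCP MSS that keeps every segment inside inner_mtu: the MSS excludes the
    IP and TCP headers, so it must be at least 40 bytes below the MTU."""
    return inner_mtu - IP_HDR - TCP_HDR


def discover_path_mtu(probe, lo=576, hi=1500):
    """Binary search for the largest packet size probe() accepts.
    probe(size) models a don't-fragment ping of that total size: True if it
    was answered, False if it was dropped (or answered with 'fragmentation
    needed')."""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


# Constructed probe: pretend a 1300-byte hop sits somewhere on the path.
def fake_probe(size, path_limit=1300):
    return size <= path_limit


if __name__ == "__main__":
    mtu = discover_path_mtu(fake_probe)
    for nat_t in (True, False):
        inner = max_inner_packet(mtu, nat_t=nat_t)
        print(f"path MTU {mtu}, NAT-T={nat_t}: inner MTU {inner}, TCP MSS {tcp_mss_for(inner)}")
```

For the 1300-byte path the poster measured, a NAT-T client can carry an inner packet of at most 1238 bytes, which means a TCP MSS of 1198; without NAT-T the figures are 1246 and 1206. The same function shows why `mtu outside 1270` paired with `sysopt connection tcpmss 1270` cannot work as intended: an MSS equal to the MTU leaves no room for the 40 bytes of IP and TCP headers, so a 1270-byte MTU needs an MSS no larger than 1230.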

Expert Comment

ID: 24087269
I have always made the MTU and MSS adjustments on the router.   I don't recall ever doing this on the firewall, not that it would be incorrect, just different admins use different techniques.

Author Comment

ID: 24091598

Thanks for your comment.  In this case, the PIX is the client owned edge router and firewall.  The next upstream router is owned and operated by the ISP.

I am not sure if they would change it if requested.


Author Closing Comment

ID: 31565944
no solution
