LiberatingInsight


VPN between Cisco ASA 5505 and Netgear FVS318

I have a client with a Cisco ASA 5505 in their main office.  They need to get a VPN set up between that and 2 of their remote offices.  Each office has/will have a static IP address.  My original plan was to purchase additional Cisco ASAs for each site but the models are constrained from all my vendors and even CDW and PCConnection.  I was looking at the Netgear FVS318 and I think it will work as a VPN endpoint.  Has anyone run this configuration?  Any other thoughts?
ASKER CERTIFIED SOLUTION
gavving
LiberatingInsight

ASKER

I ended up finding a used Cisco PIX 501 that I had replaced for a client.  I installed it and have the tunnel working finally but I am having some issues where the users say they lose connection and then it comes back in a few mins.  I don't know what to blame it on.  A good part of me says it is bandwidth issues since both sides are on cable internet service and also they are running VoIP phones and a LoB program that is not made for WAN deployment.  Has anyone heard of Cisco ASA 5505 to PIX 501 (6.3) having issues?

Ordinarily I don't have any problems with VPN connections between ASA5505's and PIX 501s, if the VPN is configured correctly.   You might check to make sure that the VPN is capable of being initiated from either direction.  I.e. you should be able to clear the VPN using the commands:

clear crypto ipsec sa
clear crypto isakmp sa

(may need parameters if you only want to clear one tunnel)

Then initiate a ping from one side to a device on the other side that responds to ping.  It should drop one, maybe 2, pings, then come up and start responding.  If it doesn't come up like that for both sides then you may have a config problem that's not allowing traffic from either end to initiate the tunnel.

FYI you might want to open a new question regarding this problem.

Sounds like a mismatch in the key lifetime.  That's one of the few settings that will allow the tunnel to start initially without matching on both ends.  The lifetime will expire on one end but the remote end won't allow a new session to that node because it still sees the old key.
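
The lifetime comparison suggested in the last reply can be scripted. This is an added example, not code from the thread: it pulls the explicitly configured IKE and IPsec SA lifetimes out of two saved configs (ASA block style and PIX 6.x flat style) and reports the phases where they differ. The config snippets, the map name `outside_map` and the function names are constructed; it assumes each file holds one tunnel's settings, and a lifetime left at the platform default will not appear.

```python
import re

# Constructed sample configs for illustration (not taken from the thread).
ASA_CFG = """\
crypto isakmp policy 10
 encryption 3des
 lifetime 86400
crypto map outside_map 20 set security-association lifetime seconds 28800
"""
PIX_CFG = """\
isakmp policy 10 encryption 3des
isakmp policy 10 lifetime 28800
crypto map outside_map 20 set security-association lifetime seconds 3600
"""

IKE_FLAT = re.compile(r"isakmp policy \d+ lifetime (\d+)")           # PIX 6.x style
IKE_BLOCK = re.compile(r"crypto (?:isakmp|ikev1) policy \d+\s*$")    # ASA block header
IPSEC = re.compile(r"crypto map \S+ \d+ set security-association lifetime seconds (\d+)")

def lifetimes(config):
    """Return {'ike': set of seconds, 'ipsec': set of seconds} configured explicitly."""
    out = {"ike": set(), "ipsec": set()}
    in_policy = False  # True while inside an ASA 'crypto isakmp policy N' block
    for line in config.splitlines():
        if IKE_BLOCK.match(line):
            in_policy = True
            continue
        if line.startswith(" "):
            m = re.match(r"\s+lifetime (\d+)", line)
            if m and in_policy:
                out["ike"].add(int(m.group(1)))
            continue
        in_policy = False  # any unindented line ends the block
        for phase, rx in (("ike", IKE_FLAT), ("ipsec", IPSEC)):
            m = rx.match(line)
            if m:
                out[phase].add(int(m.group(1)))
    return out

def mismatches(cfg_a, cfg_b):
    """Return {phase: (sorted a, sorted b)} for each phase whose lifetimes differ."""
    a, b = lifetimes(cfg_a), lifetimes(cfg_b)
    return {p: (sorted(a[p]), sorted(b[p])) for p in a if a[p] != b[p]}

if __name__ == "__main__":
    for phase, (asa, pix) in mismatches(ASA_CFG, PIX_CFG).items():
        print(f"{phase} lifetime differs: ASA={asa} PIX={pix} (seconds)")
```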