PIX501 and VPN client inconsistent connections.

sanjaybhamoo
Level 1

This is my network setup:

internet--- linksys firewall--cisco pix--myLAN

I have a Cisco PIX 501 with IOS 6.3(4), and I am running Cisco VPN client 4.6.04. The config is IPSEC over UDP.

I have a Linksys firewall behind which the PIX sits. I have forwarded UDP port 4500, 500, TCP 10000 to the PIX. For some reason the VPN client connects from some internet connections and from some it does not, and I do not get any error messages.

The funny thing is, when I reboot my Linksys firewall I am able to connect using the VPN client, but after about a few hours it stops connecting again; then if I reboot the Linksys firewall it will connect.

I have attached the log file from the VPN client, when it was not connecting. Thanks for the help.

RTR

--------------------------------------------------------------------------------------------------------------------------

1 23:42:27.997 12/14/06 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 71.78.123.220.

2 23:42:28.017 12/14/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
VID(Nat-T), VID(Frag), VID(Unity)) to 71.78.123.220

3 23:42:28.037 12/14/06 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

4 23:42:28.037 12/14/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

5 23:42:33.034 12/14/06 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

6 23:42:33.034 12/14/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 71.78.123.220

7 23:42:38.041 12/14/06 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

8 23:42:38.041 12/14/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 71.78.123.220

9 23:42:43.048 12/14/06 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

10 23:42:43.048 12/14/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 71.78.123.220

11 23:42:48.055 12/14/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=7C22991E7FF28FA8
R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

12 23:42:48.556 12/14/06 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=7C22991E7FF28FA8
R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

13 23:42:48.596 12/14/06 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

14 23:42:48.626 12/14/06 Sev=Info/4 IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully

15 23:42:49.067 12/14/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

16 23:42:49.067 12/14/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

17 23:42:49.067 12/14/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

18 23:42:49.067 12/14/06 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped


bwilmoth
Level 5

Check the lifetime of ISAKMP and SA in the PIX.

Try this link:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn634.htm#wp32082

Also check the bug ID: CSCeg30023

Hi,

You should allow UDP 10000, not TCP. Try manually setting the MTU on the Cisco VPN client (SetMTU to 1300 or 1200). As well, if no NAT is performed, allow IP 50 (ESP). Full list: UDP 500, 4500, 10000; ICMP; IP 50

Rate if this helped.

Daniel
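
The client log in the question records IKE packets going out and nothing coming back. As an added example (not code from anyone in the thread), this Python sketch parses that log layout and summarises the attempt; the function names are illustrative, and the `RECEIVING <<<` prefix for inbound packets is an assumption about the client's log format.

```python
import re
from datetime import datetime

# Sample input: entries 2, 6, 8, 10 and 11 of the question's log, blank lines dropped.
SAMPLE_LOG = """\
2 23:42:28.017 12/14/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
VID(Nat-T), VID(Frag), VID(Unity)) to 71.78.123.220
6 23:42:33.034 12/14/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 71.78.123.220
8 23:42:38.041 12/14/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 71.78.123.220
10 23:42:43.048 12/14/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 71.78.123.220
11 23:42:48.055 12/14/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=7C22991E7FF28FA8
R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

HEADER = re.compile(r"^\d+\s+(\d\d:\d\d:\d\d\.\d{3})\s+(\d\d/\d\d/\d\d)"
                    r"\s+Sev=\w+/\d\s+\w+/0x[0-9A-Fa-f]{8}$")
R_COOKIE = re.compile(r"R_Cookie=([0-9A-Fa-f]{16})")

def parse_entries(text):
    """Attach each wrapped message line to the header line that precedes it."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            when = datetime.strptime(f"{m[2]} {m[1]}", "%m/%d/%y %H:%M:%S.%f")
            entries.append({"time": when, "msg": ""})
        elif line and entries:
            entries[-1]["msg"] = f"{entries[-1]['msg']} {line}".strip()
    return entries

def diagnose(entries):
    """Summarise one IKE attempt; an all-zero R_Cookie means no reply was ever seen."""
    sent = [e for e in entries if e["msg"].startswith("SENDING >>>")]
    # Assumption: inbound IKE packets are logged with a "RECEIVING <<<" prefix.
    replies = [e for e in entries if e["msg"].startswith("RECEIVING <<<")]
    cookies = {m[1] for e in entries if (m := R_COOKIE.search(e["msg"]))}
    gave_up = [e for e in entries if "DEL_REASON_PEER_NOT_RESPONDING" in e["msg"]]
    waited = (gave_up[0]["time"] - sent[0]["time"]).total_seconds() if sent and gave_up else None
    return {
        "sent": len(sent),
        "retransmissions": sum("(Retransmission)" in e["msg"] for e in sent),
        "replies": len(replies),
        "peer_never_answered": not replies and cookies == {"0" * 16},
        "seconds_waited": waited,
    }
```

When `replies` is 0 and `peer_never_answered` is true, the client's first IKE packet drew no reply, which points at the path to the PIX or the PIX itself rather than at later tunnel negotiation.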