Hi Kindy,

It sounds like the tunnel lifetimes are not the same.

You have 'isakmp policy 9 lifetime 86400', which means that the tunnel will be torn down and renegotiated after 86400 seconds. Does the other side have the same lifetime? If not, the peer gateway won't be ready to renegotiate the tunnel and will (probably) spit out a Bad SPI log message for each of your side's negotiation attempts.

That's definitely the first thing to check!

HTH,

Chris

-----Original Message-----
From: vpn-bounces+chris.meidinger=badenit.de@lists.shmoo.com on behalf of Kindy Sylla
Sent: Tue 09-May-06 10:55
To: vpn@lists.shmoo.com
Subject: [VPN] Pix doesn't respond after a while

Hi,

I am having a strange behaviour with a Cisco PIX Firewall Version 6.3(5). The configuration is done, the VPNs are created between the 2 different sites. The problem is that after 5 to 6 hours of running, the ping to the remote hosts doesn't go through. When I try to ping a remote host, I see the following lines in the debug icmp trace:

-request from inside:10.102.158.152 to 10.5.113.142 ID=512 seq=5376 length=40
44: ICMP echo-request: translating inside:10.102.158.152 to outside:10.102.158.152
45: ICMP echo-request from inside:10.102.158.152 to 10.5.113.142 ID=512 seq=5632 length=40
46: ICMP echo-request: translating inside:10.102.158.152 to outside:10.102.158.152

And when a remote host tries to ping a local machine, I can see the request coming in without any reply.

To get the ping to work, we have to reload it.

Do you have any idea?

Please find below my config file:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password N7FecZuSHJlVZC2P encrypted
passwd N7FecZuSHJlVZC2P encrypted
hostname pixbenin
domain-name boabenin.bj
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_vpn permit icmp 10.102.156.0 255.255.252.0 192.168.0.0 255.255.255.0
access-list acl_vpn permit ip 10.102.156.0 255.255.252.0 192.168.0.0 255.255.255.0
access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.5.113.128 255.255.255.224
access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.5.113.128 255.255.255.224
access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.102.128.0 255.255.254.0
access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.102.128.0 255.255.254.0
access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.102.130.0 255.255.255.128
access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.102.130.0 255.255.255.128
pager lines 24
mtu outside 500
mtu inside 1500
ip address outside 81.91.235.147 255.255.255.192
ip address inside 10.102.155.135 255.255.255.128
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 10.102.156.0 255.255.252.0 0 0
route outside 0.0.0.0 0.0.0.0 81.91.235.129 1
route inside 10.102.156.0 255.255.252.0 10.102.155.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 30 set transform-set strong
crypto map toX 20 ipsec-isakmp
crypto map toX 20 match address acl_vpn
crypto map toX 20 set peer 196.200.82.35
crypto map toX 20 set transform-set strong
crypto map toX 30 ipsec-isakmp
crypto map toX 30 match address acl_blgo
crypto map toX 30 set peer 194.78.211.130
crypto map toX 30 set transform-set strong
crypto map toX 9990 ipsec-isakmp dynamic dynmap
crypto map toX interface outside
isakmp enable outside
isakmp key ******** address 196.200.82.35 netmask 255.255.255.255
isakmp key ******** address 194.78.211.130 netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
isakmp policy 19 authentication pre-share
isakmp policy 19 encryption 3des
isakmp policy 19 hash sha
isakmp policy 19 group 2
isakmp policy 19 lifetime 86400
telnet timeout 5
ssh 194.7.174.162 255.255.255.255 outside
ssh 194.7.174.163 255.255.255.255 outside
ssh 10.102.156.0 255.255.252.0 inside
ssh 10.102.155.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:7458b1b938134f7d52ed82d4e2003210

Regards,

Kindy

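A check for the lifetime mismatch the reply suggests, as an added example (it is not code from the original post or from Cisco): it parses the 'isakmp policy' lines of two PIX 6.x configs, finds the phase-1 policies that would match on authentication, encryption, hash and group, and reports the pairs whose lifetimes differ. LOCAL_CFG is the policy excerpt from the posted config; REMOTE_CFG is a constructed stand-in for the peer, since the peer's config is not on the page. The 86400-second value applied when a policy has no 'lifetime' line is the PIX/IOS default.

```python
"""Compare ISAKMP (IKEv1 phase 1) policies between two Cisco PIX 6.x configs.

Added example, not code from the original post. LOCAL_CFG is the policy
excerpt of the posted config; REMOTE_CFG is a constructed stand-in for the
peer, whose real config is not on the page.
"""
import re
from collections import defaultdict

# PIX/IOS default ISAKMP SA lifetime, used when a policy has no 'lifetime' line.
DEFAULT_ISAKMP_LIFETIME = 86400

# Attributes both sides must agree on for a phase-1 proposal to match.
NEGOTIATED = ("authentication", "encryption", "hash", "group")
POLICY_RE = re.compile(
    r"^isakmp policy (\d+) (authentication|encryption|hash|group|lifetime) (\S+)$")

LOCAL_CFG = """\
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
isakmp policy 19 authentication pre-share
isakmp policy 19 encryption 3des
isakmp policy 19 hash sha
isakmp policy 19 group 2
isakmp policy 19 lifetime 86400
"""

# Constructed peer config (assumption): one policy with a shorter lifetime and
# one that relies on the default by omitting the 'lifetime' line entirely.
REMOTE_CFG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
"""


def parse_isakmp_policies(config_text):
    """Return {priority: {attribute: value}} for every 'isakmp policy' line."""
    policies = defaultdict(dict)
    for raw in config_text.splitlines():
        m = POLICY_RE.match(raw.strip())
        if m:
            prio, attr, value = m.groups()
            policies[int(prio)][attr] = value
    return dict(policies)


def lifetime_of(policy):
    """Effective lifetime in seconds, applying the PIX default when unset."""
    return int(policy.get("lifetime", DEFAULT_ISAKMP_LIFETIME))


def matching_policies(local, remote):
    """(local_prio, remote_prio) pairs that agree on all NEGOTIATED attributes."""
    key = lambda p: tuple(p.get(a) for a in NEGOTIATED)
    return [(lp, rp)
            for lp, lpol in sorted(local.items())
            for rp, rpol in sorted(remote.items())
            if key(lpol) == key(rpol)]


def lifetime_mismatches(local, remote):
    """Matching pairs whose lifetimes differ, as
    (local_prio, remote_prio, local_seconds, remote_seconds)."""
    return [(lp, rp, lifetime_of(local[lp]), lifetime_of(remote[rp]))
            for lp, rp in matching_policies(local, remote)
            if lifetime_of(local[lp]) != lifetime_of(remote[rp])]


def report(local_text, remote_text):
    """Print a summary and return the list of lifetime mismatches."""
    local = parse_isakmp_policies(local_text)
    remote = parse_isakmp_policies(remote_text)
    if not matching_policies(local, remote):
        print("no local ISAKMP policy matches any remote policy: phase 1 cannot complete")
    mismatches = lifetime_mismatches(local, remote)
    for lp, rp, ll, rl in mismatches:
        print(f"local policy {lp} and remote policy {rp} match "
              f"but lifetimes differ: {ll}s vs {rl}s")
    return mismatches


if __name__ == "__main__":
    report(LOCAL_CFG, REMOTE_CFG)
```

With the sample inputs, local policy 9 pairs with remote policy 20 (both at the 86400-second default) and local policy 19 pairs with remote policy 10, where the lifetimes differ; only the second pair is reported. The posted config has no 'crypto ipsec security-association lifetime' line, so the phase-2 SA runs at the PIX default (28800 seconds or 4608000 kilobytes, whichever is reached first), and that value deserves the same comparison against the peer.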



_______________________________________________
VPN mailing list
VPN@lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn