Re: Cisco VPN Client issues with PIX 506e
- From: "chrismtoth@xxxxxxxxx" <chrismtoth@xxxxxxxxx>
- Date: 14 Sep 2006 13:13:00 -0700
Thanks again for your detailed and very informative response.
I called up all of our VPN users, and confirmed that all of their home
PCs indeed are unique from one another. So there is no conflict of
names happening.
I also got a call from a VPN user a little bit ago complaining about
their inability to access the network through the VPN. So instead of
doing a 'reload', I followed your suggestion and did a 'clear ipsec
sa'.
I have yet to hear from them, but hopefully that did the trick.
Unfortunately, if that did work, I am still stuck logging into the PIX
and typing in a command every time a user can't connect.
Walter Roberson wrote:
In article <1158254650.494945.22710@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
chrismtoth@xxxxxxxxx <chrismtoth@xxxxxxxxx> wrote:
I don't believe that the clients are having their IPs changed in the
middle of a session as 99% of the clients are through
broadband....although I guess it's surely possible.
So you are saying, I would have to give each client PC a distinct name
on the PIX? How would the PIX know which is which? If Client_27 is
logging into the VPN from home today, and he's running Windows XP
through a cable modem, how would the PIX know who is what other than by
IP?
Not a unique name on the PIX: a unique name in the XP "Computer Name"
control panel. I've noticed that on most Dell systems the
default computer name comes out something akin to Dell_ followed by
the hex of most of the MAC address of the system; that's certainly
unique enough. But for a lot of other systems, the name ends up as
"HOME" or "WORK" or "MY PC", or someone's first name, and those all
need to be uniquified in order for "isakmp identity hostname" to
work.
For this purpose, it doesn't matter what the name -is-, only that
it is unique amongst all of your VPN users, so that when the connecting
PC reaches the PIX and sends the PC's name, the PIX can immediately
recognize that it already has Security Associations under that name.
The problem, you see, is that if a VPN host leaves a connection
except through a session-lifetime timeout or formal disconnect, then
the security associations (SAs) are left intact, because TCP/IP cannot
inherently tell the difference between a connection that vapourized
and a connection that is just slow (or a connection that get fouled up
but will be put back together exactly the same way, allowing the
communications to resume right where they left off.) When the client
disconnects leaving SAs there, and then calls up and presents itself
by IP and that IP isn't the same one as is listed against the previous
time, then as far as the PIX can tell this is a -new- connection for
someone different. But the old Security Associations are still there
and still intercepting the traffic for that destination, still
expecting that old connection to come back to life, so packets
don't reliably get delivered back to the client (they get queued
for the old Security Association instead.)
When, though, a client with a unique name (or a fixed and unchanging
IP address) reconnects, it sends an ISAKMP token that means "I'm
back, throw away all the old Security Associations that are listed
against my ID". The PIX looks through the SA table, sees the old ones
with the matching ID, clears them out, and then the new SAs are
negotiated. Traffic can start flowing immediately because there is
no old SA hanging around intercepting the traffic and trying to send
it to the old address.
But this only works if the clients have unique fixed IP addresses
(isakmp identity address), or have unique fixed internal hostnames
(isakmp identity hostname): otherwise on the recall, the new ID
doesn't match and the old cruft stays around until it times out.
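The following is an added illustration, not code from either poster and not a Cisco implementation: a small Python model of the SA-table behaviour Walter describes. It keys SAs on the ISAKMP identity (hostname or address), lets a client "vanish" and reconnect from a new broadband IP, and shows which peer address return traffic ends up at. The SA lifetime, the user labels, and the TEST-NET addresses are constructed values; the duplicate-"HOME" case is what this model predicts when two users share a computer name, which is the reason the names have to be unique.

```python
from dataclasses import dataclass, field
from typing import List, Optional

SA_LIFETIME = 28800  # seconds; an assumed IPsec SA lifetime for this model


@dataclass
class SecurityAssociation:
    identity: str    # ISAKMP ID the peer presented: its hostname or its IP
    user: str        # VPN user the SA carries traffic for (constructed label)
    peer_addr: str   # public IP the client connected from
    created_at: int  # model clock (seconds) when the SA was negotiated


@dataclass
class PixSaTable:
    """SA table whose matching rule follows 'isakmp identity hostname|address'."""
    identity_mode: str                                   # "hostname" or "address"
    sas: List[SecurityAssociation] = field(default_factory=list)

    def _identity(self, hostname: str, addr: str) -> str:
        return hostname if self.identity_mode == "hostname" else addr

    def expire(self, now: int) -> int:
        """Session-lifetime timeout: drop SAs older than SA_LIFETIME."""
        before = len(self.sas)
        self.sas = [sa for sa in self.sas if now - sa.created_at < SA_LIFETIME]
        return before - len(self.sas)

    def connect(self, user: str, hostname: str, addr: str, now: int) -> int:
        """A client (re)connects and presents its ID. SAs already listed under
        that same ID are cleared, then a fresh SA is negotiated. Returns how
        many old SAs were cleared by the reconnect."""
        self.expire(now)
        ident = self._identity(hostname, addr)
        before = len(self.sas)
        self.sas = [sa for sa in self.sas if sa.identity != ident]
        cleared = before - len(self.sas)
        self.sas.append(SecurityAssociation(ident, user, addr, now))
        return cleared

    def clear_ipsec_sa(self) -> int:
        """The manual 'clear ipsec sa' from the thread: throw away every SA."""
        n = len(self.sas)
        self.sas.clear()
        return n

    def deliver_to(self, user: str) -> Optional[str]:
        """Where return traffic for `user` goes: the oldest SA listed for that
        user grabs it, so a stale SA steals packets from the live one."""
        for sa in self.sas:  # negotiation order, oldest first
            if sa.user == user:
                return sa.peer_addr
        return None


def reconnect_scenario(identity_mode: str, hostname: str) -> Optional[str]:
    """'alice' drops off the net without disconnecting, then comes back ten
    minutes later from a different broadband IP. Returns the peer address
    that traffic for alice is now sent to."""
    table = PixSaTable(identity_mode)
    table.connect("alice", hostname, "203.0.113.10", now=0)    # constructed IP
    # the first connection vaporises; the PIX cannot tell, so its SA stays
    table.connect("alice", hostname, "203.0.113.77", now=600)  # new IP
    return table.deliver_to("alice")


def duplicate_name_scenario() -> Optional[str]:
    """Two different users both named 'HOME' under 'isakmp identity hostname'.
    Under this model bob's connect matches alice's ID and clears her SA."""
    table = PixSaTable("hostname")
    table.connect("alice", "HOME", "203.0.113.10", now=0)
    table.connect("bob", "HOME", "198.51.100.5", now=60)       # constructed IP
    return table.deliver_to("alice")


def timeout_scenario() -> Optional[str]:
    """Address identity, but the reconnect happens after the SA lifetime:
    the stale SA has timed out, so the new one gets the traffic."""
    table = PixSaTable("address")
    table.connect("alice", "HOME", "203.0.113.10", now=0)
    table.connect("alice", "HOME", "203.0.113.77", now=SA_LIFETIME + 1)
    return table.deliver_to("alice")


if __name__ == "__main__":
    print("hostname identity, unique name:", reconnect_scenario("hostname", "DELL_0123ABCD"))
    print("address identity, new IP:     ", reconnect_scenario("address", "DELL_0123ABCD"))
    print("two PCs both named HOME:      ", duplicate_name_scenario())
    print("address identity after timeout:", timeout_scenario())
```

With hostname identity and a unique name the reconnect clears the stale SA and traffic follows the new IP; with address identity the old SA lingers and keeps the traffic until it times out, which is exactly the state the manual `clear ipsec sa` works around.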