Re: PPTP Clients loose connection to cisco PIX 506E after a while..
- From: Mike Rahl <mikerahl@xxxxxxxxx>
- Date: 26 Apr 2007 08:04:32 -0700
On Apr 26, 6:59 am, t...@xxxxxxxxxxxx wrote:
Hi all,
A customer of mine has just gotten a new Cisco Pix 506E, and we are
experiencing some trouble with it. Hope some of you can point me in
the right direction to fix this...
1. Using PDM on the inside, I lose connection to the PDM java app
after a while. Have to close the browser all together and log back on
to access it. Has anyone experienced this? (Tried different browsers,
same result)
2. VPN Users use PPTP to access the firewall. Most of the clients are
on Windows Vista, but XP users reportedly also have problems. What
I've heard is that they lose connection after a while, although the
connection icon still tells the user that he/she is connected.
Workaround is to manually disconnect and connect again.
Should I try to play with the MTU size on the inside interface to see
if this can have any effect?
I have never had these problems on a PIX before, so I'm not sure where
to start looking for errors. I have installed a syslog server that
hopefully will give me some info, but any pointers would be deeply
appreciated. My config is as follows:
mtu inside 1500
ip address outside xxx.xxx.44.62 255.255.252.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 192.168.1.101-192.168.1.150 mask 255.255.255.0
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 213.179.57.7 255.255.255.255 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.1.24 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.24 www netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.44.61 10
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 5
aaa-server RADIUS deadtime 1
aaa-server RADIUS (inside) host 192.168.1.2 cisco timeout 5
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
isakmp nat-traversal 20
telnet 84.209.249.249 255.255.255.255 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP_VPN accept dialin pptp
vpdn group PPTP_VPN ppp authentication chap
vpdn group PPTP_VPN client configuration address local VPNPool
vpdn group PPTP_VPN client configuration dns 192.168.1.2
vpdn group PPTP_VPN pptp echo 60
vpdn group PPTP_VPN client authentication local
vpdn username cisco password *********
vpdn username vpn password *********
vpdn username trond password *********
vpdn enable outside
dhcpd address 192.168.1.20-192.168.1.100 inside
dhcpd dns 192.168.1.2 84.20.96.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:
: end
[OK]
Best regards,
Trond Hindenes
Norway
Good day
I'm not as much an expert on the PIX firewall, but is it possible that
the connections are timing out due to inactivity? Are the users
actively working using that VPN link when it stops responding? You
could look at what the default timeout is on the connection (though I
should think the software would disconnect at that point; maybe a bug
in the software or on the PIX OS with PPTP?)
Also, as to the idea about MTU, what kind of connection is the PIX
connected to? If it's ADSL, or any ATM link for that matter, you may
have to play with it (normally, I set the MTU on the WAN at 1452 bytes
when dealing with ATM). Otherwise, you shouldn't have to play with
the MTU. Ethernet has to run 1500 bytes, so your config looks ok that
way.
Hope this helps a little.
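The reply suggests checking the configured idle timeouts against the PPTP session. The script below is an added example, not part of either post: it parses the `timeout` lines and the `vpdn group ... pptp echo` line from the quoted PIX configuration (the relevant lines are re-embedded here as a constructed sample), converts the h:mm:ss values to seconds, and compares the PPTP echo interval with the `timeout conn` idle timer. Which PIX timer actually governs the PPTP control channel is an assumption stated in the code, not something the thread establishes.

```python
"""Parse PIX 6.x timeout and PPTP echo settings and report the idle thresholds
that could tear down a PPTP session. Added example; not code from the thread."""
import re

# Constructed sample: the timeout and vpdn lines from the posted configuration.
SAMPLE_CONFIG = """\
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
vpdn group PPTP_VPN accept dialin pptp
vpdn group PPTP_VPN pptp echo 60
"""

# A timeout keyword followed by an h:mm:ss value, e.g. "conn 1:00:00".
TIMEOUT_RE = re.compile(r"(\S+)\s+(\d+:\d{2}:\d{2})")
# The per-group PPTP echo interval in seconds.
ECHO_RE = re.compile(r"^vpdn group (\S+) pptp echo (\d+)", re.MULTILINE)


def hms_to_seconds(value):
    """'1:00:00' -> 3600. On the PIX a value of 0:00:00 means 'never time out'."""
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_timeouts(config):
    """Return {keyword: seconds} for every keyword/value pair on the timeout lines."""
    timeouts = {}
    for line in config.splitlines():
        if not line.startswith("timeout "):
            continue
        for name, value in TIMEOUT_RE.findall(line[len("timeout "):]):
            timeouts[name] = hms_to_seconds(value)
    return timeouts


def parse_pptp_echo(config):
    """Return {vpdn group: echo interval in seconds}."""
    return {group: int(secs) for group, secs in ECHO_RE.findall(config)}


def keepalive_findings(config):
    """Compare each group's PPTP echo interval with the 'timeout conn' idle timer.

    Assumption (not from the thread): the PPTP control channel (TCP 1723) is
    subject to 'timeout conn', so an echo interval shorter than that timer keeps
    the channel alive; any other combination is reported for the admin to check.
    """
    timeouts = parse_timeouts(config)
    findings = []
    for group, interval in sorted(parse_pptp_echo(config).items()):
        conn = timeouts.get("conn")
        if conn is None:
            findings.append(f"{group}: no 'timeout conn' line; platform default applies")
        elif conn == 0:
            findings.append(f"{group}: 'timeout conn' is 0 (never); echo every {interval}s is irrelevant")
        elif interval >= conn:
            findings.append(f"{group}: echo {interval}s >= timeout conn {conn}s; control channel may idle out")
        else:
            findings.append(f"{group}: echo {interval}s < timeout conn {conn}s; control channel kept alive")
    return findings


if __name__ == "__main__":
    for name, secs in sorted(parse_timeouts(SAMPLE_CONFIG).items(), key=lambda kv: kv[1]):
        print(f"{name:<15} {secs:>6}s")
    for finding in keepalive_findings(SAMPLE_CONFIG):
        print(finding)
```

Run it against a `show run` capture to list every idle timer from shortest to longest; the shortest ones (here `udp` and `sip_media` at 120 s) are the first candidates when an idle session disappears while the client still shows it as connected.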