PIX 515E dropping existing TCP connections
I recently took over administration of a PIX 515E. I think I have a good
understanding of networking and VPNs; however, I've never dealt with Cisco
devices before, so please forgive me if I use any incorrect terminology
or ask any silly questions.

The problem we're having is that the PIX seems to drop connections that
use more than a tiny bit of bandwidth. I have a workstation on a public
network, and VPN to the PIX to access a private network. I believe that
this is called "split tunneling."

When the VPN is connected, I can SSH to hosts on the private network.
This works fine for simple command line sessions. However, when I try to
copy files over SSH (using scp) to the hosts on the private network, the
PIX drops the connection after transferring just a few kilobytes.

Since both the command line sessions and scp are running over the same
port to the same host, the only difference I can see is that scp requires
a lot more bandwidth. That is why I suspect that the PIX is dropping
connections that use more than a tiny bit of bandwidth. When the
connection is dropped, I see the following messages in the PIX's log:

    302015: Built inbound TCP connection 45281 for outside:10.100.3.116/54568
    (10.100.3.116/54568) to inside: 10.100.14.2/22 (10.100.14.2/22)
    110001: No route to 128.36.236.149 from 128.36.236.114

In the above, 128.36.236.149 is my workstation, 128.36.236.114 is the
public address of the PIX, 10.100.3.116 is the VPN address of my
workstation, and 10.100.14.2 is the host on the private network that I am
connecting to. Obviously there is a route between 128.36.236.149 and
128.36.236.114, otherwise the VPN wouldn't work at all. The "no route"
message repeats itself several times.

I have another issue that may or may not be related. There is a switch
on the private network that uses a web interface for administration.
When I am connected to the VPN, I can get to the login screen of the web
interface of the switch, however as soon as I click "login", the PIX
drops the TCP connection entirely. At that point, this message shows up
in the PIX's log:

    106015: Deny TCP (no connection) from 10.100.3.116/39576 to
    10.100.14.200/80 flags PSH ACK on interface outside

10.100.3.116 is my workstation's VPN IP, and 10.100.14.200 is the switch
on the private network whose web interface I am trying to use.
Obviously if I can get to the login screen of the switch, I am able to
access 10.100.14.200 port 80 from 10.100.3.116 without being denied. I
don't understand why the PIX would then deny the same connection at a
later time.

Any help with these issues would be greatly appreciated. I apologize if
I mistyped any of these log messages. By the way, is there a way to copy
and paste log messages from the Windows Cisco ASDM client? I can't seem
to figure out how to do it.
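As an added example (not part of the original post, and not Cisco's code), the script below does the log correlation the post is reasoning about by hand: it parses the Built / Teardown / "Deny (no connection)" / "No route" message texts out of PIX syslog lines, tracks which flows the firewall itself reported building, and sorts each "no connection" deny into one of three buckets depending on whether the firewall had previously built that flow and whether it logged a teardown in between. It keys on the message text rather than the six-digit message ID, so a mistyped ID does not matter. The sample lines are constructed for the example (their addresses and ports mirror the ones in the post; the Built/Teardown TCP lines use the usual 302013/302014 IDs), and the report bucket names are the example's own.

```python
"""Triage PIX/ASA connection-tracking syslog lines (added example).

Correlates "Deny ... (no connection)" messages with the Built/Teardown
messages the firewall logged for the same flow, so you can tell a deny
for a flow the firewall never built apart from one it built and silently
lost, or one it tore down while the endpoints kept talking.
"""
import re

LINE_RE = re.compile(r"^(?P<msgid>\d{6}):\s*(?P<text>.*)$")
# "outside:10.100.3.116/54568" -> (iface, ip, port); the parenthesised
# mapped addresses carry no "iface:" prefix and are deliberately skipped.
ENDPOINT_RE = re.compile(r"(?P<iface>\w+):\s*(?P<ip>\d+\.\d+\.\d+\.\d+)/(?P<port>\d+)")
CONN_RE = re.compile(r"(?:Built \w+|Teardown) (TCP|UDP) connection (\d+)")
DENY_RE = re.compile(
    r"Deny (?P<proto>TCP|UDP) \(no connection\) from (?P<sip>[\d.]+)/(?P<sport>\d+)"
    r" to (?P<dip>[\d.]+)/(?P<dport>\d+)"
)
NOROUTE_RE = re.compile(r"No route to (?P<dst>[\d.]+) from (?P<src>[\d.]+)")


def flow_key(proto, a_ip, a_port, b_ip, b_port):
    """Direction-agnostic flow identifier, so a deny on the return path
    (server -> client) still matches the Built line for the same flow."""
    ends = sorted([(a_ip, int(a_port)), (b_ip, int(b_port))])
    return (proto, ends[0], ends[1])


def parse_line(line):
    """Return an event dict for a recognised line, or None if it is not a
    '<msgid>: <text>' syslog line at all."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msgid, text = m.group("msgid"), m.group("text")
    cm = CONN_RE.match(text)
    if cm:
        ends = ENDPOINT_RE.findall(text)
        if len(ends) < 2:
            return {"kind": "other", "msgid": msgid}
        (_, sip, sport), (_, dip, dport) = ends[0], ends[1]
        kind = "built" if text.startswith("Built") else "teardown"
        return {"kind": kind, "msgid": msgid, "conn": cm.group(2),
                "flow": flow_key(cm.group(1), sip, sport, dip, dport)}
    dm = DENY_RE.search(text)
    if dm:
        return {"kind": "deny", "msgid": msgid,
                "flow": flow_key(dm["proto"], dm["sip"], dm["sport"], dm["dip"], dm["dport"])}
    nm = NOROUTE_RE.search(text)
    if nm:
        return {"kind": "noroute", "msgid": msgid, "src": nm["src"], "dst": nm["dst"]}
    return {"kind": "other", "msgid": msgid}


def triage(lines):
    """Walk the lines in order and bucket every 'no connection' deny by the
    state the firewall had previously logged for that flow."""
    state = {}  # flow -> "built" | "torn_down"
    report = {
        "deny_while_built": [],     # firewall logged Built, no Teardown, then 'no connection'
        "deny_after_teardown": [],  # firewall tore the flow down; a host kept sending
        "deny_no_state_in_log": [], # no Built for this flow in the lines examined
        "no_route": [],             # (src, dst) pairs from 'No route' messages
    }
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "built":
            state[ev["flow"]] = "built"
        elif ev["kind"] == "teardown":
            state[ev["flow"]] = "torn_down"
        elif ev["kind"] == "deny":
            st = state.get(ev["flow"])
            bucket = {"built": "deny_while_built", "torn_down": "deny_after_teardown"}.get(
                st, "deny_no_state_in_log")
            report[bucket].append(ev["flow"])
        elif ev["kind"] == "noroute":
            report["no_route"].append((ev["src"], ev["dst"]))
    return report


# Constructed sample log for the example; tuples mirror the ones in the post.
SAMPLE_LOG = [
    "302013: Built inbound TCP connection 45281 for outside:10.100.3.116/54568 (10.100.3.116/54568) to inside: 10.100.14.2/22 (10.100.14.2/22)",
    "110001: No route to 128.36.236.149 from 128.36.236.114",
    "302013: Built inbound TCP connection 45290 for outside:10.100.3.116/39576 (10.100.3.116/39576) to inside:10.100.14.200/80 (10.100.14.200/80)",
    "302014: Teardown TCP connection 45281 for outside:10.100.3.116/54568 to inside:10.100.14.2/22 duration 0:00:04 bytes 12288 TCP Reset-O",
    "106015: Deny TCP (no connection) from 10.100.3.116/39576 to 10.100.14.200/80 flags PSH ACK on interface outside",
    "106015: Deny TCP (no connection) from 10.100.14.2/22 to 10.100.3.116/54568 flags ACK on interface inside",
    "106015: Deny TCP (no connection) from 10.100.3.116/40000 to 10.100.14.9/443 flags PSH ACK on interface outside",
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

Run against a longer capture, the "deny_while_built" bucket is the one to look at first: it holds flows the firewall itself reported building and then claims to have no connection entry for, with no Teardown logged in between, which tells you the connection table lost the flow while both endpoints still had it. The "No route" pairs are reported separately because they describe the outer path between the firewall's public address and the remote peer, not the tunnelled flows.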