PIX 506 & 3000 Concentrator

I have a site to site VPN from my PIX to a client's VPN 3000 concentrator. The tunnel drops when there is no traffic and only comes back up when they ping or generate traffic from the VPN 3000 concentrator. Until then, traffic through the PIX 506 does not go through. Please help??

DPD, or dead peer detection, which is enabled by default, should prevent this. I guess you are running an older version of the OS that does not support DPD. Support for DPD on the Cisco VPN 3000 Concentrator starts with software version 3.0 and on the PIX Firewall with software version 6.0(1). You will need to upgrade to these versions.

Similar Messages

  • How to get the traffic split up in VPN 3000 Concentrator?

    Hi,
    Requirement:
    I want to parse & analyze the Cisco VPN 3000 Concentrator logs and provide the report for the happenings using the log.
    Issue:
    I am able to get the traffic split up for the Cisco Pix501 thro' its logs for the VPN connections. But in the Cisco 3000 VPN Concentrator, I am not able to get the traffic details for any PPTP/IPSec connections. It simply provides the overall traffic log when the session is closed. For example, below is my traffic log:
    <189>14014 07/23/2004 19:16:24.640 SEV=4 AUTH/28 RPT=41 192.168.101.41 User [sarav] Group [Base Group] disconnected: Session Type: PPTP Duration: 0:16:37 Bytes xmt: 216 Bytes rcv: 38023 Reason: User Requested
    My Question:
    Is there any configuration/solution available to get the live traffic [traffic split up] thro' that VPN connection for the Cisco 3000 VPN Concentrator?
    Please help me in getting this issue resolved.
    Thanks to all helping me to resolve the issue.
    Thanks.

    You get the details from the Pix logs not because of VPN functionality but because the Pix is a stateful device that manages and logs each and every session.
    The VPN 3000 is not stateful or session aware. The best you could do is provide packet level logging, but this would generate enormous log files that would need to be statistically analyzed to provide useful information.
    Your best options are to run their traffic through a Pix firewall for the session logging, use the first hop router inside the network that can provide Netflow export for analysis, or use a probe to monitor the traffic that can discern the individual flows. For the last two, ntop can analyze netflow or mirrored sessions to provide protocol analysis by src/dest IP, top protocols used, etc.
    -Shannon
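As an added illustration of the point made in this thread (not code from the original post): the concentrator's AUTH/28 event only reports byte counts when a session closes, so the most a log parser can produce is per-session and per-user totals after the fact. The regex below is built from the log line quoted in the question; the second and third sample lines are constructed.

```python
import re
from collections import defaultdict

# Field order and labels taken from the AUTH/28 "disconnected" line in the question.
DISCONNECT_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<seq>\d+) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>[\d:.]+) "
    r"SEV=(?P<sev>\d+) (?P<cls>[A-Z]+)/(?P<code>\d+) RPT=(?P<rpt>\d+) "
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}) User \[(?P<user>[^\]]+)\] "
    r"Group \[(?P<group>[^\]]+)\] disconnected: Session Type: (?P<stype>\S+) "
    r"Duration: (?P<dur>\d+:\d{2}:\d{2}) Bytes xmt: (?P<xmt>\d+) "
    r"Bytes rcv: (?P<rcv>\d+) Reason: (?P<reason>.+)$"
)

def duration_seconds(text):
    """Convert the concentrator's H:MM:SS duration field to seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s

def parse_disconnect(line):
    """Return the session-close fields as a dict, or None for any other event."""
    m = DISCONNECT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "peer": d["peer"], "user": d["user"], "group": d["group"],
        "session_type": d["stype"], "seconds": duration_seconds(d["dur"]),
        "bytes_xmt": int(d["xmt"]), "bytes_rcv": int(d["rcv"]),
        "reason": d["reason"], "severity": int(d["sev"]),
    }

def per_user_totals(lines):
    """Aggregate closed sessions per user. Sessions still open contribute nothing,
    because only the disconnect event carries byte counts."""
    totals = defaultdict(lambda: {"sessions": 0, "seconds": 0, "bytes_xmt": 0, "bytes_rcv": 0})
    for line in lines:
        rec = parse_disconnect(line)
        if rec is None:
            continue
        t = totals[rec["user"]]
        t["sessions"] += 1
        t["seconds"] += rec["seconds"]
        t["bytes_xmt"] += rec["bytes_xmt"]
        t["bytes_rcv"] += rec["bytes_rcv"]
    return dict(totals)

# Constructed sample: the line from the question, a made-up non-disconnect event,
# and a made-up second session for the same user.
SAMPLE_LOG = [
    "<189>14014 07/23/2004 19:16:24.640 SEV=4 AUTH/28 RPT=41 192.168.101.41 User [sarav] Group [Base Group] disconnected: Session Type: PPTP Duration: 0:16:37 Bytes xmt: 216 Bytes rcv: 38023 Reason: User Requested",
    "<189>14020 07/23/2004 19:40:02.100 SEV=4 AUTH/22 RPT=12 192.168.101.50 User [alice] Group [Base Group] connected",
    "<189>14031 07/23/2004 20:05:11.001 SEV=4 AUTH/28 RPT=42 192.168.101.41 User [sarav] Group [Base Group] disconnected: Session Type: IPSec Duration: 1:02:05 Bytes xmt: 1000 Bytes rcv: 2000 Reason: Idle Timeout",
]

if __name__ == "__main__":
    for user, t in per_user_totals(SAMPLE_LOG).items():
        print(user, t)
```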

  • PIX 506 (6.3) configuration query

    So just some background, I inherited a PIX 506 with 6.3.  I will admit my background is more towards switching/routing.  But while I know it is a dinosaur, I need to maintain it for partner interoperability.  I just want to confirm that what I am thinking is correct and if not how I can correct it.
    My thought is that since the access-list command doesn't list "eq" at the end, all ports and protocols are allowed?? 
    The other thing I am not used to is that the access-list has no id/number included in the command, so I assume that access-group specifies this functionality.
    All responses are appreciated.
    Here is a snippet of the current config:
    object-group network Ext_Net
      network-object 192.168.0.0 255.255.255.255
    object-group network Int_Net
      network-object 10.0.0.0 255.255.240.0
    object-group network DNS
      network-object 192.168.0.254 255.255.255.255
      network-object 192.168.0.253 255.255.255.255
    object-group network Servers
      network-object 192.168.0.25 255.255.255.255
      network-object 192.168.0.62 255.255.255.255
      network-object 192.168.0.87 255.255.255.255
    object-group network Int_Net_ref
      network-object 192.168.0.0 255.255.255.255
    object-group service Ports tcp
      port-object range 3995 3995
      port-object range telnet telnet
      port-object range 8010 8010
      port-object range 8080 8080
      port-object eq pop3
      port-object eq imap4
      port-object eq smtp
      port-object eq 433
      port-object eq www
      port-object eq https
      port-object eq ssh
      port-object range https https
      port-object eq 9100
      port-object eq lpd
      port-object eq 584
      port-object eq 585
      port-object range 500 700 
    access-list inside_access_in permit tcp object-group Int_Net object-group Ext_Net
    access-list inside_access_in permit udp object-group Int_Net object-group DNS
    access-list inside_access_in permit tcp object-group Int_Net object-group Servers
    access-list outside_access_in permit tcp object-group Ext_Net object-group Int_Net_ref
    access-list outside_access_in permit tcp object-group Servers object-group Int_Net_ref
    access-list outside_access_in permit tcp object-group DNS object-group Int_Net_ref
    pdm location 192.168.0.254 255.255.255.255 outside
    pdm location 192.168.0.253 255.255.255.255 outside
    pdm location
    pdm group Ext_Net 255.255.255.255 outside
    pdm group Int_Net 255.255.255.255 inside
    nat (inside) 2 Int_Net 255.255.240.0 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

    Yes, if the ACL does not have an 'eq' command, all ports for that protocol will be allowed.  Not the best thing to do. 
    The access-group command applies the ACL to the interface in either the in or out direction.  These two commands in your config apply the ACL's to the ingress direction on the PIX:
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    So traffic coming ingress to the outside interface will have the outside_access_in applied to it.
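An added check (not from the original thread) that applies the answer above to the posted config: parse PIX 6.x access-list entries, record which ACL each access-group binds to which interface, and flag tcp/udp permits that carry no port qualifier and therefore match every port. The access-list and access-group lines are the ones from the question; the single `eq www` entry is constructed for contrast.

```python
def parse_addr(tokens, i):
    """Consume one PIX address spec at tokens[i]; return (spec, next index)."""
    t = tokens[i]
    if t == "any":
        return "any", i + 1
    if t in ("host", "object-group"):
        return (t, tokens[i + 1]), i + 2
    return ("net", t, tokens[i + 1]), i + 2          # address followed by mask

def parse_port(tokens, i):
    """Consume an optional port operator; None means every port is matched."""
    if i >= len(tokens):
        return None
    t = tokens[i]
    if t in ("eq", "object-group"):
        return (t, tokens[i + 1])
    if t == "range":
        return ("range", tokens[i + 1], tokens[i + 2])
    return None

def parse_acl_entry(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [port-spec]' (PIX 6.x)."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        return None
    src, i = parse_addr(tok, 4)
    dst, i = parse_addr(tok, i)
    return {"acl": tok[1], "action": tok[2], "proto": tok[3],
            "src": src, "dst": dst, "ports": parse_port(tok, i), "line": line}

def audit(config):
    """Return ({(interface, direction): acl}, [entries permitting all tcp/udp ports])."""
    bindings, wide_open = {}, []
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:1] == ["access-group"] and len(tok) == 5:
            bindings[(tok[4], tok[2])] = tok[1]      # access-group ACL in|out interface IF
            continue
        e = parse_acl_entry(raw.strip())
        if e and e["action"] == "permit" and e["proto"] in ("tcp", "udp") and e["ports"] is None:
            wide_open.append(e)
    return bindings, wide_open

# Access-list/access-group lines from the posted config plus one constructed 'eq' entry.
CONFIG = """\
access-list inside_access_in permit tcp object-group Int_Net object-group Ext_Net
access-list inside_access_in permit udp object-group Int_Net object-group DNS
access-list inside_access_in permit tcp object-group Int_Net object-group Servers
access-list outside_access_in permit tcp object-group Ext_Net object-group Int_Net_ref
access-list outside_access_in permit tcp object-group Servers object-group Int_Net_ref
access-list outside_access_in permit tcp object-group DNS object-group Int_Net_ref
access-list outside_access_in permit tcp any host 192.0.2.10 eq www
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""
if __name__ == "__main__":
    for e in audit(CONFIG)[1]:
        print("permits all ports:", e["line"])
```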

  • Maximum number of local users on a Cisco VPN 3000 Concentrator

    Hi,
    Do you know if there is a specific maximum number of local users that can be created on a Cisco VPN 3000 Concentrator? If possible, we would like to know the number for the different models.
    Thanks in advance for your help!
    Harry

    Hi Harry,
    Please see table 13-1 for that information, and read Authentication Server Limits paragraph
    http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/configuration/guide/Usermgt.html#wp1685274
    Pls rate any helpful posts
    Bst Rgds
    Jorge

  • Will Nortel's Contivity VPN Client work with Cisco's VPN 3000 concentrator?

    Hi, need help. We have VPN 3000 concentrator and a number of VPN clients (these are using Cisco VPN client).
    We have one user that wants to use Nortel's Contivity VPN Client. Will this work with the Cisco COncentrator 3000?

    Tricky question - in theory yes, if the Nortel client follows all the IPSEC RFCs.
    I did try to get the Cisco VPN client working on a Nortel Contivity once - did not get it working - but didn't have that much time to test and get it working.
    My advice - Configure, TEST DEBUG TEST DEBUG!

  • 3000 Concentrator CPU 100%

    I have a 3000 Concentrator where I noticed the CPU is pegged at 100%. How can I find out what is causing this? I went to Monitor -> Statistics and the only thing that I can see is perhaps the NAT translation is causing this. What else can I check to see what is causing the 3000 to spike at 100%?

    OK, I have been to **** and back since updating  iTunes to version 10.5.3.3. Basically it hogs 100% of your CPU. I read all the articles and forums I could find and tried out everything including Win socket resets, re-installations etc. Nothing worked. My objective is purely to get iTunes in any version format to work so I can use iTunes again.
    I am now smiling and using iTunes. This is what I did.
    SYSTEM RESTORE POINT
    As always, create a system restore point so you have something to restore to in case something goes wrong
    UNINSTALL PROPERLY
    Go to control panel, programs and uninstall the below Apple related applications
    iTunes
    Quicktime
    Apple Software Update
    Apple Mobile Support
    Bonjour
    Apple Application Support
    iPhone
    any other Apple related product you can find
    Delete or move any *.itl files (iTunes databases)
    You need to remove these as when you install an earlier version of iTunes it will not be compatible with the newer version
    Clean registry
    Run a registry cleaner. I used the free one as part of the Tweaknow Power pack
    Manual registry clean up
    Run Regedit in admin mode and search for anything Apple and iTunes.  (F3 to do next search).
    NEW INSTALL
    Go to http://www.oldapps.com/itunes.php and download iTunes 10.1 (64-bit).  I tried later versions but had the same CPU issue (not sure why as I was on the second latest iTunes version which worked find until the upgrade).
    Caveat
    The above worked for me and was done at my own risk. If you choose to try the above you do so at your own risk and I accept no responsibility and liability what so ever.
    I will not be updating iTunes again until I see an official Apple iTunes fix for this issue.

  • PIX 506 - Limited Throughput ?

    Hi
    I recently found a use for an old PIX 506 that I found in our store cupboard.
    After doing a 'show ver' I noticed that although the number of internal hosts was unrestricted, the throughput is 'limited'. The outside ethernet is registering as 10/half.
    Can anyone please tell me what the limitation is ? Is it just the difference between 10 and 100 Mbps ?
    Rgrds

    Hi,
    Concerning the last post by Vibhor, which appears to be incorrect, as I have a PIX 506e here which is limited to 10Mb Full as the below show ver indicates.
    Hardware:   PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
    Flash E28F640J3 @ 0x300, 8MB
    BIOS Flash AM29F400B @ 0xfffd8000, 32KB
    0: ethernet0: address is 0009.7c48.c0db, irq 10
    1: ethernet1: address is 0009.7c48.c0dc, irq 11
    Licensed Features:
    Failover:           Disabled
    VPN-DES:            Enabled
    VPN-3DES:           Enabled
    Maximum Interfaces: 2
    Cut-through Proxy:  Enabled
    Guards:             Enabled
    URL-filtering:      Enabled
    Inside Hosts:       Unlimited
    Throughput:         Limited
    IKE peers:          Unlimited
    Is this a licensing limitation?
    Thanks
    DGW

  • Pix 506 E with cable modem

    I'm trying to get a DHCP address from my cable modem to my PIX 506 E but it fails
    "ip address outside dchp setroute"
    somebody know how to get this working?

    Try decreasing the MTU size to 1370. You can do that via the GUI.

  • URL Filtering w/ PIX 506

    A customer called me to ask about URL filtering. He bought a 506 a little over a year ago. I haven't been on site to see exactly what IOS he has, but he wants to know if he can filter certain web sites from certain PCs. Of course the answer is yes, but I need to know more about the capabilities of the 506 URL filtering capabilities. Can I create a "White list" for certain PCs in an address range and allow full access to other PCs?
    The real problem is on 3 PCs that midnight shift users like to use for porn surfing!
    If the 506 can't do the filtering, then I may just add a local piece of software on the 3 problem PCs.
    Any advice on the 506 capabilities would be appreciated.

    hi
    You can use Websense in addition to the PIX F/W to filter the traffic based on the URL, which is most widely deployed, but again you need to decide the cost factor involved in doing so.
    regds

  • L2l vpn between cisco pix and vpn concentrator 3030

    l2l completes phase 1 but cannot seem to complete phase 2. A portion of the debug from the Pix is attached. Anyone got any ideas?

    possible transform set mismatch on phase 2.
    in the pix, this will be the commands related to something like:
    crypto map VPN 20 set transform-set 3desSHA
    in the concentrator, it will be found on the main config page for a L2L setup under:
    Encryption and Authentication (not the IKE Proposal setting)
    or, in the concentrator
    configuration--> policy mgmt -->traffic mgmt - SA's--> find the IPSEC SA for this connection and modify

  • Cisco Pix 506 Blocks certain websites in Win 7/Vista but not XP

    We have been using a Pix 506E with Websense for many years and it has worked fine.  We recently got rid of Websense, deleted all references to it in our configuration, and now on Win 7/Vista machines, certain websites are not accessible, yet are accessible on XP machines.  When the Win 7 machine is taken off site, the websites are accessible.  How do we correct this?  If I have to post my configuration, what should not be shown?


  • VPN 3000 Concentrator

    Does anyone know where I can find the meaning of this message?
    465 10/28/2008 14:48:06.640 SEV=4 IKEDBG/97 RPT=410 208.96.196.242
    Group [208.96.196.242]
    QM FSM error (P2 struct &0x6810ef4, mess id 0xeb16b91f)!
    466 10/28/2008 14:48:06.640 SEV=7 IKEDBG/65 RPT=39116 208.96.196.242
    Group [208.96.196.242]
    IKE QM Initiator FSM error history (struct &0x6810ef4)
    <state>, <event>:
    QM_DONE, EV_ERROR
    QM_WAIT_MSG2, EV_TIMEOUT
    QM_WAIT_MSG2, NullEvent
    QM_SND_MSG1, EV_SND_MSG

    Hi,
    QM FSM Error
    The IPsec L2L VPN tunnel does not come up on the PIX firewall or ASA, and the QM FSM error message appears.
    One possible reason is the proxy identities, such as interesting traffic, Access Control List (ACL) or crypto ACL, do not match on both the ends. Check the configuration on both the devices, and make sure that the crypto ACLs match.
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#qms
    Regards,
    Arul
    *Pls rate if it helps*
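As an added example (not from the thread), here is the crypto ACL comparison the answer recommends, written as a small script: phase 2 proxy identities must be exact mirrors, so every local (source, destination) pair needs a remote (destination, source) pair with identical masks. The concentrator side is expressed in PIX ACL notation here purely for comparison (it actually uses network lists); both configs and the mismatch are constructed.

```python
import ipaddress

def parse_crypto_acl(text):
    """Parse 'access-list NAME permit ip SRC MASK DST MASK' lines into a set of
    (src_network, dst_network) pairs. Handles 'any', 'host A' and 'A MASK' only."""
    def addr(tok, i):
        if tok[i] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), i + 1
        if tok[i] == "host":
            return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
        return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2
    pairs = set()
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "permit" or tok[3] != "ip":
            continue
        src, i = addr(tok, 4)
        dst, _ = addr(tok, i)
        pairs.add((src, dst))
    return pairs

def mirror_mismatches(local_pairs, remote_pairs):
    """Return the pairs on each side that the other side does not mirror exactly.
    A local (A -> B) identity is only satisfied by a remote (B -> A) with the same masks."""
    missing_on_remote = {p for p in local_pairs if (p[1], p[0]) not in remote_pairs}
    missing_on_local = {p for p in remote_pairs if (p[1], p[0]) not in local_pairs}
    return missing_on_remote, missing_on_local

def report(local_text, remote_text):
    """One human-readable line per unmatched proxy identity."""
    mr, ml = mirror_mismatches(parse_crypto_acl(local_text), parse_crypto_acl(remote_text))
    out = [f"local {s} -> {d} has no mirror on the remote peer" for s, d in sorted(mr)]
    out += [f"remote {s} -> {d} has no mirror on the local peer" for s, d in sorted(ml)]
    return out

# Constructed sample: the second remote entry uses a /16 where the PIX uses a /20,
# which is exactly the kind of mismatch that leaves phase 2 stuck.
PIX_SIDE = """\
access-list vpn_to_hq permit ip 10.0.0.0 255.255.240.0 192.168.50.0 255.255.255.0
access-list vpn_to_hq permit ip 10.0.0.0 255.255.240.0 192.168.60.0 255.255.255.0
"""
CONCENTRATOR_SIDE = """\
access-list hq_to_branch permit ip 192.168.50.0 255.255.255.0 10.0.0.0 255.255.240.0
access-list hq_to_branch permit ip 192.168.60.0 255.255.255.0 10.0.0.0 255.255.0.0
"""

if __name__ == "__main__":
    for line in report(PIX_SIDE, CONCENTRATOR_SIDE):
        print(line)
```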

  • Need to track unused VPN user accounts on a 3000 concentrator

    We have an old VPN Concentrator that has a 100 user max limit. We are at capacity and need to find a way to generate a report of unused or outdated user/groups. Can anyone offer a suggestion?

    The computer already keeps a log when each user is on and off. Using Terminal, after the window opens type the word
       last  
    then hit return. You'll see a login time and logout time plus the total time used in parentheses.

  • PIX 506 Config

    Hello;
    I would like to edit the config to open up a FTP port, but need to know the exact steps/procedures.
    1.) I can remote in via the LAN with Hyperterm.
    2.) Can probably use a system to console in if necessary.
    Here's part of the config for the ACL I would like to update:
    access-list outside_in permit tcp any host <public IP> eq www
    access-list outside_in permit tcp any host <public IP> eq https
    Would this be the correct access list entry for ftp to this system?
    access-list outside_in permit tcp any host <public IP> eq ftp
    I just need to know:
    1.) Once I remote in, can I somehow place this acl line right below the https one?
    2.) Can I use a TFTP program and move a text file config onto the PIX?
    3.) If I need to revert back or erase the line, would I just type:
    no access-list outside_in permit tcp any host <public IP> eq ftp
    Thanks, Steve

    That's correct:
    access-list outside_in permit tcp any host eq ftp
    To insert it you can do:
    access-list outside_in line 3 permit tcp any host eq ftp
    The "line 3" will insert ABOVE the existing line 3. It will make the current line 3, line 4.
    You can use tftp by using write net.
    And to remove your line, you do exactly like you have it.
    Don't forget your statics though.
    static (inside, outside) netmask 255.255.255.255
    clear xlate
    --John

  • PIX 506 vs. 1812?

    I have the following situation:
    1 secure employee network (no Internet Connection, only terminal sessions to OPEN
    network)
    1 open employee network (with Internet Connection)
    1 guest WLAN (Internet Connection ONLY - no local access)
    I've been recommended to use either a PIX 506E or a 1812 router.
    Which is the better for this task?
    Approx. 30 users and 10Mbps WAN connection, secure/open network placed in separate VLANs on Catalyst 2950.

    PIX 506E should be best suitable for the task. check out the following link for information on configuring PIX 506E :
    http://www.cisco.com/application/pdf/en/us/guest/products/ps2030/c1616/ccmigration_09186a0080177097.pdf
