pix515e vpn site-to-site resetting tunnel

dewo · 01-16-2008, 06:50 PM

hi all,
i have setup vpn site-to-site between head and branch office. the tunnel created is good. user on branch can access apps server on head office. but sometimes they complain, when they access oracle apps they keep getting message 'server interruption' and they have to re-login. my question is does this problem because there is somekind of buffer inside pix full?
both side using same pix:
Cisco PIX Firewall Version 6.3(1)
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

UR License

here is result of debug cry isakmp: ISADB: reaper checking SA 0xff7cfc, conn_id = 0

rgds,
-dewo-

**Cellus** · 01-20-2008, 08:45 AM

Have there been any drops or losses over the tunnel while using other apps other than Oracle?

There "shouldn't" be any problems like that, in the case of overloading PIX (especially if you have failover), unless you are using the appliance beyond its design limits.

It's possible that Oracle isn't being very lenient in terms of timeout, in which case you may wish to reconfigure it with longer timeouts.

dewo · 01-20-2008, 06:58 PM

Usually when oracle apps being dropped, other application like outlook, terminal service are either getting slower or dropped also.
I have googling anywhere to find relevant issue but see none. What i'm doing now is clear xlate table or power cycle the pix box.
we have submit this problem to oracle metalink.

-dewo-

**Cellus** · 01-22-2008, 04:32 PM

It is possible that you are over-extending your WAN link. When the slowdowns/drop-outs occur, take a look at the WAN link's throughput and see if you are approaching or near its upper limit.

What do you use for your WAN link. Do you have a guaranteed rate for it?

dewo · 01-23-2008, 12:22 AM

Actually i'm using ip vpn and i am not on WAN link. the vpn tunnel create over internet. i saw when the connection is dropped/slowed, my internet b/w seems to be exhausted. but that's not it, even in the morning when not many users were accessing the internet, oracle/mail get dropped for remote users.
FYI, i'm in indonesia (HQ) and my remote site is in Singapore. We are using similar device and topology, the difference is we have vlans (HQ) and i think it doesnt matter. both sites have own internet access.
i simply implement what cisco called site-to-site vpn config

MSilverman · 10-15-2008, 01:25 PM

Dewo,

Because you are using an IP tunnel over the Internet technically you have extended your LAN to include a remote site which qualifies as a WAN connection. In any case Cellus is on the right track I think because that is what happened to us a couple of years back with our PIX 515e device.

We were seeing Citrix sessions dropping or users complaining it was real slow, SSH connections would connect but not present the login prompt through the NAT, etc... we checked the Internet line and lo and behold it was pegged at it's 15 mb/s cap so we upped it and as soon as we did that everythign returned to normal operation.

PDM was the tool that showed this to us. Simply installed it into the PIX and the graph showed us without any hesitation where the issue lay.

Mike.

01-16-2008, 06:50 PM	#1 (permalink)
dewo Registered User Join Date: Jan 2008 Posts: 3 OS: winxpsp2	pix515e vpn site-to-site resetting tunnel hi all, i have setup vpn site-to-site between head and branch office. the tunnel created is good. user on branch can access apps server on head office. but sometimes they complain, when they access oracle apps they keep getting message 'server interruption' and they have to re-login. my question is does this problem because there is somekind of buffer inside pix full? both side using same pix: Cisco PIX Firewall Version 6.3(1) Licensed Features: Failover: Enabled VPN-DES: Enabled VPN-3DES-AES: Enabled Maximum Interfaces: 6 Cut-through Proxy: Enabled Guards: Enabled URL-filtering: Enabled Inside Hosts: Unlimited Throughput: Unlimited IKE peers: Unlimited UR License here is result of debug cry isakmp: ISADB: reaper checking SA 0xff7cfc, conn_id = 0 rgds, -dewo-

01-20-2008, 08:45 AM	#2 (permalink)
Cellus Moderator Networking Team Join Date: Aug 2006 Location: Canada Posts: 2,664 OS: Windows Vista Business SP1, Windows XP Professional SP3 My System	Re: pix515e vpn site-to-site resetting tunnel Have there been any drops or losses over the tunnel while using other apps other than Oracle? There "shouldn't" be any problems like that, in the case of overloading PIX (especially if you have failover), unless you are using the appliance beyond its design limits. It's possible that Oracle isn't being very lenient in terms of timeout, in which case you may wish to reconfigure it with longer timeouts. __________________ TSF Networking Team Virus/Trojan/Spyware Removal Help Donate!

01-20-2008, 06:58 PM	#3 (permalink)
dewo Registered User Join Date: Jan 2008 Posts: 3 OS: winxpsp2	Re: pix515e vpn site-to-site resetting tunnel Usually when oracle apps being dropped, other application like outlook, terminal service are either getting slower or dropped also. I have googling anywhere to find relevant issue but see none. What i'm doing now is clear xlate table or power cycle the pix box. we have submit this problem to oracle metalink. -dewo-

01-22-2008, 04:32 PM	#4 (permalink)
Cellus Moderator Networking Team Join Date: Aug 2006 Location: Canada Posts: 2,664 OS: Windows Vista Business SP1, Windows XP Professional SP3 My System	Re: pix515e vpn site-to-site resetting tunnel It is possible that you are over-extending your WAN link. When the slowdowns/drop-outs occur, take a look at the WAN link's throughput and see if you are approaching or near its upper limit. What do you use for your WAN link. Do you have a guaranteed rate for it? __________________ TSF Networking Team Virus/Trojan/Spyware Removal Help Donate!

01-23-2008, 12:22 AM	#5 (permalink)
dewo Registered User Join Date: Jan 2008 Posts: 3 OS: winxpsp2	Re: pix515e vpn site-to-site resetting tunnel Actually i'm using ip vpn and i am not on WAN link. the vpn tunnel create over internet. i saw when the connection is dropped/slowed, my internet b/w seems to be exhausted. but that's not it, even in the morning when not many users were accessing the internet, oracle/mail get dropped for remote users. FYI, i'm in indonesia (HQ) and my remote site is in Singapore. We are using similar device and topology, the difference is we have vlans (HQ) and i think it doesnt matter. both sites have own internet access. i simply implement what cisco called site-to-site vpn config

10-15-2008, 01:25 PM	#6 (permalink)
MSilverman Registered User Join Date: Oct 2008 Posts: 1 OS: Windows XP	Re: pix515e vpn site-to-site resetting tunnel Dewo, Because you are using an IP tunnel over the Internet technically you have extended your LAN to include a remote site which qualifies as a WAN connection. In any case Cellus is on the right track I think because that is what happened to us a couple of years back with our PIX 515e device. We were seeing Citrix sessions dropping or users complaining it was real slow, SSH connections would connect but not present the login prompt through the NAT, etc... we checked the Internet line and lo and behold it was pegged at it's 15 mb/s cap so we upped it and as soon as we did that everythign returned to normal operation. PDM was the tool that showed this to us. Simply installed it into the PIX and the graph showed us without any hesitation where the issue lay. Mike.