PIX 515 drops ongoing VPN sessions
Posted by Nicklas on November 24th, 2003


Hi,

I have a rather mysterious issue with our corporate Cisco Pix 515
Firewalls (one running primary, the other failover).

IOS= 6.2.3

None of the Firewalls qualify for the known bugs at Cisco.

Now, the firewall is mainly used for VPN sessions that are
site-to-site over Internet. On the other side of the VPN session,
you'll find a Cisco Pix 501. The VPN sessions are basic, and use DES
encryption. The setup is straightforward and works
great...except......

From "time-to-time" the firewall drops a number of ongoing VPN
sessions. At the most I'd say that the firewall handles about 95 VPN
sessions. I've managed to export data from PDM, which clearly proves
that it does indeed drop about 30% of the VPN sessions at any given
time, see the data extract below:



Date, Time, Number of VPN sessions:
2003-11-24 11:50:07,90
2003-11-24 12:02:07,89
2003-11-24 12:14:07,90
2003-11-24 12:26:07,88
2003-11-24 12:38:07,87
2003-11-24 12:50:07,90
2003-11-24 13:02:07,66 <----here
2003-11-24 13:14:07,77
2003-11-24 13:26:07,81
2003-11-24 13:38:07,82
2003-11-24 13:50:07,86
2003-11-24 14:02:07,89
2003-11-24 14:14:07,91
2003-11-24 14:26:07,92
2003-11-24 14:38:07,92
2003-11-24 14:50:07,91
2003-11-24 15:02:07,90
2003-11-24 15:14:07,64 <---- here
2003-11-24 15:26:07,77
2003-11-24 15:38:07,81
2003-11-24 15:50:07,83
2003-11-24 16:02:07,82
2003-11-24 16:14:07,83


After each "drop" the end user experiences a time-out of about 5-10
minutes, and during this period his Internet connection, mainly DSL,
works fine. After the given timeout the end user re-connects, and the
session is up and running.

I haven't pinpointed the actual reason for the sudden drop of VPN
sessions, but my guess is that the reason resides on our Firewall. The
whole failover setup works, and both the firewalls have the exact same
config.

Has anyone even heard of anything like my problem? If so I'm very
curious to find out if there's any tweak to solve the issue....

I've averaged the overall bandwidth of the corporate firewall, and it
peaks at about 2 Mbps (we have 10).

The CPU/Memory runs at about 20-30% with occasional peaks.


Any input is very much appreciated.

Regards,

Nicklas
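
Added example, not part of the original post: a short Python script that parses the session-count export shown in the post, flags any sample that falls by more than a threshold from the previous sample, and measures how long the count took to return to its pre-drop level. The 20% threshold and the function names are assumptions chosen for illustration; the data lines are copied from the post.

```python
from datetime import datetime
# Session counts as posted (PDM export), including the poster's "<----" notes.
PDM_EXPORT = """\
2003-11-24 11:50:07,90
2003-11-24 12:02:07,89
2003-11-24 12:14:07,90
2003-11-24 12:26:07,88
2003-11-24 12:38:07,87
2003-11-24 12:50:07,90
2003-11-24 13:02:07,66 <----here
2003-11-24 13:14:07,77
2003-11-24 13:26:07,81
2003-11-24 13:38:07,82
2003-11-24 13:50:07,86
2003-11-24 14:02:07,89
2003-11-24 14:14:07,91
2003-11-24 14:26:07,92
2003-11-24 14:38:07,92
2003-11-24 14:50:07,91
2003-11-24 15:02:07,90
2003-11-24 15:14:07,64 <---- here
2003-11-24 15:26:07,77
2003-11-24 15:38:07,81
2003-11-24 15:50:07,83
2003-11-24 16:02:07,82
2003-11-24 16:14:07,83
"""

def parse(text):
    """Parse 'YYYY-MM-DD HH:MM:SS,count [note]' lines; trailing notes are ignored."""
    rows = []
    for line in filter(str.strip, text.splitlines()):
        stamp, _, rest = line.partition(",")
        rows.append((datetime.strptime(stamp.strip(), "%Y-%m-%d %H:%M:%S"), int(rest.split()[0])))
    return rows

def find_drops(rows, threshold=0.20):
    """Flag samples down more than `threshold` (assumed 20%) on the previous sample."""
    events = []
    for i in range(1, len(rows)):
        (_, before), (when, after) = rows[i - 1], rows[i]
        if before and (before - after) / before > threshold:
            recovered = next((t for t, c in rows[i + 1:] if c >= before), None)
            events.append({"time": when, "before": before, "after": after,
                           "pct": round(100 * (before - after) / before, 1),
                           "recovery": recovered - when if recovered else None})
    return events

if __name__ == "__main__":
    for e in find_drops(parse(PDM_EXPORT)): print(e)
```

On the posted data this flags the samples at 13:02:07 (90 to 66, 26.7%) and 15:14:07 (90 to 64, 28.9%), which are 2 hours 12 minutes apart. The count returns to 90 or more 1 hour 12 minutes after the first drop and has not done so by the end of the extract after the second.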

