David,
Have you got a Syslog server where you can check the errors appearing, then
send them to Cisco or whoever is your CISCO support, looking at the logs
it should give a good indication as to why your clients are dropping the VPN,
maybe they need another client as well?
Regards,
Cesar
"David Gillett" <[EMAIL PROTECTED]da.edu>
To: "'stephen at unix dot za dot net'" <[EMAIL PROTECTED]>
cc: <[EMAIL PROTECTED]>
12/08/2003 02:07
Subject: RE: Cisco Workaround
Please respond to gillettdavid
Whether your VPN users need GRE or ESP+AH will depend on what
particular VPN technology they use. (In our case, some users need
one and some the other, but that's probably not typical.)
David Gillett
> -----Original Message-----
> From: stephen at unix dot za dot net [mailto:[EMAIL PROTECTED]
> Sent: August 10, 2003 23:27
> To: David Gillett
> Cc: 'Douglas Gullett'; 'Adam Overlin';
> [EMAIL PROTECTED]
> Subject: RE: Cisco Workaround
>
>
>
> hi guys,
>
> all the posts i've seen replying to this guy's problem don't include
> references to needing GRE (proto 47).
>
> it is needed for VPN connectivity, who are we all just assuming everyone
> knows this? (even though there's no mention of it)
>
>
> stephen
>
>
>
> On Mon, 4 Aug 2003, David Gillett wrote:
>
> > ESP is protocol 50 and AH is 51. Neither opening 52 nor
> > leaving 50 closed is likely to help.
> >
> > David Gillett
> >
> > > -----Original Message-----
> > > From: Douglas Gullett [mailto:[EMAIL PROTECTED]
> > > Sent: August 2, 2003 08:49
> > > To: Adam Overlin; [EMAIL PROTECTED]
> > > Subject: RE: Cisco Workaround
> > >
> > >
> > > Adam,
> > >
> > > If the "cheat" sheet you are referring to is the Cisco Security Alert,
> > > I am guessing that you put in their access-list. For IPSEC you need to
> > > have Protocol Port 51 (ESP) and Protocol Port 52 (AH) open, as well as
> > > UDP Port 500 (isakmp).
> > >
> > > Doug
> > >
> > > -----Original Message-----
> > > From: Adam Overlin [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, July 31, 2003 12:59 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: Cisco Workaround
> > >
> > >
> > > I just joined this list so I haven't seen the whole thread on this
> > > issue, thus my company's particular issue may have been discussed
> > > already, but I thought I would see if I could get some help anyway.
> > >
> > > Background:
> > > We have a Cisco 827 router and a PIX 506e locally. Router being in
> > > front of the PIX. We also have a co-location facility that we are
> > > connected via a constant VPN tunnel. There we have a PIX 515e. The
> > > two pixes are what control the VPN/encryption.
> > >
> > > Issue:
> > > The pixes don't run IOS so we didn't have to worry about upgrading
> > > those. However, the router does. So we upgraded the router to the
> > > latest version. Everything worked ok, except, the VPN tunnel. That
> > > got knocked out. Keep in mind that I am no Cisco expert. I did the
> > > upgrade with the help of a *cheat* sheet that Cisco sent us. All I
> > > did was copy the information. I didn't really understand what I was
> > > actually typing into the console (we have another network consultant
> > > that is responsible for the "understanding" part, although he didn't
> > > know why it wasn't working either). :)
> > >
> > > So after a little messing around we reverted back to the old IOS and
> > > everything was peachy. A couple days later they sent us another
> > > version to upgrade with and that did the same thing. Needless to say,
> > > we are still upgradeless.
> > >
> > > If there are any suggestions out there, I would really appreciate it.
> > > If I didn't give enough info, please let me know, and I will get you
> > > whatever you need (within my power of course).
> > >
> > > Thanks in advance,
> > > Adam
----------------------------------------------------------------------------
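An added example, not written by any participant in this thread: a small Python audit of IOS-style `access-list ... permit` lines that reports which of the protocols discussed above (GRE 47, ESP 50, AH 51, ISAKMP on UDP 500) are actually let through. The function name `audit_acl`, the access-list number 101, and both sample ACLs are constructed for illustration; requiring ISAKMP, ESP and AH together (with GRE optional) is an assumption.

```python
import re

# IP protocol numbers from the thread: GRE 47, ESP 50, AH 51; ISAKMP is UDP/500.
KEYWORDS = {"gre": 47, "esp": 50, "ahp": 51, "udp": 17}
NAMES = {47: "GRE", 50: "ESP", 51: "AH"}
PERMIT = re.compile(r"^\s*access-list\s+\d+\s+permit\s+(\S+)\s+(.*)$", re.I)
ISAKMP = re.compile(r"\beq\s+(500|isakmp)\b", re.I)


def audit_acl(config, need_gre=False):
    """Report which VPN-related protocols the permit lines let through.

    Simplification: only protocol and port are examined; addresses, deny
    entries and first-match ordering are not modelled.
    """
    allowed, unrelated = set(), []
    for line in config.splitlines():
        m = PERMIT.match(line)
        if not m:
            continue
        proto, rest = m.group(1).lower(), m.group(2)
        number = KEYWORDS.get(proto, int(proto) if proto.isdigit() else None)
        if number in NAMES:
            allowed.add(NAMES[number])
        elif number == 17 and ISAKMP.search(rest):
            allowed.add("ISAKMP")
        elif proto.isdigit():
            unrelated.append(line.strip())  # numeric entry that is not GRE/ESP/AH
    required = ["ISAKMP", "ESP", "AH"] + (["GRE"] if need_gre else [])
    missing = [p for p in required if p not in allowed]
    return {"allowed": sorted(allowed), "missing": missing, "unrelated": unrelated}


# Constructed sample: the numbers as first suggested in the thread (51 and 52).
ACL_AS_SUGGESTED = """\
access-list 101 permit 51 any any
access-list 101 permit 52 any any
access-list 101 permit udp any any eq 500
"""

# Constructed sample: the corrected numbers, written with IOS keywords.
ACL_CORRECTED = """\
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp any any eq isakmp
"""

if __name__ == "__main__":
    for label, acl in (("as suggested", ACL_AS_SUGGESTED), ("corrected", ACL_CORRECTED)):
        print(label, audit_acl(acl))
```

Pass `need_gre=True` when the VPN technology in use tunnels over GRE, as raised in the thread.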