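The problem: after our application establishes a connection over the VPN, it drops after about 30 minutes. At that point ping still works, but the application can no longer connect; only restarting the PC lets the application connect again. I don't know the cause, please advise!
Could it be the timeout conn setting? I don't know how to solve it. I would also appreciate guidance from the experts here.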
2. Set up a syslog server and post the log from the time the connection drops.
3. timeout conn may cause the problem, but the default is not 30 min; also, you are using VPN, so I do not think it is the problem.
4. One more thing: sh ver
5. Check the log on the application server.
interface ethernet0 auto
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 112 in interface outside
route outside 0.0.0.0 0.0.0.0 10.174.149.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map fxvpn 10 ipsec-isakmp
crypto map fxvpn 10 match address 110
crypto map fxvpn 10 set peer 10.169.131.68
crypto map fxvpn 10 set transform-set myset
crypto map fxvpn interface outside
isakmp enable outside
isakmp key ******** address 10.169.131.68 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.1.0 255.255.255.0 outside
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:d24fcef7501e55474a8dc7f4eabaad8d
: end
Check #2 and #5 that I asked about earlier first.
If you can capture the packets, that is also helpful.
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
What does this line mean? Can you explain it?
TCP half-closed (send SYN, wait for SYN-ACK): 10 min timeout
UDP: within 2 min, allow return traffic back in .....
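Added example, not part of any post in this thread: a small Python parser that turns the `timeout` lines from the configuration posted above into seconds and lists which timers equal an observed drop interval, so the 30-minute symptom can be compared against the configured values. The function names and the 60-second tolerance are assumptions made for this example.

```python
import re

# Timeout lines copied from the configuration posted in this thread.
CONFIG = """\
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
telnet timeout 5
"""

_HMS = re.compile(r"^(\d+):([0-5]?\d):([0-5]?\d)$")

def hms_to_seconds(value):
    """Convert an h:mm:ss timer value to seconds."""
    m = _HMS.match(value)
    if not m:
        raise ValueError(f"not an h:mm:ss value: {value!r}")
    hours, minutes, seconds = (int(g) for g in m.groups())
    return hours * 3600 + minutes * 60 + seconds

def parse_timeouts(config):
    """Return {timer_name: seconds} for every line that starts with 'timeout'."""
    timers = {}
    for line in config.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "timeout":
            continue  # e.g. 'telnet timeout 5' is a different command
        name = None
        for tok in tokens[1:]:
            if _HMS.match(tok):
                if name is None:
                    raise ValueError(f"value without a timer name: {line!r}")
                timers[name] = hms_to_seconds(tok)
                name = None
            else:
                name = tok  # a timer name; a trailing modifier like 'absolute' has no value
    return timers

def timers_matching(timers, observed_seconds, tolerance=60):
    """Names of timers within `tolerance` seconds of the observed interval."""
    return sorted(n for n, s in timers.items()
                  if abs(s - observed_seconds) <= tolerance)

if __name__ == "__main__":
    parsed = parse_timeouts(CONFIG)
    for name, secs in sorted(parsed.items(), key=lambda kv: kv[1]):
        print(f"{name:12s} {secs:6d} s")
    print("equal to 30 min:", timers_matching(parsed, 30 * 60))
```

On the posted configuration, `conn` parses to 3600 seconds and the only timer equal to 30 minutes is `sip`.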
