Questions[cisco-pix](server)

We have two sites, a large Southern site and a small Northern site, that have a VPN between them defined on two Cisco PIX Firewalls. Over this VPN Shoretel IP phone traffic travels as well as all other network traffic. We recently switched the smaller Northern office to Bt Infinity (fiber) and all systems worked perfectly, that is, they worked perfectly until last week. Note, nothing change on that day.

Traffic coming down the VPN from Manchester works on all fronts, apart from for the telephone system. Our tame telephone engineers from Shoretel tell us this is all due to the telephone system packets having the DF (do not fragment) bit switched on on their traffic and a required payload of 1472, and with the IPSec overhead, 1472 will not fit down the lines MTU.

If I do a ping MTU test from our Southern office to our Northern office I get the following:

C:\>ping <NorthernOfficeServerIP> -f -l 1472

Pinging <NorthernOfficeServerIP> with 1472 bytes of data:
Reply from <OutsideInterfaceOfSourthernPixIP>: Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

The VPN setup on the PIX is as follows:

sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer <Peer IP> 
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address <Peer IP> netmask 255.255.255.0
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

The first thing I tried on the PIX was to get it to clear the DF flag on the packets as below:

pix(config)# crypto ipsec df-bit clear-df outside

Unfortunately, this just gives:

ERROR: unrecognized usage: [no] crypto ipsec { transform-set | security-association} ... Type help or '?' for a list of available commands.

But then our PIX firmware is quite venerable, the show ver gives me:

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

chathampix up 14 hours 54 mins

Hardware:   PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0x300, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

I have tried altering the MTU size on the PIX, I've had the Outside interface at 1500, 1492 (8 bytes for PPP) and BTs recommendation of 1458 to try and mitigate the problem. The 56 byte overhead of the VPN means that the packets with the DF bit set at 1472 bytes will always be dropped by the VPN.

Does anyone know the equivalent command for "pix(config)# crypto ipsec df-bit clear-df outside" for a PIX with this firmware? Or do you have any other ideas??

UPDATE:

The show crypto ipsec sa for the Northern PIX is below:

interface: outside
    Crypto map tag: transam, local addr. <NorthernOutsideInterfaceIP>

   local  ident (addr/mask/prot/port): (192.168.16.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer: <SouthernOutsideInterfaceIP>:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 107592, #pkts encrypt: 107592, #pkts digest 107592
    #pkts decaps: 114302, #pkts decrypt: 114302, #pkts verify 114302
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 8, #recv errors 0

     local crypto endpt.: <NorthernOutsideInterfaceIP>, remote crypto endpt.: <SouthernOutsideInterfaceIP>
     path mtu 1492, ipsec overhead 56, media mtu 1492
     current outbound spi: 4ada0b77

     inbound esp sas:
      spi: 0xe7c2815(243017749)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: transam
        sa timing: remaining key lifetime (k/sec): (4516828/21982)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x4ada0b77(1255803767)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: transam
        sa timing: remaining key lifetime (k/sec): (4598687/21980)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:

And the MTU for the Southern PIX and Northern PIX is:

mtu outside 1500
mtu inside 1500

The MTU is automatically set less the 8 bytes for PPP by the PIX I believe.

We use Cisco ASA for our IPSEC VPNs, using the EZVPN method. From time to time we encounter problems where an ISP has made a change to their network and our VPN stops working. Nine times out of ten the ISP denies that their change could have stopped this working - I suspect because they don't understand exactly what might have caused the problem. Rather than just bashing heads with them I want to try and point them in a direction that might get a speedier resolution.

In my current incident, I can ssh onto the external interface of the ASA and do a little poking around:

 sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: {Public IP address of London ASA}
    Type    : user            Role    : initiator
    Rekey   : no              State   : AM_TM_INIT_XAUTH_V6C

At the other end of the link I see the following:

Active SA: 26
<snip>
25  IKE Peer: {public IP address of Port-Au-Prince-ASA}
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_TM_INIT_MODECFG_V6H

I can't find any documentation for what AM_TM_INIT_XAUTH_V6C or AM_TM_INIT_MODECFG_V6H, but I'm pretty sure it means that the IKE handshake has failed for some reason.

Can anyone suggest any likely things that might be preventing IKE from succeeding, or specific details of what AM_TM_INIT_XAUTH_V6C means?

Update: We connected the ASA at the site of a customer of another ISP. The VPN connection came up immediately. This confirms that the problem is not configuration related. The ISP is now accepting responsibility and investigating further.

Update: The connection suddenly came back online last week. I have notified the ISP to see if they changed anything, but not heard back yet. Frustratingly I am now seeing a similar issue on another site. I found a Cisco doc on the effects of fragmentation on VPN. I am starting to think that this may be the cause of the issues I am seeing.

Are there any nice options for using the PDM on an old Cisco Pix 501 or 506e with modern computers/browsers? I have an old 501 at a remote site and only have https access to it from my location. I can make the changes via command line, but due to the restricted access, need to use the web interface. Unfortunately, the Java console gives an ugly error before the PDM starts. I've tried this with all of the systems and browsers that I have on hand.

Here's the output from a Windows XP workstation:

Webpage error details

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Timestamp: Thu, 12 May 2011 21:34:02 UTC


Message: Object doesn't support this property or method
Line: 30
Char: 9
Code: 0
URI: https://xxx.xxx.yyy.yyy/pdm.html

In general, are there any tricks for dealing with these non-upgradeable Cisco devices? At least the 515e units and above could take the ASA software. Is the resolution just to keep an old PC or Java instance available for the one-off old firewall?

I've followed the instructions to configure a VPN between a netscreen device and a Cisco PIX as directed by Cisco's [netscreen to PIX VPN]http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801c4445.shtml article.

The only differences are that I'm running PIX 6.3(5) and Juniper Netscreen 6.1.0r2.0 (Firewall+VPN). I followed both configurations exactly, and when I try to connect, the Juniper returns with:

2010-02-21 12:54:28  information IKE: Removed Phase 2 SAs after receiving a notification message. 
2010-02-21 12:54:28  information IKE pix_public_IP: Received a notification message for DOI 1 14 NO-PROPOSAL-CHOSEN. 
2010-02-21 12:54:28  information IKE pix_public_IP Phase 2: Initiated negotiations. 

On the Netscreen, I've created a Phase 2 Proposal called ToCorpOffice using DH Group#2, 3DES-CBC, and SHA-1, and when configuring the AutoKey IKE, I chose ToCorpOffice and removed all other transforms. I believe I've configured the same on the PIX with:

sysopt connection permit-ipsec
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address nonat
crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer netscreen_public_ip
crypto map mymap 10 set transform-set mytrans
crypto map mymap interface outside

Saved that and rebooted, so here's the cryptomap info: PIX-FW1# show crypto map

Crypto Map: "mymap" interfaces: { outside }

Crypto Map "mymap" 10 ipsec-isakmp
    Peer = netscreen_public_ip
    access-list nonat; 1 elements
    access-list nonat line 1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=0)
    Current peer: netscreen_public_ip
    Security association lifetime: 4608000 kilobytes/28800 seconds
    PFS (Y/N): Y
    DH group:  group2
    Transform sets={ mytrans, }
PIX-FW1#

Any idea why I'm getting a NO-PROPOSAL-CHOSEN error?

I'm just starting some Cisco training and I would like to know if there are any freely available simulators available.