Welcome to ISAserver.org

Site to Site connectivity Timeouts - ISA <--> Cisco ASA

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA 2006 Firewall] >> VPN >> Site to Site connectivity Timeouts - ISA <--> Cisco ASA

Page: [1]

Message

<< Older Topic Newer Topic >>

Site to Site connectivity Timeouts - ISA <--> Cis... - 24.Jul.2007 1:16:24 PM

qzammit

Posts: 13
Joined: 25.Aug.2006
Status: offline

Hi,

We have set-up a site-to-site connectivity between an ISA 2006 Std and a Cisco ASA 5520 appliciance. The VPN connection is established but after a few minutes we are having timeouts, i.e. the connection is dropped for a few seconds and then reconnected.

The configuration on both appliances is as follows:-
- We are using a pre-shared key
Phase1
- Authenticate and regenerate a new key every 28800secs
- Encyption - 3DES
- Integrity - SHA1
- DH group - Group2
Phase2
Encryption - 3DES
Integrity - SHA1
Generate a new key every 100Mb
Use PFS ON

Can someone advise why we are having disconnections? Internet connectivity seems to be fine. Your help will be highly appreciated.

Note: The ISA FW where the VPN connection is terminated is behing a cisco ASA5510 and a Cisco router.

Regards,
qzammit

Post #: 1

Featured Links*

RE: Site to Site connectivity Timeouts - ISA <-->... - 24.Jul.2007 2:43:41 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi qzammit,

is ISA 2006 SE already running on Windows 2003 SP2? It should! However, be aware of ISA Server and Windows Server 2003 Service Pack 2.

HTH,
Stefaan

(in reply to qzammit)

Post #: 2

RE: Site to Site connectivity Timeouts - ISA <-->... - 26.Jul.2007 3:12:59 AM

qzammit

Posts: 13
Joined: 25.Aug.2006
Status: offline

Hi,

ISA 2006 SE is still running on Win2003 SP1. Do you think that upgrading to SP1 will help solve our problems?

I am more suspecting it is a problem between the PIX and the ISA and besides the VPN traffic is passing through another ASA appliance.

Regards,
qzammit

(in reply to spouseele)

Post #: 3

RE: Site to Site connectivity Timeouts - ISA <-->... - 26.Jul.2007 2:25:19 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi qzammit,

I know for sure there are some important IPsec updates in Win2003 SP2. Therefore I strongly advice to first perform the update. It makes no sense to put any effort in "old" stuff.

HTH,
Stefaan

(in reply to qzammit)

Post #: 4

RE: Site to Site connectivity Timeouts - ISA <-->... - 7.Aug.2007 9:07:50 AM

p057080n

Posts: 26
Joined: 7.Jun.2007
Status: offline

The link that you posted in your previous reply has many users commenting that the update was fairly disasterous for ISA.

I am having somewhat similar issues as the OP has been having, should I have anything to worry about if I do apply the SP2 update?

(in reply to spouseele)

Post #: 5

RE: Site to Site connectivity Timeouts - ISA <-->... - 7.Aug.2007 2:24:51 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Dan,

we have updated multiple ISA 2006 SE servers to Windows 2003 SP2 and apart from disabling Receive Side Scaling and TCP Offload Support as mentioned on the ISA team blog and in the KB article http://support.microsoft.com/kb/936594, we have not done anything special.

HTH,
Stefaan

< Message edited by spouseele -- 7.Aug.2007 2:26:30 PM >

(in reply to p057080n)

Post #: 6