Tunnel dropping connection

Unanswered Question
Feb 27th, 2007

I have two networks currently, Network A & B. Network A is a remote location where users connect to B through VPN. Once they establish a tunnel they RDP to a terminal server. On this terminal server there are several printers installed. These printers actually live on Network A and are connected to B by a 3002 hardware VPN client. So, a recap: the users VPN in to B and print to printers located on site A. B has a 10.1.1.x network and the printers' network is 10.2.2.x. I added persistent routes on the terminal server so that traffic routes. I know this is a kludgy setup and you are probably asking me why we don't just use split tunneling. GOVT. system so I can't. In any event, this setup works; however, anytime the terminal server reboots or the hardware client loses power the tunnel doesn't fully re-establish. I can see the HW client connected from the concentrator but there is no traffic passing and I can no longer ping the printers' network from the terminal server. Here is where it gets interesting! If I initiate a ping from a printer on site A to the terminal server the pings are answered and I can connect again! It is the weirdest thing! I have all the latest software. Anyone else experience this? I know it's unlikely because of the silly arrangement I have on my network but any help would be great. Thanks.

kaachary Sun, 03/04/2007 - 05:08


This is the default behaviour of EzVPN PAT mode. The traffic has to be initiated from Site A (HW Client) to get the IPsec SA built. Once the SAs are built, the traffic will flow bidirectionally.

*Please rate if helped.


robertacree Mon, 03/05/2007 - 05:38

We are running in Network extension mode, not PAT. Any other suggestions?

Kamal Malhotra Mon, 03/05/2007 - 09:51

Hi Robert,

It is the default behaviour not only for PAT mode but for EzVPN altogether. So, the traffic has to be initiated from the client's end so that the IPSEC SA can be built and once it is built, it can be bidirectional.
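The two answers above come down to one operational fact: with EzVPN the IPsec SA only gets negotiated when traffic is sourced from the hardware-client side. The following is an added example (not from any poster in this thread) of a watchdog that runs on a host behind the HW client on site A and keeps sourcing probes toward the terminal server on site B, so the SA is rebuilt after a reboot or power loss without someone walking over to a printer. The terminal server address, probe interval and burst size are assumptions; only the 10.1.1.x / 10.2.2.x subnets come from the thread.

```python
"""Site-A tunnel watchdog: source traffic from the EzVPN client side so the SA comes up."""
import re
import subprocess
import sys
import time

TERMINAL_SERVER = "10.1.1.10"   # assumed host on site B's 10.1.1.x network
INTERVAL_SECONDS = 30           # assumed probe cadence
PROBES_WHEN_DOWN = 5            # burst size used to trigger SA negotiation

# Matches both Linux ("5 received") and BSD/macOS ("5 packets received") summaries.
SUMMARY_RE = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")


def parse_ping_summary(output: str) -> tuple[int, int]:
    """Return (transmitted, received) from ping's summary line; (0, 0) if absent."""
    m = SUMMARY_RE.search(output)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)


def tunnel_state(transmitted: int, received: int) -> str:
    """Classify the path: 'up' if every probe answered, 'down' on total loss, else 'degraded'."""
    if transmitted == 0 or received == 0:
        return "down"
    return "up" if received == transmitted else "degraded"


def ping(host: str, count: int) -> str:
    """Run the system ping (Linux/BSD style flags) and return its text output."""
    proc = subprocess.run(["ping", "-c", str(count), "-W", "2", host],
                          capture_output=True, text=True)
    return proc.stdout


def watchdog_cycle(host: str = TERMINAL_SERVER) -> str:
    """One check: probe once; on total loss, send a burst from this side to rebuild the SA."""
    tx, rx = parse_ping_summary(ping(host, 1))
    state = tunnel_state(tx, rx)
    if state == "down":
        # Traffic from the client side (site A) is what triggers IKE/IPsec SA setup.
        tx, rx = parse_ping_summary(ping(host, PROBES_WHEN_DOWN))
        state = tunnel_state(tx, rx)
    print(time.strftime("%H:%M:%S"), host, state, f"{rx}/{tx} replies", file=sys.stderr)
    return state


if __name__ == "__main__":
    while True:
        watchdog_cycle()
        time.sleep(INTERVAL_SECONDS)
```

Run it from a host on the 10.2.2.x side; a `down` that never turns `up` after the burst means the HW client itself is not connected to the concentrator, not just an idle SA.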



laurent.geyer Wed, 03/07/2007 - 12:46

The problem he describes sounds an awful lot like a problem I have run into with a site-to-site VPN connection that drops the tunnel periodically with no rhyme or reason.

The ASA in question is running 7.2.2 and terminates tunnels with two peers.

cgleaves Wed, 03/14/2007 - 12:43

I was running a PIX 501 tunnel using NEM to my ASA 5520 and found that if the network connection was cut in between then the ASA would not tear down the existing connection (even with keepalives on). I removed the NEM and it was perfect. Just my experience with it.


