VPN Clients to ASA Lose connection in less than 5 minutes

May 17th, 2007

I'm trying to locate a problem where Cisco VPN Client (I'm using v4.6) disconnects from an ASA v7.0 in less than 10 minutes if there is no activity. It stays up fine if there is network activity. This is a new install and so far everyone experiences the problem.

I've set vpn-idle-timeout and vpn-session-timeout under the group policy, but that has no effect.

Where else can I look?

tia

ggilbert Fri, 05/18/2007 - 02:36

Brendon,

First you need to find out if it is really disconnecting due to idle time. If so, where is it getting the idle time from?

You can run the following debugs on the ASA.

deb cry isa 190

deb cry ipsec 190

Then on the client side, go to the log settings, and then change everything to High (1-3). Enable the logs.

Now connect the client, let it sit there for 10 minutes and then collect the logs from the client and the debug messages from the ASA.

Post those two and I will take a look at it.

Cheers,

Gilbert

ggilbert Tue, 05/22/2007 - 00:51

Excellent.

After the tunnel is created Dead Peer Detection (DPD) messages are sent to the client side to verify if the peer is alive.

Taking a look at the logs on the ASA side, during this time May 21 07:00:43 [IKEv1], the tunnel got established.

After that, we sent DPD messages to the client, but the client never receives them.

May 21 07:05:48 [IKEv1]: IP = 5.9.246.162, IKE_DECODE SENDING Message (msgid=be5432bd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

May 21 07:05:50 [IKEv1 DEBUG]: Group = remotevpn, Username = user1, IP = 5.9.246.162, Sending keep-alive of type DPD R-U-THERE (seq number 0x1e2d6442)

ASA keeps sending 3 DPD messages to see if the client is there but the client doesn't respond.

So, the ASA tears down the tunnel.

Looking at the logs on the client side, I see the same thing. The client sends DPD messages but the ASA doesn't receive them, so the tunnel gets terminated, after about 6 minutes or so.

Solutions:

a. You can either disable DPD keepalive messages on the ASA

b. You can put a sniffer trace in front of the ASA or in front of the client to see if we are sending DPD messages on the wire. Once we know that it's out on the wire, then you can check the next hop to see where it is getting dropped or blocked.

I believe you are using IPSec over UDP, so it would be UDP 500 packets that should be seen on the wire, unless you are doing NAT-T, in which case it would be UDP 4500.

Hope this helps in narrowing down the problem.

Rate it, if it helps.

Cheers

Gilbert
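The DPD behaviour Gilbert describes (ASA sends R-U-THERE probes, gets no R-U-THERE-ACK back, gives up after three and tears the tunnel down) is easy to confirm from the `debug crypto isakmp` output without reading it by hand. The script below is an added example, not code from the thread or from Cisco: it parses ASA IKEv1 DPD lines in the format quoted above and reports, per peer, how many probes went unanswered in a row. The "Sending keep-alive of type DPD R-U-THERE" wording is taken from the post; the "Received keep-alive of type DPD R-U-THERE-ACK" wording for the reply, the retry limit of 3 and the sample debug lines (with RFC 5737 addresses) are assumptions made for the example.

```python
"""Find IKEv1 DPD probes that never get an R-U-THERE-ACK in ASA debug output.

Added example, not from the original thread or from Cisco. The 'Sending
keep-alive of type DPD R-U-THERE' format is the one quoted in the post; the
'Received keep-alive of type DPD R-U-THERE-ACK' format is an assumption, as
are the retry limit and the sample lines below (constructed, RFC 5737 IPs).
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Consecutive unanswered probes after which the thread says the ASA tears the
# tunnel down (assumed as the threshold for this example).
DPD_RETRY_LIMIT = 3

# Matches only DPD keep-alive lines; every other debug line is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[IKEv1(?: DEBUG)?\]: "
    r"(?:Group = (?P<group>\S+), Username = (?P<user>\S+), )?"
    r"IP = (?P<ip>[\d.]+), "
    r"(?P<dir>Sending|Received) keep-alive of type DPD "
    r"(?P<kind>R-U-THERE(?:-ACK)?) \(seq number (?P<seq>0x[0-9a-fA-F]+)\)"
)


@dataclass
class PeerState:
    user: str = "?"
    sent: int = 0                 # R-U-THERE probes the ASA sent
    acked: int = 0                # probes answered with a matching ACK
    worst_run: int = 0            # longest run of consecutive unanswered probes
    pending: list = field(default_factory=list)  # seq numbers awaiting an ACK


def analyze(lines, retry_limit=DPD_RETRY_LIMIT):
    """Return {peer_ip: summary} for every peer that appears in DPD lines."""
    peers = defaultdict(PeerState)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        st = peers[m["ip"]]
        if m["user"]:
            st.user = m["user"]
        seq = int(m["seq"], 16)
        if m["dir"] == "Sending" and m["kind"] == "R-U-THERE":
            st.sent += 1
            st.pending.append(seq)
            st.worst_run = max(st.worst_run, len(st.pending))
        elif m["dir"] == "Received" and m["kind"] == "R-U-THERE-ACK":
            # A genuine ACK echoes a probe's sequence number. Any reply proves
            # the peer is alive, so all outstanding probes are considered answered.
            if seq in st.pending:
                st.acked += 1
                st.pending.clear()
        # Probes received from the client and ACKs the ASA sends are the other
        # direction of DPD and do not affect the ASA's own liveness decision.
    return {
        ip: {
            "user": st.user,
            "sent": st.sent,
            "acked": st.acked,
            "worst_run": st.worst_run,
            "verdict": "DPD_TIMEOUT" if st.worst_run >= retry_limit else "OK",
        }
        for ip, st in peers.items()
    }


# Constructed sample: peer 198.51.100.23 never answers, peer 203.0.113.7 does
# (its second ACK carries a bogus sequence number and is therefore not counted).
SAMPLE_DEBUG = """\
May 21 07:00:43 [IKEv1]: IP = 198.51.100.23, IKE_DECODE SENDING Message (msgid=1) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
May 21 07:05:48 [IKEv1 DEBUG]: Group = remotevpn, Username = user1, IP = 198.51.100.23, Sending keep-alive of type DPD R-U-THERE (seq number 0x1e2d6442)
May 21 07:05:50 [IKEv1 DEBUG]: Group = remotevpn, Username = user1, IP = 198.51.100.23, Sending keep-alive of type DPD R-U-THERE (seq number 0x1e2d6443)
May 21 07:05:52 [IKEv1 DEBUG]: Group = remotevpn, Username = user1, IP = 198.51.100.23, Sending keep-alive of type DPD R-U-THERE (seq number 0x1e2d6444)
May 21 07:05:48 [IKEv1 DEBUG]: Group = remotevpn, Username = user2, IP = 203.0.113.7, Sending keep-alive of type DPD R-U-THERE (seq number 0x0a000001)
May 21 07:05:48 [IKEv1 DEBUG]: Group = remotevpn, Username = user2, IP = 203.0.113.7, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x0a000001)
May 21 07:06:00 [IKEv1 DEBUG]: Group = remotevpn, Username = user2, IP = 203.0.113.7, Sending keep-alive of type DPD R-U-THERE (seq number 0x0a000002)
May 21 07:06:00 [IKEv1 DEBUG]: Group = remotevpn, Username = user2, IP = 203.0.113.7, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x0a000009)
"""

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_DEBUG.splitlines()).items():
        print(f"{ip:16} {info['user']:8} sent={info['sent']} acked={info['acked']} "
              f"worst_run={info['worst_run']} {info['verdict']}")
```

Run it against a saved debug capture with `analyze(open("asa-debug.txt").readlines())`; a peer reported as DPD_TIMEOUT with `acked == 0` is the pattern in this thread, and the next step is the sniffer trace from solution (b) to see whether the UDP 500 (or UDP 4500 with NAT-T) probe actually leaves the ASA and reaches the client.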

bbrendon Thu, 05/24/2007 - 16:22

As another poster suggested ... I made sure Stateful Firewall on the VPN client software was unchecked and added "client-firewall none" under "group-policy remotevpn attributes" to the ASA. No change.

I've been looking through google and the asa to find where to change DPD settings but I only found it for the SSL vpn, can you steer me in the right direction?

tia
