vpn drops for some clients

Unanswered Question
Jun 10th, 2007

Hi, I am trying to deploy a site-to-site VPN from a remote site to a central location. It seems that after some period of inactivity users experience some kind of connection timeout. (Users send some heavy processing query to the SQL server, and after, for example, 10 minutes of processing they lose the connection. Other "non timed out users" work fine at that time.) When that happens the VPN is still up, and timed-out users can again connect to the server.

Here is the part of configuration related to VPN

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key xxxx address xxx.xxx.xxx.xxx
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 5

crypto ipsec security-association lifetime seconds 28800

crypto ipsec transform-set strong esp-3des esp-md5-hmac

crypto map vpn-crosig 100 ipsec-isakmp
 set peer 213.x.x.148
 set transform-set strong
 match address vpn-crosig
 reverse-route remote-peer

interface FastEthernet0
 description >>Prema VM mrezi<<
 ip address xxx.xxx.xxx.xxx
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 priority-group 1
 no cdp enable
 crypto map vpn-crosig

tion hdlc

interface FastEthernet2
 switchport access vlan 100
 no cdp enable

interface Vlan100
 description >>Prema LAN<<
 ip address
 ip access-group 154 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 no snmp trap link-status
 priority-group 1

ip default-gateway 80.x.x.209
ip route 0.0.0.x.x.173.209

ip nat pool vpn prefix-length 28
ip nat inside source route-map internet interface FastEthernet0 overload
ip nat inside source route-map vpn pool vpn

ip access-list extended internet
 deny ip
 permit ip any
ip access-list extended vpn
 permit ip
ip access-list extended vpn-crosig
 permit ip

At the central site I am using a VPN 3000 series concentrator. And the clients are trying to connect to at central.

jaffer_sathik2010 Tue, 06/12/2007 - 04:32


Are you sure that the VPN disconnects only when users send an SQL query?

I guess the amount of bandwidth being used by the total number of users exceeds the 'Bandwidth Assignment' for that VPN group.

Since you have not configured any bandwidth assignment policy here, the default policy will be pushed. [Increase the B/W allotment or reduce the users of the group.]

You can cross verify by limiting the number of users for this tunnel and pass the traffic and observe the status.


Branimir Turk Tue, 06/12/2007 - 06:56

Tnx Jaffer.

It seems that the problem was on the Check Point between the VPN concentrator and the SQL server.

After some period of inactivity C.P. simply dropped the TCP connection to the SQL server.

Setting the TCP keepalive parameters on user PCs solved the issue.
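
Added example, not part of the thread and not the posters' code: the fix above set keepalive parameters on the user PCs, and the same effect can be applied per connection by the client application, so that a probe crosses the stateful firewall before its idle timer expires. The function names, the 600-second firewall idle timeout and the 50% margin are assumptions for illustration; the real timeout has to be read from the firewall's TCP session settings.

```python
import socket


def keepalive_plan(firewall_idle_timeout_s, margin=0.5, interval_s=10, probes=3):
    """Choose keepalive timers so the first probe is sent well before a
    stateful firewall's idle timer would drop the TCP session."""
    if firewall_idle_timeout_s <= 0 or not 0 < margin < 1:
        raise ValueError("timeout must be positive and margin between 0 and 1")
    idle_s = max(1, int(firewall_idle_timeout_s * margin))
    if idle_s >= firewall_idle_timeout_s:
        raise ValueError("firewall timeout too short for a keepalive to help")
    return {"idle_s": idle_s, "interval_s": interval_s, "probes": probes}


def enable_keepalive(sock, plan):
    """Turn on TCP keepalive for one socket and apply the plan's timers.
    Returns a label saying which mechanism was used on this platform."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if hasattr(socket, "SIO_KEEPALIVE_VALS"):
        # Windows: (on/off, idle ms, interval ms); probe count is not set here.
        sock.ioctl(socket.SIO_KEEPALIVE_VALS,
                   (1, plan["idle_s"] * 1000, plan["interval_s"] * 1000))
        return "windows-ioctl"
    # Linux names the idle timer TCP_KEEPIDLE; macOS names it TCP_KEEPALIVE.
    idle_opt = getattr(socket, "TCP_KEEPIDLE",
                       getattr(socket, "TCP_KEEPALIVE", None))
    if idle_opt is None:
        return "system-defaults"  # only SO_KEEPALIVE set; OS-wide timers apply
    sock.setsockopt(socket.IPPROTO_TCP, idle_opt, plan["idle_s"])
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, plan["interval_s"])
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, plan["probes"])
    return "per-socket"


if __name__ == "__main__":
    # 600 s is a constructed firewall idle timeout, not a value from the thread.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    plan = keepalive_plan(600)
    print(enable_keepalive(s, plan), plan)
    s.close()
```

The timers are set before `connect()`, so they cover the whole life of the session, including the long idle wait while the server processes a query.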

