vpn drops for some clients

Unanswered Question
Jun 10th, 2007

Hi, i am trying to deploy site-to-site vpn from remote site to central location. It seems that after some period of inactivity users experience some kind of connection timeout. ( Users send some heavy processing querry to SQL server,and after for example 10 minutes of processing they lose connection?Other "non timed out users" work fine at that time.) When that happens vpn is still up.And time-outed users can again connect to server.

Here is the part of configuration related to VPN

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

crypto isakmp key xxxx address xxx.xxx.xxx.xxx

crypto isakmp invalid-spi-recovery

crypto isakmp keepalive 10 periodic

crypto isakmp nat keepalive 5

!

crypto ipsec security-association lifetime seconds 28800

!

crypto ipsec transform-set strong esp-3des esp-md5-hmac

!

crypto map vpn-crosig 100 ipsec-isakmp

set peer 213.x.x.148

set transform-set strong

match address vpn-crosig

reverse-route remote-peer

!

!

!

!

interface FastEthernet0

description >>Prema VM mrezi<<

ip address xxx.xxx.xxx.xxx 255.255.255.240

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

priority-group 1

no cdp enable

crypto map vpn-crosig

!

tion hdlc

shutdown

!

interface FastEthernet2

switchport access vlan 100

no cdp enable

!

interface Vlan100

description >>Prema LAN<<

ip address 192.168.0.1 255.255.255.0

ip access-group 154 in

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1400

no snmp trap link-status

priority-group 1

!

!

ip default-gateway 80.x.x.209

ip route 0.0.0.0 0.0.0.x.x.173.209

!

ip nat pool vpn 172.30.144.82 172.30.144.94 prefix-length 28

ip nat inside source route-map internet interface FastEthernet0 overload

ip nat inside source route-map vpn pool vpn

ip access-list extended internet

deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255

permit ip 192.168.0.0 0.0.0.255 any

ip access-list extended vpn

permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255

ip access-list extended vpn-crosig

permit ip 172.30.144.80 0.0.0.15 10.0.0.0 0.255.255.255

At the central site i am using VPN 3000 series concentrator. And the clients are trying to connect to 10.0.0.0/8 at central.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
jaffer_sathik2010 Tue, 06/12/2007 - 04:32

Hi,

Are you sure that VPN disconnects only when users send SQL query?.

I guess, the amount of bandwidth is being used by total number of users exceeds the 'Bandwidth Assignment' for that VPN group.

Since you have not configured any bandwidh assignment policy here ,default policy will be pushed. [ Increase the B/w allotment or reduce the users of the group]

You can cross verify by limiting the number of users for this tunnel and pass the traffic and observe the status.

--Jaffer

Branimir Turk Tue, 06/12/2007 - 06:56

Tnx Jaffer.

It seems that problem was on the Check Point between VPN concentrator and SQL server.

After some period of inactivity C.P simply dropped TCP connection to SQL server.

Setting the tcp keepalive parameters on user PC-s solved the issue.

Actions

This Discussion