Problems after upgrade to the latest VPN client 4.x and 5.x leaves

Unanswered Question
Sep 7th, 2007

Hi, after upgrading to the latest version of the VPN software, some of my clients who use either a Linksys, D-Link or Bell SpeedStream 6520 router can no longer connect or get disconnected after a short period of time. Anyone else have issues or know what we can check? MTU size??? FYI, they all worked fine with the previous version of the client.

didyap Thu, 09/13/2007 - 05:56

This sounds like the "failing to learn DNS info" issue. I think if you manually set DNS servers instead of learning them from DHCP, this problem would occur. Make sure you enable DNS in the network control panel TCP/IP bindings. Another problem could be with the MTU size, but since it is with various platforms I think this may not be the issue. However, check by lowering the MTU size.

nefkensp Thu, 09/13/2007 - 11:55

Do you have the ISAKMP nat traversal enabled and also the ISAKMP keepalive?

It could be that the spontaneous disconnect has to do with a nat-translation that gets lost.

willie.gillespie Fri, 10/12/2007 - 12:01

Had a similar problem as the individual above: I could take a laptop and connect for hours at some places, but other places would only stay connected for a few minutes before disconnecting. It was probably the issue of whether I was going through a NAT box or not (or more likely, which NAT box I was traversing and how well it handled it).

Following your suggestion, turning on the ISAKMP nat traversal/keep-alive has seemed to fix the problem for me so far. I have not put it through extensive testing yet, but so far so good.


m.saunders Fri, 10/12/2007 - 12:09

Hi Willie, can you give me more information on the command you applied? Just to update, I am running a VPN blade in a 6500 switch and all my clients terminate there. There is a "crypto isakmp nat keepalive" command I can apply but that is a global command and will affect everyone.

willie.gillespie Fri, 10/12/2007 - 12:16

The command which enabled nat-traversal with a 20 second keep alive for me:

isakmp nat-traversal 20

I am running a PIX 506e firewall.

As far as I know (which isn't much), it does have to enable it for all your clients, but I don't have any reports of it breaking clients that previously worked. Perhaps someone a little more knowledgeable can comment in that regard.
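An added example, not part of the original thread or any poster's code: a way to check from captured traffic whether keepalives are keeping the NAT mapping alive, as the replies above suggest. It assumes the tunnel uses standard NAT-T framing on UDP/4500 (RFC 3948), that any packet on the flow refreshes the mapping, and a 30-second NAT idle timeout; the packet lists are constructed samples.

```python
"""Classify UDP/4500 payloads (RFC 3948 framing) and find idle gaps."""

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # precedes IKE messages on UDP/4500
KEEPALIVE = b"\xff"                    # one-octet NAT-keepalive payload


def classify(payload: bytes) -> str:
    """Name the kind of packet carried in one UDP/4500 payload."""
    if payload == KEEPALIVE:
        return "nat-keepalive"
    if payload[:4] == NON_ESP_MARKER and len(payload) > 4:
        return "ike"
    if len(payload) > 4:
        return "esp"                   # starts with a non-zero SPI
    return "malformed"


def idle_gaps(packets, nat_timeout):
    """Return (start, end, seconds) for each silence longer than nat_timeout.

    packets: iterable of (timestamp_seconds, payload) for one tunnel flow.
    Assumption: any packet on the flow refreshes the NAT mapping.
    """
    times = sorted(t for t, _ in packets)
    return [(a, b, b - a) for a, b in zip(times, times[1:]) if b - a > nat_timeout]


def summarize(packets, nat_timeout):
    """Count packets by kind and list the gaps that risk losing the mapping."""
    counts = {}
    for _, payload in packets:
        kind = classify(payload)
        counts[kind] = counts.get(kind, 0) + 1
    return counts, idle_gaps(packets, nat_timeout)


# Constructed sample traffic (not from a real capture).
ESP = b"\x12\x34\x56\x78" + b"\x00\x00\x00\x01" + b"\xaa" * 16
IKE = NON_ESP_MARKER + b"\x11" * 28
WITHOUT_KEEPALIVE = [(0, IKE), (1, ESP), (2, ESP), (97, ESP)]
WITH_KEEPALIVE = ([(0, IKE), (1, ESP), (2, ESP)]
                  + [(t, KEEPALIVE) for t in range(22, 97, 20)]
                  + [(97, ESP)])
ASSUMED_NAT_TIMEOUT = 30   # seconds; assumed value, consumer routers vary

if __name__ == "__main__":
    for name, pkts in (("no keepalive", WITHOUT_KEEPALIVE),
                       ("keepalive every 20 s", WITH_KEEPALIVE)):
        print(name, summarize(pkts, ASSUMED_NAT_TIMEOUT))
```

A gap longer than the router's idle timeout on an otherwise quiet tunnel is the condition under which the translation can be dropped; with a 20-second keepalive the sample flow never goes silent for longer than 20 seconds.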

m.saunders Fri, 10/12/2007 - 12:20

Thanks for your speedy reply. Hopefully someone will be able to answer me about the 6500 commands.

m.saunders Fri, 10/12/2007 - 12:11

Hi, no, I do not have it enabled. I am running a VPN blade on a 6500 switch where all my clients terminate.

