Cisco VPN Drops when Idle

Unanswered Question
Dec 12th, 2007

Cisco VPN Client

Connecting to ASA5520

Using NTAuth to authenticate.

The clients are using Sierra Wireless 595 aircards. Attached is my ASA running config. The tunnel group PDClient is reporting the intermittent problem. I have also had the problem here and there. The default gateway on the client disappears. I do not see anything on the ASA; I see the client as still connected. I push a proxy setting from the ASA so that all traffic comes into our web filtering St.Bernard.

husycisco Wed, 12/12/2007 - 13:23

Hi Mis

Please try adding the following configuration

no access-list inside_nat0_outbound extended permit ip

access-list inside_nat0_outbound extended permit ip object-group PDClient

access-list PDClient_Split permit ip object-group PDClient

group-policy PDClient attributes

no split-tunnel-policy tunnelall

no split-tunnel-network-list none

split-tunnel-policy tunnelspecified

split-tunnel-network-list PDClient_Split


obmis Thu, 12/13/2007 - 06:16

I did the above and of course it broke some applications going to non /ip's.

So I did add example to the permit. Now I am unable to use VNC or even ping from Network.

From the laptop I can ping the network. Any ideas?

obmis Thu, 12/13/2007 - 07:25

Now I can access all my network resources. Windows Firewall was blocking. Sorry. I also had the subnet mask for allowing access to my 10.8 network. I am going to have to wait on reports from the field if they are continuing to drop.

husycisco Fri, 12/14/2007 - 03:13

add the non networks in the following lines like

access-list inside_nat0_outbound extended permit ip object-group PDClient

access-list inside_nat0_outbound extended permit ip object-group PDClient

access-list PDClient_Split permit ip object-group PDClient

access-list PDClient_Split permit ip object-group PDClient

obmis Fri, 12/14/2007 - 05:45

I added the group of PDVCSO to the permit. It is working. I am waiting on my field officers to report back to me. I will let you know the outcome. What difference should it make, forcing all traffic like my original config compared to only the selected traffic, when I am forcing everything through the proxy server?

husycisco Fri, 12/14/2007 - 07:27

Your remote clients go to the internet through the VPN tunnel into your web filtering St.Bernard? In this case my solution won't work; I think I confused this with another question. The above solution is for VPDN clients that lose local network connectivity. I apologize.

I assume what you are talking about is "Error 433" and "Error 412 remote peer no longer responding" in VPN clientside that I encountered in another project of mine. I thought this was about idle-timeout and added the following

group-policy policynamehere attributes

vpn-idle-timeout 10080

10080 minutes, pretty good, but no, this is not the issue (I hope you solve yours with just setting the timeout value above). Clients were having trouble with their local net, short disconnects or leakages in internet connectivity, and they were getting disconnected.

The first solution that I've come up with was "Auto-initiation".

That was OK, but when the client disconnects, the error was popping up and auto-initiation would not function until someone clicks OK on that error. After clicking OK, the tunnel is up again in a few seconds. Maybe running the VPN client fully in CLI mode prevents that pop-up and that fixes your issue.

If you ask how I ended up with the project: we asked Checkpoint to modify SecureClient for us to achieve what we wanted, and we deployed Checkpoint in the end. Cisco did not accept modifying their GUI software.
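The two postures discussed in this thread, tunnelall with a pushed proxy versus tunnelspecified with a split-tunnel list, side by side as a constructed ASA 7.x/8.0-era config. This is an added example, not the thread's own attachment or husycisco's exact lines; the 10.8.0.0/16 LAN is assumed from the "10.8 network" mention, the 192.0.2.0/24 client pool and the proxy address are placeholders, and the nat0 exemption is shown in the pre-8.3 `nat (inside) 0` form that matches the thread's date.

```cisco
! Constructed example (not from the thread). Placeholder values:
!   10.8.0.0/16   = internal LAN (assumed from the "10.8 network" mention)
!   192.0.2.0/24  = VPN client address pool (placeholder, RFC 5737)
!   192.0.2.254   = St.Bernard web-filter proxy (placeholder)
object-group network PDClient
 network-object 192.0.2.0 255.255.255.0

! NAT exemption so LAN <-> client traffic inside the tunnel is not translated
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 object-group PDClient
nat (inside) 0 access-list inside_nat0_outbound

! --- Posture A: tunnel everything (the original poster's setup) ---
! Every client packet, including Internet traffic, enters the tunnel and is
! pushed to the proxy, so the web filter sees all of it. A lost default
! gateway on the client therefore takes down Internet access as well.
group-policy PDClient attributes
 vpn-idle-timeout 10080
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 msie-proxy method use-server
 msie-proxy server value 192.0.2.254:8080

! --- Posture B: split tunnel (husycisco's suggestion) ---
! Only destinations matched by PDClient_Split enter the tunnel; Internet
! traffic leaves directly from the client's local link and never reaches
! the proxy or the web filter. Trade-off: local connectivity survives
! tunnel hiccups, but filtering coverage of remote clients is lost.
access-list PDClient_Split standard permit 10.8.0.0 255.255.0.0
group-policy PDClient attributes
 no split-tunnel-policy tunnelall
 no split-tunnel-network-list none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value PDClient_Split
```

Verify which posture is in effect on a connected client with `show vpn-sessiondb remote` on the ASA and by checking the client's route table for a default route pointing into the adapter.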
