RA VPN Client Disconnect

Unanswered Question
Jul 9th, 2008

Hi,

We have configured remote access VPN on our ASA5540 (ASA Ver. 7.2(2)). We have 3 VPN groups set up. Sometimes users belonging to any of these groups disconnect after 05-06 seconds once they have connected. Once I restart the ASA, all users are able to stay connected, but it happens again after 1-2 days.

Please advise me what causes VPN users to disconnect immediately when they log in.

Thanks

ggilbert Wed, 07/09/2008 - 06:40

Hello - Here are a couple of questions.

a. What is the XAUTH method you are using: LOCAL or RADIUS?

b. Can you run debugs on the ASA ("deb cry isa 200" and "deb cry ipsec 200") when this problem happens and collect the logs?

c. Do you have DPDs enabled on the tunnel-group that the user is authenticating with?

d. Can you please enable client logs to High and collect them at the same time as you collect the debugs from the ASA?

Thanks

Gilbert

pemasirid Wed, 07/09/2008 - 07:11

Hi Gilbert,

Thanks for the reply.

a. XAUTH is local.

b. Here is the debug output:

PSEC WARNING: outbound SA deletion retry, SPI: 0x674BFED9, user: ql-vpn, peer: 213.130.104.14

IPSEC WARNING: inbound SA deletion retry, SPI: 0xE93CDFE7, user: citrixuser, peer: 213.130.104.242

IPSEC WARNING: outbound SA deletion retry, SPI: 0x43F52957, user: citrixuser, peer: 213.130.104.242

IPSEC WARNING: inbound SA deletion retry, SPI: 0x211CAAB9, user: ajith, peer: 80.231.135.27

IPSEC WARNING: outbound SA deletion retry, SPI: 0x54E3A4DE, user: ajith, peer: 80.231.135.27

IPSEC WARNING: inbound SA deletion retry, SPI: 0xAEB8DD28, user: vishwesh, peer: 78.101.229.12

IPSEC WARNING: outbound SA deletion retry, SPI: 0x6451A342, user: vishwesh, peer: 78.101.229.12

IPSEC WARNING: inbound SA deletion retry, SPI: 0x70E6CA13, user: ajith, peer: 80.231.135.27

IPSEC WARNING: outbound SA deletion retry, SPI: 0x9DEC885F, user: ajith, peer: 80.231.135.27

IPSEC WARNING: outbound SA deletion retry, SPI: 0xDE80BA63, user: srihari, peer: 78.101.240.94

c. What is PDP and how do I check whether it's enabled?

Any suggestions?

a.alekseev Wed, 07/09/2008 - 06:41

If you want to know the causes, open a service request with Cisco TAC.

But before doing this, you can try to change the software on the ASA.
