07-09-2008 06:03 AM - edited 03-11-2019 06:11 AM
Hi,
We have configured remote access VPN on our ASA5540 (ASA Ver. 7.2(2)). We have 3 VPN groups set up. Sometimes users belonging to any of these groups disconnect 05-06 seconds after they connect. Once I restart the ASA, all users are able to stay connected, but it happens again after 1-2 days.
Please advise me what causes VPN users to disconnect immediately when they log in.
Thanks
07-09-2008 06:40 AM
Hello - Here are a couple of questions.
a. What is the XAUTH method you are using: LOCAL or RADIUS?
b. Can you run debugs on the ASA "deb cry isa 200" & "deb cry ipsec 200" when this problem happens and collect the logs?
c. Do you have DPDs enabled on the tunnel-group the user is authenticating with?
d. Can you please set the client logs to High and collect them at the same time as you collect the debugs from the ASA?
Thanks
Gilbert
07-09-2008 07:11 AM
Hi Gilbert,
Thanks for the reply.
a. XAUTH is local.
b. Here is the debug output:
IPSEC WARNING: outbound SA deletion retry, SPI: 0x674BFED9, user: ql-vpn, peer: 213.130.104.14
IPSEC WARNING: inbound SA deletion retry, SPI: 0xE93CDFE7, user: citrixuser, peer: 213.130.104.242
IPSEC WARNING: outbound SA deletion retry, SPI: 0x43F52957, user: citrixuser, peer: 213.130.104.242
IPSEC WARNING: inbound SA deletion retry, SPI: 0x211CAAB9, user: ajith, peer: 80.231.135.27
IPSEC WARNING: outbound SA deletion retry, SPI: 0x54E3A4DE, user: ajith, peer: 80.231.135.27
IPSEC WARNING: inbound SA deletion retry, SPI: 0xAEB8DD28, user: vishwesh, peer: 78.101.229.12
IPSEC WARNING: outbound SA deletion retry, SPI: 0x6451A342, user: vishwesh, peer: 78.101.229.12
IPSEC WARNING: inbound SA deletion retry, SPI: 0x70E6CA13, user: ajith, peer: 80.231.135.27
IPSEC WARNING: outbound SA deletion retry, SPI: 0x9DEC885F, user: ajith, peer: 80.231.135.27
IPSEC WARNING: outbound SA deletion retry, SPI: 0xDE80BA63, user: srihari, peer: 78.101.240.94
c. What is PDP and how do I check whether it's enabled?
Any suggestions?
07-09-2008 06:41 AM
If you want to know the causes, open a service request with Cisco TAC.
But before doing this, you can try changing the software on the ASA.