
RA VPN Client Disconnect

pemasirid
Level 1

Hi,

We have configured remote access VPN on our ASA 5540 (ASA Ver. 7.2(2)). We have 3 VPN groups set up. Sometimes users belonging to any of these groups disconnect 05-06 seconds after they connect. Once I restart the ASA, all users are able to stay connected, but it happens again after 1-2 days.

Please advise me what causes VPN users to disconnect immediately when they log in.

Thanks

3 Replies

ggilbert
Cisco Employee

Hello - Here are a couple of questions.

a. What is the XAUTH method you are using, LOCAL or RADIUS?

b. Can you run debugs on the ASA ("deb cry isa 200" and "deb cry ipsec 200") when this problem happens and collect the logs?

c. Do you have DPDs enabled on the tunnel-group to which the user is authenticating?

d. Can you please enable client logs to High and collect them at the same time as you collect the debugs from the ASA?

Thanks

Gilbert

Hi Gilbert,

Thanks for the reply.

a. XAUTH is local

b. Here is the debug output

PSEC WARNING: outbound SA deletion retry, SPI: 0x674BFED9, user: ql-vpn, peer: 213.130.104.14

IPSEC WARNING: inbound SA deletion retry, SPI: 0xE93CDFE7, user: citrixuser, peer: 213.130.104.242

IPSEC WARNING: outbound SA deletion retry, SPI: 0x43F52957, user: citrixuser, peer: 213.130.104.242

IPSEC WARNING: inbound SA deletion retry, SPI: 0x211CAAB9, user: ajith, peer: 80.231.135.27

IPSEC WARNING: outbound SA deletion retry, SPI: 0x54E3A4DE, user: ajith, peer: 80.231.135.27

IPSEC WARNING: inbound SA deletion retry, SPI: 0xAEB8DD28, user: vishwesh, peer: 78.101.229.12

IPSEC WARNING: outbound SA deletion retry, SPI: 0x6451A342, user: vishwesh, peer: 78.101.229.12

IPSEC WARNING: inbound SA deletion retry, SPI: 0x70E6CA13, user: ajith, peer: 80.231.135.27

IPSEC WARNING: outbound SA deletion retry, SPI: 0x9DEC885F, user: ajith, peer: 80.231.135.27

IPSEC WARNING: outbound SA deletion retry, SPI: 0xDE80BA63, user: srihari, peer: 78.101.240.94

c. What is PDP and how to check whether it's enabled?

Any suggestion?
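
As an added example (not part of the original posts and not Cisco tooling), the debug lines posted above can be grouped by user and peer to see which sessions have SAs stuck in deletion retry. The regular expression is an assumption fitted to these lines only, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Debug lines copied from the post above; the first line's prefix is kept as posted.
DEBUG_OUTPUT = """\
PSEC WARNING: outbound SA deletion retry, SPI: 0x674BFED9, user: ql-vpn, peer: 213.130.104.14
IPSEC WARNING: inbound SA deletion retry, SPI: 0xE93CDFE7, user: citrixuser, peer: 213.130.104.242
IPSEC WARNING: outbound SA deletion retry, SPI: 0x43F52957, user: citrixuser, peer: 213.130.104.242
IPSEC WARNING: inbound SA deletion retry, SPI: 0x211CAAB9, user: ajith, peer: 80.231.135.27
IPSEC WARNING: outbound SA deletion retry, SPI: 0x54E3A4DE, user: ajith, peer: 80.231.135.27
IPSEC WARNING: inbound SA deletion retry, SPI: 0xAEB8DD28, user: vishwesh, peer: 78.101.229.12
IPSEC WARNING: outbound SA deletion retry, SPI: 0x6451A342, user: vishwesh, peer: 78.101.229.12
IPSEC WARNING: inbound SA deletion retry, SPI: 0x70E6CA13, user: ajith, peer: 80.231.135.27
IPSEC WARNING: outbound SA deletion retry, SPI: 0x9DEC885F, user: ajith, peer: 80.231.135.27
IPSEC WARNING: outbound SA deletion retry, SPI: 0xDE80BA63, user: srihari, peer: 78.101.240.94
"""

# Assumed pattern fitted to the lines above; not an official log grammar.
LINE_RE = re.compile(
    r"I?PSEC WARNING: (?P<dir>inbound|outbound) SA deletion retry, "
    r"SPI: (?P<spi>0x[0-9A-Fa-f]+), user: (?P<user>[^,\s]+), "
    r"peer: (?P<peer>\d{1,3}(?:\.\d{1,3}){3})"
)

def summarize_retries(text):
    """Group SA deletion retries by (user, peer), keeping distinct SPIs per direction."""
    summary = defaultdict(lambda: {"inbound": set(), "outbound": set()})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            summary[(m["user"], m["peer"])][m["dir"]].add(m["spi"])
    return dict(summary)

def sessions_with_multiple_sas(summary):
    """Return (user, peer) pairs with more than one SPI pending deletion in a direction."""
    return sorted(k for k, d in summary.items()
                  if len(d["inbound"]) > 1 or len(d["outbound"]) > 1)

if __name__ == "__main__":
    summary = summarize_retries(DEBUG_OUTPUT)
    for (user, peer), d in sorted(summary.items()):
        print(f"{user:12} {peer:16} inbound={len(d['inbound'])} outbound={len(d['outbound'])}")
    print("multiple SAs pending:", sessions_with_multiple_sas(summary))
```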

a.alekseev
Level 7

If you want to know the causes, open a service request with Cisco TAC.

But before doing this you can try to change the software on the ASA.
