remote access vpn issue

Unanswered Question
Jul 22nd, 2008
Hi,

We have remote access VPN configured. It is working fine from my home, but when I connect to the VPN from my office it disconnects after 1 hr; the error is 412, remote peer is no longer responding.

FYI: my office FW is a Fortigate and the remote end is an ASA 5505. Please can someone help me out with this? It's very urgent.

a.alekseev Tue, 07/22/2008 - 00:17
User Badges:
  • Gold, 750 points or more

Check the settings on the office FW...

It looks like your UDP session (IPSec over UDP in your case) has expired.


Also check "crypto isakmp keepalive ..." on the ASA.

gandhi.ganesh Tue, 07/22/2008 - 00:26
Thanks for the quick reply.

Please find the ASA configuration attached. There is no keepalive configured. Please explain briefly what I need to check in my office FW.

nomair_83 Tue, 07/22/2008 - 04:18
User Badges:
  • Bronze, 100 points or more

Dear, your PFS is disabled in the group policies.

Please check, and type crypto isakmp keepalive as well.


gandhi.ganesh Tue, 07/22/2008 - 04:34
Can you please explain, or give a link about, the use of these commands, pfs & keepalive?

FYI: we have an L2L VPN; it is working, no issues.

My issue is the RA VPN, and my client is also facing the same issue. As I said earlier, from my home it is working, no problem. In my office we are using a Fortigate FW; do any changes need to be made there?

ggilbert Tue, 07/22/2008 - 09:36
User Badges:
  • Cisco Employee,

Gandhi,

With regard to your problem, it seems like after an hour the UDP port gets torn down, so your IPSec connection gets disconnected.

If you configure keepalive on the tunnel-group that you are connecting to, this will try to keep the session up using keepalive packets from the server to the client.

If your office firewall blocks those keepalive messages, then you have to allow those keepalive messages coming in from the ASA.

http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/i3.html#wp1824961

Here is a wiki on what PFS is:

http://en.wikipedia.org/wiki/Perfect_forward_secrecy

To read an explanation of PFS from Cisco's website, please click on the link below.

http://www.cisco.com/en/US/docs/ios/12_1t/12_1t3/feature/guide/dtgroup5.html#wp1018094

Hope this helps.

Thanks

Gilbert

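The keepalive settings Gilbert describes, shown as an added ASA configuration example rather than anything from this thread or the attached config; the tunnel-group name RA-GROUP and the timer values are placeholders, and the NAT-T keepalive line assumes the client negotiates NAT-T (UDP 4500) rather than Cisco IPSec-over-UDP:

```text
! ASA 8.x (pre-8.4) syntax: "crypto isakmp ..." rather than "crypto ikev1 ...".
! Lines starting with "!" are comments; RA-GROUP is a placeholder tunnel-group name.
!
! Dead Peer Detection on the remote-access tunnel-group: after 10 s of silence the
! ASA sends a keepalive and retries every 2 s, so traffic keeps flowing across the
! office firewall's UDP session entry instead of idling out after its timeout.
tunnel-group RA-GROUP ipsec-attributes
 isakmp keepalive threshold 10 retry 2
!
! NAT-T keepalives every 20 s (assumed to apply when the client uses NAT-T on UDP 4500);
! these refresh the firewall's UDP state between user traffic.
crypto isakmp nat-traversal 20
!
! The office Fortigate must permit the ASA's UDP 500/4500 keepalives back to the
! client, or DPD will conclude the peer is dead and tear the tunnel down itself.
```

After applying this, `show vpn-sessiondb remote` and `show crypto isakmp sa` on the ASA show whether the session survives the hour mark and whether DPD is reporting the peer as unresponsive.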


gandhi.ganesh Wed, 07/23/2008 - 00:10
Hi,

I am connecting to the same tunnel group from my home and office.

I am attaching the VPN client log file and the error message which we got from the office and from home; hope this will give some more info.