remote access vpn issue

Unanswered Question
Jul 22nd, 2008

Hi,

We have remote access VPN configured. It is working fine from my home, but when I connect to the VPN from my office it disconnects after 1 hr; the error is 412 remote peer is no longer responding.

FYI: my office FW is a Fortigate and the remote end is an ASA 5505. Please can someone help me out with this, it's very urgent.

a.alekseev Tue, 07/22/2008 - 00:17

Check the settings on the office FW...

It looks like your UDP session (IPSec over UDP in your case) has expired.

Also check "crypto isakmp keepalive ..." on the ASA.

gandhi.ganesh Tue, 07/22/2008 - 00:26

Thanks for the quick reply.

Please find the ASA configuration attached. There is no keepalive configured, and please explain briefly what I need to check in my office FW.

Attachment: 
nomair_83 Tue, 07/22/2008 - 04:18

Dear, your PFS is disabled in the group policies.

Please check and type crypto isakmp keepalive as well.

gandhi.ganesh Tue, 07/22/2008 - 04:34

Can you please explain or give a link about the use of these commands, PFS and keepalive?

FYI: we have an L2L VPN; it is working with no issues.

My issue is the RA VPN, and my client is also facing the same issue. As I said earlier, from my home it works with no problem. In my office we are using a Fortigate FW; do any changes need to be done there?

ggilbert Tue, 07/22/2008 - 09:36

Gandhi,

With regard to your problem: it seems like after an hour the UDP port gets torn down, so your IPSec connection gets disconnected.

If you configure keepalive on the tunnel-group that you are connecting to, this will try to keep up the session using keepalive packets from the server to the client.

If your office firewall blocks those keepalive messages then you have to allow those keepalive messages coming in from the ASA.

http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/i3.html#wp1824961

Here is a wiki article on what PFS is:

http://en.wikipedia.org/wiki/Perfect_forward_secrecy

To just read about some explanation on PFS from Cisco's website, please click on the link below.

http://www.cisco.com/en/US/docs/ios/12_1t/12_1t3/feature/guide/dtgroup5.html#wp1018094

Hope this helps.

Thanks

Gilbert
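As an added illustration (not configuration posted by anyone in this thread), here is what the keepalive setup Gilbert describes looks like on an ASA running 8.x syntax, with the weak state beside the corrected one. The tunnel-group name RA-VPN is a placeholder; the timer values are assumptions chosen to be well below a one-hour firewall session timeout.

```cisco
! --- Before: tunnel-group with no keepalive; an idle UDP session on an
! --- intermediate firewall can age out and the client reports error 412.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN ipsec-attributes
 pre-shared-key *****
! (no isakmp keepalive line here)

! --- After: dead-peer-detection keepalives from the ASA to the client.
! --- threshold = seconds of idle time before the ASA sends a keepalive,
! --- retry     = seconds between retries if the peer does not answer.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 20 retry 3

! --- NAT-T (IPSec over UDP/4500) keepalives are global, not per tunnel-group.
! --- The argument is the keepalive interval in seconds; 20 is the ASA default.
crypto isakmp nat-traversal 20

! --- Verify the values took effect:
! show running-config tunnel-group RA-VPN
! show running-config crypto isakmp
```

Both keepalive types have to be permitted through the office firewall in the direction ASA to client, as Gilbert notes; if that firewall drops them, the settings above cannot keep the session alive.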

gandhi.ganesh Wed, 07/23/2008 - 00:10

Hi,

I am connecting to the same tunnel group from my home and my office.

I am attaching the VPN client log file and the error message which we got from the office and from home; hope this will give some more info.

Attachment: 
