CVPN 3005 & 3020 : Remote Access Clients frozen during 60 seconds

Unanswered Question
Aug 13th, 2008

Good morning,

I'm encoutering an interesting issue on two different CVPN boxes (Cisco VPN 3005 and 3020).

The thing is, when remote clients connect to the VPN gateway using their Cisco VPN client, then cannot reach any of my LAN hosts for about 60 seconds despite log-in procedure has ran fine.

Then, after about 60 seconds (sometimes less), connectivity to my network works well.

While they continuously ping one of my hosts, on the CVPN WebUI, session statistics show 0 in/out encrypted packets.

TCPDump at the back of the CVPN box shows no packets sent to my network (not even arp or whatever).

Is there any option I missed on my configuration to disable this annoying freeze time?

Thanks for helping if any of you has ever solved this.

Best regards,


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 1 (1 ratings)
Farrukh Haroon Wed, 08/13/2008 - 06:40

I'm not aware of any such setting to sort of put a delay() function on the clients :)

Try to put the desired Phase 1 profile on the top of the VPNC IKE proposals (Global). Phase 1 Parameters are always negotiated from the global proposals (Regardless of what you put in the Group >>> Ipsec Tab



gaetan.allart Wed, 08/13/2008 - 06:55

Even if connection to the VPN gateway is established almost immediatly, do you really think phase 1 tuning might have an impact on this "delay"?

Because, during these 30~60 seconds, VPN Client is connected and IP address is given to the remote host.

Farrukh Haroon Wed, 08/13/2008 - 10:44

NO Phase 1 is much before the IP assignment phase (which is part of mode config), but sometimes it takes a little time for the VPN statistics page to update. Does this happen on all clients?



gaetan.allart Wed, 08/13/2008 - 12:30

No chance.

Tested from two different ISP and got the issue on two different boxes (3305 & 3320).

Tried to reload the CVPN and upgrade to latest version without any result.

Farrukh Haroon Wed, 08/13/2008 - 18:46

Ok thanks for the update.

Are you using split tunneling or local Lan access feature?



gaetan.allart Wed, 08/13/2008 - 21:57

No split-tunneling. Everything's routed through the IPSec tunnel.




This Discussion