10-16-2008 08:03 AM
Hi,
All of a sudden, my users are complaining of their VPN connection dropping out after 10-15 mins of no use.
I have tested and sure enough it drops off.
However, if I ping an inside IP address (-t), it stays connected just fine.
I am using default settings with no special timeouts/keepalive settings.
Uhmmm
I'm stumped,
Any help appreciated.
thanks
Matt
10-17-2008 04:47 AM
Hi,
Provide the firewall configuration, which can help us to understand what has been configured.
Also let us know whether the issue started from the day users started to use VPN or it was suddenly (after any configuration change at your end).
Have a nice day.
10-19-2008 10:46 PM
Have a look at this:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#idle
Also enable keepalives in case they are turned off, e.g.:
crypto isakmp keepalive 20
Regards
Farrukh
10-22-2008 10:46 AM
Hi,
Thanks for the response, the more I look into this the crazier the problem.
I don't think it's anything to do with idle/session time out because I have set that to over a couple of hours. It's very weird, it only happens on 3 users, the rest (7 users) are okay.
Config
--------------------------------------
group-policy DfltGrpPolicy attributes
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 15
vpn-idle-timeout 120
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy clientgroup attributes
vpn-idle-timeout 240
-------------------------------
Here's some debug from the PIX and from the client:
PIX# VPN-SESSION_DB in SESS_Mgmt_DeleteEntryInt: Account stop failure
PIX# VPN-SESSION_DB in SESS_Mgmt_AddEntry: Account start failure
------------------------------
client debug:
29 11:06:26.428 10/22/08 Sev=Warning/2 CVPND/0xA3400018
Output size mismatch. Actual: 4, Expected: 225. (DRVIFACE:1868)
30 11:06:26.428 10/22/08 Sev=Warning/3 IKE/0xE3000066
Could not find an IKE SA for ***.***.170.73. KEY_REQ aborted.
31 11:06:26.428 10/22/08 Sev=Warning/2 IKE/0xE300009B
Failed to initiate P2 rekey: Error dectected (Initiate:176)
32 11:06:26.428 10/22/08 Sev=Warning/2 IKE/0xE300009B
Unable to initiate QM (IKE_MAIN:458)
33 11:06:26.805 10/22/08 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=10.10.10.193, error 0
34 11:06:27.809 10/22/08 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
35 11:07:08.625 10/22/08 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 5010
Destination 0.0.0.0
Netmask 0.0.0.0
Gateway 10.10.10.129
Interface 10.10.10.193
36 11:07:08.625 10/22/08 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: 0, Netmask: 0, Interface: a0a32c1, Gateway: a0a3281.
10-22-2008 11:11 AM
Is there a common OS like XP or 2k common on these clients?
I think there are some bugs in both OS pertaining to routes not being added to the routing table. It would be nice to try another VPN client version. Try toggling the 'deterministic network enhancer' ON/OFF. It's under the NIC protocols.
Regards
Farrukh
10-24-2008 01:54 AM
Hi,
Nope, some use XP and some use Vista.
I have had them upgrade to the latest Cisco VPN Client. (and toggle the Network Enhancer too)
NO difference.
VPN Drops after 5 Mins. (unless ping -T)
This is too crazy.
Pls help
Matt
10-24-2008 09:41 PM
Try enabling NAT-traversal on both the VPN client and the firewall
crypto isakmp nat-traversal ..
And 'check' the UDP encapsulation option (including NAT-T) on the client.
Regards
Farrukh