Tough VPN Question

Nov 14th, 2008

Hi, I have a Cisco ASA 5505. I have several hardware VPNs connected to it. These stay up (most of the time). However, I have a couple of users who connect using the software client. They are actually on another network so they use a split network. My network takes their 10.1.1.0 traffic. I named their tunnel "companion". For these users, about once a day, or maybe every 6 hours, they lose their connection to the ASA. The lock icon still says it's connected, but they can't reach our servers. They can fix it by simply disconnecting and reconnecting the lock. I have no idea what causes this problem, but I am no Cisco expert. I attached my config. If anyone sees something I am doing grievously wrong for the Companion group or anywhere else, please tell me. It would be much appreciated. Tell me if I can provide any further information. I also pinged their internet connection and that's not it. Their internet connection stays up, but I lose the ping to their computers when this happens.

Giuseppe Larosa Sat, 11/15/2008 - 04:33

Hello Chris,

From your configuration I see the following:

policy DfltGrpPolicy

contains the following commands:

vpn-idle-timeout none

vpn-session-timeout none

Instead, in the policy companion the two commands are missing.

In the timeouts section we see:

timeout uauth 0:05:00 absolute

but you say that users are able to work for more time and the IPsec tunnel is torn down once a day or every 6 hours.

I would try to add the aforementioned commands under policy companion.

Another thought:

The IPsec connection can be closed by both sides, so also have a look at the VPN SW on the PCs.

Hope to help

Giuseppe

itccv0822 Wed, 11/19/2008 - 10:18

Hi,

Thanks for the advice on this. I am actually a bit more confused now. Over the weekend, I was able to run the connection from my home to my office for 3 days straight. I am starting to suspect the client side network. I will implement what you have listed here and also run some tests on site over there. I will post what happens.

qbakies11 Wed, 11/19/2008 - 13:23

I had to upgrade my user's VPN client to v5.0.03 when I moved VPN from my old 3005 to the new ASA. That fixed their issues with dropping connections.
