Tough VPN Question

Nov 14th, 2008

Hi, I have a Cisco ASA 5505. I have several hardware VPNs connected to it. These stay up (most of the time). However, I have a couple of users who connect using the software client. They are actually on another network so they use a split network. My network takes their traffic. I named their tunnel "companion". For these users, about once a day, or maybe every 6 hours, they lose their connection to the ASA. The lock icon still says it's connected, but they can't reach our servers. They can fix it by simply disconnecting and reconnecting the lock. I have no idea what causes this problem, but I am no Cisco expert. I attached my config. If anyone sees something I am doing grievously wrong for the Companion group or anywhere else, please tell me. It would be much appreciated. Tell me if I can provide any further information. I also pinged their internet connection and that's not it. Their internet connection stays up, but I lose the ping to their computers when this happens.

Giuseppe Larosa Sat, 11/15/2008 - 04:33

Hello Chris,

From your configuration I see the following:

policy DfltGrpPolicy

contains the following commands:

vpn-idle-timeout none

vpn-session-timeout none

Instead, in the policy companion the two commands are missing.

In the timeouts section we see:

timeout uauth 0:05:00 absolute

but you say that users are able to work for more time and the IPsec tunnel is torn down once a day or every 6 hours.

I would try to add the aforementioned commands under policy companion.

Another thought:

The IPsec connection can be closed by both sides, so also have a look at the VPN SW on the PCs.

Hope to help


itccv0822 Wed, 11/19/2008 - 10:18
Thanks for the advice on this. I am actually a bit more confused now. Over the weekend, I was able to run the connection from my home to my office for 3 days straight. I am starting to suspect the client side network. I will implement what you have listed here and also run some tests on site over there. I will post what happens.

qbakies11 Wed, 11/19/2008 - 13:23

I had to upgrade my user's VPN client to v5.0.03 when I moved VPN from my old 3005 to the new ASA. That fixed their issues with dropping connections.

