Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
339
Views
0
Helpful
3
Replies

Tough VPN Question

itccv0822
Level 1
Level 1

‎11-14-2008 05:16 PM - edited ‎03-04-2019 12:20 AM

Hi, I have a Cisco ASA 5505. I have several hardware VPNs connected to it. These stay up (most of the time). However, I have a couple of users who connect using the software client. They are actually on another network so they use a split network. My network takes their 10.1.1.0 traffic. I named their tunnel "companion". For these users, about once a day, or maybe every 6 hours, they lose their connection to the ASA. The lock icon still says it's connected, but they can't reach our servers. They can fix it by simply disconnecting and reconnecting the lock. I have no idea what causes this problem, but I am no Cisco expert. I attached my config. If anyone sees something I am doing grievously wrong for the Companion group or anywhere else, please tell me. It would be much appreciated. Tell me if I can provide any further information. I also pinged their internet connection and that's not it. Their internet connection stays up, but I lose the ping to their computers when this happens.

Labels:
Preview file
11 KB
0 Helpful
3 Replies 3

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎11-15-2008 04:33 AM

Hello Chris,

from your configuration I see the following:

policy DfltGrpPolicy

contains the following commands:

vpn-idle-timeout none

vpn-session-timeout none

instead in the policy companion the two commands are missing.

in the section of timeouts we see:

timeout uauth 0:05:00 absolute

but you say that users are able to work for more time and the ipsec tunnel is teared down one a day or every 6 hours.

I would try to add the aforementioned commands under policy companion.

Another thought:

the ipsec connection can be closed by both sides so also have a look at vpn SW on PCs.

Hope to help

Giuseppe

0 Helpful

itccv0822
Level 1
Level 1
In response to Giuseppe Larosa

‎11-19-2008 10:18 AM

Hi,

Thanks for the advice on this. I am actually a bit more confused now. Over the weekend, I was able to run the connection from my home to my office for 3 days straight. I am starting to suspect the client side network. I will implement what you have listed here and also run some tests on site over there. I will post what happens.

0 Helpful

qbakies11
Level 1
Level 1

‎11-19-2008 01:23 PM

I had to upgrade my user's VPN client to v5.0.03 when I moved VPN from my old 3005 to the new ASA. That fixed their issues with dropping connections.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card