ASA 5520 - iPhones are disconnected after a certain time

Unanswered Question
Nov 25th, 2008

Hi,


A few people at our university connect with their iPhones (protocol IPsec) to our ASA (version 8.0(4)). The VPN connection starts correctly and they can use their iPhones without problems. But after about 57 min and 33 s, all iPhones are disconnected from the ASA (IKE error?):


Group = yyyy, Username = xxxx, IP = 134.21.xx.xx, QM FSM error (P2 struct &0xce84ccf0, mess id 0xe2ee3d2d)!

Group = yyyy, Username = xxxx, IP = 134.21.xx.xx, Removing peer from peer table failed, no match!

Group = yyyy, Username = xxxx, IP = 134.21.xx.xx, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Group = yyyy, Username = xxxx, IP = 134.21.xx.xx, Session disconnected. Session Type: IPsec, Duration: 0h:57m:33s, Bytes xmt: 55592, Bytes rcv: 32342, Reason: Phase 2 Error


Does anyone know this problem?

Thank you for your help


Sam


mvsheik123 Wed, 11/26/2008 - 08:33

Hi,


Try to remove the 'inspect h323' / 'inspect sip' based on the application the IP phones use. It might help.


Thank you

MS

s.fasel Thu, 11/27/2008 - 04:21

Hi,


Thank you for the answer, but I removed the inspect h323/sip and the problem is still the same.


Another idea?

Thank you

mvsheik123 Thu, 11/27/2008 - 06:09

Hi,


It might have something to do with the VPN idle time, like 1 hr. You might have checked it, but I just wanted to make sure. Do VPN users who log in using a laptop rather than an iPhone show the same behaviour?


MS

s.fasel Thu, 11/27/2008 - 06:57

Hi,


My idle timeout is 60 min and the maximum connect time is unlimited. Only iPhones are disconnected after 57 min 33 s, but all iPhones. We have other clients (Windows XP/Vista/Mac OS X/Linux) and they have no problem.

I have attached the details about the iPhone connection, 20 seconds before its disconnection.


Thank you



mvsheik123 Thu, 11/27/2008 - 14:01

Hi,


Assuming NAC is doing nothing here, I would test this with a different encryption policy than AES for IPsec.


MS
