asa 5520 - iphones are disconnected after a certain time

Unanswered Question
Nov 25th, 2008

Hi,

few people of our university connect with their iPhone (protocol IPSec) to our asa (version 8.0(4)). The VPN connection starts correctly and they can use their iphone without problem. But after about 57min and 33s, all iPhones are disconnected from the ASA (IKE error ?):

Group = yyyy, Username = xxxx, IP = 134.21.xx.xx, QM FSM error (P2 struct &0xce84ccf0, mess id 0xe2ee3d2d)!

Group = yyyy, Username = xxxx, IP = 134.21.xx.xx, Removing peer from peer table failed, no match!up = yyyy, Username = xxxx, IP = 134.21.xx.xx, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Group = yyyy, Username = xxxx, IP = 134.21.xx.xx, Session disconnected. Session Type: IPsec, Duration: 0h:57m:33s, Bytes xmt: 55592, Bytes rcv: 32342, Reason: Phase 2 Error

someone knows this problem?

Thank you for your help

Sam

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
mvsheik123 Wed, 11/26/2008 - 08:33

Hi,

Try to remove the 'inspect h323 / inspect sip based on the application the IP phones use. It might help.

Thank you

MS

s.fasel Thu, 11/27/2008 - 04:21

Hi,

thank you for the answer, but I removed the inspect h323/sip and the problem is always the same.

An another idea?

thank you

mvsheik123 Thu, 11/27/2008 - 06:09

Hi,

It might be something to do with VPN idle time like 1Hr. you might have checked it but just wanted to make sure. VPN users log in using laptop than IPhone shows the same behaviour?

MS

s.fasel Thu, 11/27/2008 - 06:57

Hi,

my idle timeout is 60min and the maximum connect time is unlimited. Only iPhones are disconnect after 57min 33s, but all iphones. We have another clients(WindowsXP/Vista/MacOSX/Linux) and they are no problem.

I have put in attachement the details about iPhone connection, 20 seconds before its disconnection.

Thank you

Attachment: 
mvsheik123 Thu, 11/27/2008 - 14:01

Hi,

Assuing NAC is doing nothing here, I would test this with different encryption policy than AES for IPsec.

MS

Actions

This Discussion