asa 5520 - iphones are disconnected after a certain time

s.fasel · ‎11-25-2008

Hi,

few people of our university connect with their iPhone (protocol IPSec) to our asa (version 8.0(4)). The VPN connection starts correctly and they can use their iphone without problem. But after about 57min and 33s, all iPhones are disconnected from the ASA (IKE error ?):

Group = yyyy, Username = xxxx, IP = 134.21.xx.xx, QM FSM error (P2 struct &0xce84ccf0, mess id 0xe2ee3d2d)!

Group = yyyy, Username = xxxx, IP = 134.21.xx.xx, Removing peer from peer table failed, no match!up = yyyy, Username = xxxx, IP = 134.21.xx.xx, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Group = yyyy, Username = xxxx, IP = 134.21.xx.xx, Session disconnected. Session Type: IPsec, Duration: 0h:57m:33s, Bytes xmt: 55592, Bytes rcv: 32342, Reason: Phase 2 Error

someone knows this problem?

Thank you for your help

Sam

mvsheik123 · ‎11-26-2008

Hi,

Try to remove the 'inspect h323 / inspect sip based on the application the IP phones use. It might help.

Thank you

MS

s.fasel · ‎11-27-2008

Hi,

thank you for the answer, but I removed the inspect h323/sip and the problem is always the same.

An another idea?

thank you

mvsheik123 · ‎11-27-2008

Hi,

It might be something to do with VPN idle time like 1Hr. you might have checked it but just wanted to make sure. VPN users log in using laptop than IPhone shows the same behaviour?

MS

s.fasel · ‎11-27-2008

Hi,

my idle timeout is 60min and the maximum connect time is unlimited. Only iPhones are disconnect after 57min 33s, but all iphones. We have another clients(WindowsXP/Vista/MacOSX/Linux) and they are no problem.

I have put in attachement the details about iPhone connection, 20 seconds before its disconnection.

Thank you

mvsheik123 · ‎11-27-2008

Hi,

Assuing NAC is doing nothing here, I would test this with different encryption policy than AES for IPsec.

MS