L2TP VPN ASA5520 Frequent Disconnects

Unanswered Question
Feb 4th, 2009

I am using Microsoft Client with L2TP, Pre-Shared Secrets, on XP and Vista, to connect to an ASA5520. Remote users can connect without any problems but experience random yet frequent disconnects.

ASA log only shows session terminated by end user.

TAC has reviewed the config and all seems correct. Has anyone seen this behavior?

mchin345 Tue, 02/10/2009 - 15:31

It sounds like the PCs they are testing from are misconfigured. Both the L2TP over IPsec and Cisco client connections use UDP/500 for the first packet. If the Cisco client is not working, then UDP/500 is being blocked somewhere in the path. This means either the L2TP client is not configured correctly, or, if it is configured correctly, it is sending a UDP/500 packet and we should be seeing it on the ASA. So please make sure your client is configured correctly. If you are still getting the problem, reset the ASA to factory default, rebuild the configuration, and try it.

t.radan Wed, 02/11/2009 - 06:19

Please note that the remote clients are able to connect. I see their sessions clearly on the ASA. That is not the problem. The problem is that they can stay connected for hours, but then randomly disconnect. The disconnect happens with many different remote users, running either XP or Vista.

FSieber1070 Wed, 04/01/2009 - 22:44


we have the same issue. The of our examination was, that it was that the rekeying of IPSEC/ISAKMP occurs at the same time. Because if you have configured the both timers on a mutiple. If you configure the timers as following our test Clients work for days w/o interuption:

crypto dynamic-map xxx xx set security-association lifetime seconds 28801

crypto isakmp policy xx
 lifetime 86400
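As an added illustration of the timer interaction described in this post (not code from the thread or from Cisco), the Python below parses the two lifetime lines, treats each lifetime as a fixed rekey period measured from tunnel setup, and reports the moments within a horizon at which the IPsec SA and the ISAKMP SA would expire in the same second. The config text is the fragment from the post; the 28800-second variant is an assumed "before" value used only for comparison. Whether simultaneous rekeys are really what drops the session is the poster's diagnosis, not something this script verifies.

```python
import math
import re

# Constructed sample: the fragment posted above (28801 s IPsec SA, 86400 s ISAKMP).
FIXED_CONFIG = """
crypto dynamic-map xxx xx set security-association lifetime seconds 28801
crypto isakmp policy xx
 lifetime 86400
"""

# Constructed "before" sample: assumed original value of 28800 s, exactly 1/3 of 86400.
ORIGINAL_CONFIG = """
crypto dynamic-map xxx xx set security-association lifetime seconds 28800
crypto isakmp policy xx
 lifetime 86400
"""

# The IPsec (phase 2) lifetime sits on the dynamic-map line; the ISAKMP (phase 1)
# lifetime is an indented "lifetime N" under the isakmp policy.
IPSEC_RE = re.compile(r"security-association lifetime seconds (\d+)")
ISAKMP_RE = re.compile(r"^\s*lifetime (\d+)", re.MULTILINE)


def parse_lifetimes(config: str):
    """Return (ipsec_seconds, isakmp_seconds) found in the config fragment."""
    ipsec = IPSEC_RE.search(config)
    isakmp = ISAKMP_RE.search(config)
    if not ipsec or not isakmp:
        raise ValueError("both the IPsec and ISAKMP lifetimes must be present")
    return int(ipsec.group(1)), int(isakmp.group(1))


def first_coincidence(ipsec_s: int, isakmp_s: int) -> int:
    """Seconds after setup at which both SAs expire in the same second.

    With fixed periods this is the least common multiple of the two lifetimes;
    if one lifetime divides the other, it is simply the larger one.
    """
    return ipsec_s * isakmp_s // math.gcd(ipsec_s, isakmp_s)


def coincidences_within(ipsec_s: int, isakmp_s: int, horizon_s: int):
    """All simultaneous-expiry instants up to and including horizon_s."""
    period = first_coincidence(ipsec_s, isakmp_s)
    return list(range(period, horizon_s + 1, period))


def check(config: str, horizon_s: int = 7 * 86400):
    """Parse a fragment and report simultaneous rekeys within a one-week horizon."""
    ipsec_s, isakmp_s = parse_lifetimes(config)
    return {
        "ipsec": ipsec_s,
        "isakmp": isakmp_s,
        "coincidences": coincidences_within(ipsec_s, isakmp_s, horizon_s),
    }


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        result = check(cfg)
        hours = [t / 3600 for t in result["coincidences"]]
        print(f"{label}: ipsec={result['ipsec']}s isakmp={result['isakmp']}s "
              f"simultaneous rekeys at hours {hours}")
```

With 28800/86400 the two SAs expire together once a day; with 28801/86400 the lifetimes are coprime, so the first shared second is over 79 years out. The script only models the configured values; as the later reply notes, the ASA may negotiate a different lifetime with the client than the one configured.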

wstuart Mon, 04/13/2009 - 15:13

Sorry, missed your reply...

Except for one thing: on ASA 8.0, you cannot remove the KB timeout, and the time timeout does not follow the setting.

wstuart Mon, 04/13/2009 - 15:10

Yes, and I think I have traced it down, but don't have a solution...

Whatever I set for:

security-association lifetime seconds

security-association lifetime kilobytes

The ASA negotiates to:

3600 Seconds (one hour)

250000 Kbytes

and the windows box has:

28800 Seconds (eight hours)

0 Kbytes (I assume infinite)

When the cisco box times out, it drops the connection and does not rekey.

I have not found any solution for this.
