VPN Client Side disconnection problem

Unanswered Question

I've been having this problem for months and it's driving my users nuts.

When a user connects using the VPN client, connection times out on the client side after only a few minutes.

If I use ssh to connect to the box and run anything that generates traffic, the connection stays up.

My configuration:

Pix 515E version 7.2(2)

VPN Client version

timeout values are set to 1hr

Transport is IPSEC over UDP NAT/PAT

Peer response timeout is 480 seconds

Local Linksys router has

IPSec, PPTP, L2TP pass through enabled

Windows firewall has exception for VPN client


I think you are unable to initiate the VPN tunnel from the ASA/PIX interface, and after the tunnel establishment, the remote end/VPN Client is unable to ping the inside interface of the ASA/PIX over the VPN tunnel. For example, the VPN client can be unable to initiate an SSH or HTTP connection to the ASA's inside interface over the VPN tunnel.


The inside interface of the PIX cannot be pinged from the other end of the tunnel unless the management-access command is configured in the global configuration mode.

Todd Pula Mon, 04/27/2009 - 06:46

You will want to enable logging on the IPSec VPN client to see why the session is being disconnected. You will also want to debug ISAKMP and IPSec on the ASA. I run into this problem frequently with customers where DPD is enabled but the local firewall policy on the client is dropping the packets.

craig.eyre Tue, 05/05/2009 - 09:58

I was just wondering if you got this resolved? I may be able to help you, let me know.


craig.eyre Tue, 05/05/2009 - 10:19

Hi Brian,

Can you confirm that the client is actually connecting via IPSEC/NAT-T or if it's just negotiating a straight IPSEC connection?

On the vpn client turn on all the logging at the HIGH level and then fire up a vpn connection. You'll see in the connection logs whether your client negotiates IPSEC/NAT-T or just IPSEC by the line "Automatic NAT detection status" in the client logs.

If the client negotiates IPSEC only, try this little test. Run the client, then fire up a ping to some server within the tunnel for about 5 mins. Kill the ping and see if the keepalives start coming back in the client side log. I'd assume that the keepalives will not come back and your client will start sending a lot of keepalives but nothing coming back from the VPN endpoint.

Let me know.
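
An added example, not from this thread and not Cisco's code: a small Python script that applies the two checks the replies above describe to a client log, Craig's "Automatic NAT Detection Status" check and Todd's symptom of DPD keepalives going out with nothing coming back. The log lines are constructed for the example; only the NAT detection phrase comes from the thread, and the DPD request/ack wording, the timestamp format and the peer address 203.0.113.10 are assumptions you would adjust to match your own client's log output.

```python
"""Triage a Cisco VPN Client log for NAT-T status and unanswered keepalives.

Example code added to the discussion; not from the thread or from Cisco.
Log format, DPD wording and the peer address below are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumed line layout: "HH:MM:SS.mmm <message>"
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<msg>.*)$")
# The "Automatic NAT Detection Status" phrase is the one named in the thread.
NAT_RE = re.compile(r"Automatic NAT Detection Status:\s*(?P<status>.*)$")
# Assumed wording for the DPD keepalive request / acknowledgement lines.
DPD_SEND_RE = re.compile(r"Sending DPD request", re.IGNORECASE)
DPD_ACK_RE = re.compile(r"Received DPD ack", re.IGNORECASE)


@dataclass
class Triage:
    nat_status: Optional[str] = None   # raw status text, if seen
    nat_t: Optional[bool] = None       # True when either end reports being behind NAT
    dpd_sent: int = 0
    dpd_acked: int = 0
    unanswered_tail: int = 0           # consecutive requests since the last ack
    last_ack: Optional[datetime] = None
    last_send: Optional[datetime] = None


def _nat_t_from_status(status: str) -> bool:
    # "is NOT behind a NAT device" for both ends means plain IPsec; any end
    # reporting "is behind a NAT device" (without NOT) means NAT-T was chosen.
    text = status.lower()
    behind = text.count("behind a nat device")
    not_behind = text.count("not behind a nat device")
    return behind > not_behind


def triage(log_text: str) -> Triage:
    """Walk the log once and collect NAT-T status and DPD request/ack counts."""
    t = Triage()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        msg = m["msg"]
        n = NAT_RE.search(msg)
        if n:
            t.nat_status = n["status"].strip()
            t.nat_t = _nat_t_from_status(t.nat_status)
        elif DPD_SEND_RE.search(msg):
            t.dpd_sent += 1
            t.unanswered_tail += 1
            t.last_send = ts
        elif DPD_ACK_RE.search(msg):
            t.dpd_acked += 1
            t.unanswered_tail = 0
            t.last_ack = ts
    return t


def verdict(t: Triage, tail_threshold: int = 3) -> str:
    """Summarise what the counters say, in the terms the thread uses."""
    parts = []
    if t.nat_t is None:
        parts.append("NAT detection line not found (raise client log level)")
    else:
        parts.append("NAT-T negotiated" if t.nat_t else "plain IPsec, no NAT-T")
    if t.dpd_sent and t.unanswered_tail >= tail_threshold:
        gap = (t.last_send - t.last_ack).total_seconds() if t.last_ack else None
        parts.append(f"keepalives unanswered: last {t.unanswered_tail} DPD requests "
                     f"got no ack" + (f" ({gap:.0f}s since last ack)" if gap is not None else "")
                     + "; check local firewall / NAT device for dropped UDP")
    elif t.dpd_sent:
        parts.append(f"DPD healthy: {t.dpd_acked}/{t.dpd_sent} requests acknowledged")
    return "; ".join(parts)


# Constructed sample log: three answered keepalives, then five unanswered ones
# before the client gives up. Peer 203.0.113.10 is a documentation address.
SAMPLE_LOG = """\
09:15:01.120 Automatic NAT Detection Status: Remote end is NOT behind a NAT device  This end is NOT behind a NAT device
09:15:02.004 Tunnel established
09:20:12.300 Sending DPD request to 203.0.113.10, seq# = 1
09:20:12.410 Received DPD ack from 203.0.113.10, seq# = 1
09:20:22.300 Sending DPD request to 203.0.113.10, seq# = 2
09:20:22.402 Received DPD ack from 203.0.113.10, seq# = 2
09:20:32.300 Sending DPD request to 203.0.113.10, seq# = 3
09:20:32.399 Received DPD ack from 203.0.113.10, seq# = 3
09:20:42.300 Sending DPD request to 203.0.113.10, seq# = 4
09:20:47.300 Sending DPD request to 203.0.113.10, seq# = 5
09:20:52.300 Sending DPD request to 203.0.113.10, seq# = 6
09:20:57.300 Sending DPD request to 203.0.113.10, seq# = 7
09:21:02.300 Sending DPD request to 203.0.113.10, seq# = 8
09:21:07.500 Disconnected: peer not responding
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(verdict(result))
```

Run it against a real client log captured at the HIGH log level (paste the log into `SAMPLE_LOG` or read it from a file); a long run of DPD requests with no acks right after traffic stops is the pattern both replies point at, and it tells you to look at the client-side firewall and the NAT device rather than at the PIX timeout values.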
