04-20-2009 08:57 AM - edited 02-21-2020 03:24 AM
I've been having this problem for months and it's driving my users nuts.
When a user connects using the VPN client, the connection times out on the client side after only a few minutes.
If I use ssh to connect to the box and run anything that generates traffic, the connection stays up.
My configuration:
Pix 515E version 7.2(2)
VPN Client version 4.8.02.0010
timeout values are set to 1hr
Transport is IPSEC over UDP NAT/PAT
Peer response timeout is 480 seconds
Local Linksys router has
IPSec, PPTP, L2TP pass through enabled
Windows firewall has exception for VPN client
PLEASE HELP!
Thanks,
BY
04-25-2009 08:32 AM
I think you are unable to initiate the VPN tunnel from the ASA/PIX interface, and after the tunnel establishment, the remote end/VPN Client is unable to ping the inside interface of the ASA/PIX over the VPN tunnel. For example, the VPN client can be unable to initiate an SSH or HTTP connection to the ASA's inside interface over the VPN tunnel.
Solution:
The inside interface of the PIX cannot be pinged from the other end of the tunnel unless the management-access command is configured in the global configuration mode.
12-22-2009 04:04 PM
What do I need to do on the client side firewall to enable DPD Requests?
04-27-2009 06:46 AM
You will want to enable logging on the IPSec VPN client to see why the session is being disconnected. You will also want to debug ISAKMP and IPSec on the ASA. I run into this problem frequently with customers where DPD is enabled but the local firewall policy on the client is dropping the packets.
05-05-2009 09:58 AM
I was just wondering if you got this resolved? I may be able to help you, let me know.
Craig
05-05-2009 10:03 AM
Craig,
No, I have not resolved this problem yet. I log into an ssh session on the server and run TOP to keep the activity going, which keeps the connection up. When I disconnect the ssh session the connection dies within a few minutes.
Any ideas?
05-05-2009 10:19 AM
Hi Brian,
Can you confirm that the client is actually connecting via IPSEC/NAT-T or if it's just negotiating a straight IPSEC connection?
On the VPN client turn on all the logging at the HIGH level and then fire up a VPN connection. You'll see in the connection logs whether your client negotiates IPSEC/NAT-T or just IPSEC by the line "Automatic NAT detection status" in the client logs.
If the client negotiates IPSEC only, try this little test. Run the client, then fire up a ping to some server within the tunnel for about 5 mins. Kill the ping and see if the keepalives start coming back in the client side log. I'd assume that the keepalives will not come back and your client will start sending a lot of keepalives but nothing will come back from the VPN endpoint.
Let me know.
Craig
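As an added example (not from the thread or from Cisco), a small Python triage script for the two checks Craig describes: whether the client log's "Automatic NAT detection status" line shows NAT-T in use, and at what point DPD keepalive requests stop being answered once the ping traffic is gone. The log format and the keepalive wording are assumed; the sample lines are constructed.

```python
import re
from datetime import datetime

# Constructed sample log (not real Cisco VPN client output). Only the phrase
# "Automatic NAT detection status" comes from the thread; the rest is assumed.
SAMPLE_LOG = """\
10:00:01 IKE Automatic NAT detection status: Remote end is NOT behind a NAT device, this end is NOT behind a NAT device
10:00:05 IKE Sending keepalive request
10:00:05 IKE Received keepalive response
10:00:25 IKE Sending keepalive request
10:00:25 IKE Received keepalive response
10:05:10 IKE Sending keepalive request
10:05:30 IKE Sending keepalive request
10:05:50 IKE Sending keepalive request
10:06:10 IKE Sending keepalive request
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+\S+\s+(.*)$")

def parse_log(text):
    """Return (time, message) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%H:%M:%S").time(), m.group(2)))
    return events

def nat_t_negotiated(events):
    """True if the NAT detection line says either end is behind NAT (NAT-T in
    use), False if neither end is, None if the line is missing."""
    for _, msg in events:
        if "automatic nat detection status" in msg.lower():
            # each match's group is "" for "behind a NAT device", "NOT " otherwise
            return any(prefix == "" for prefix in re.findall(r"(?i)(NOT\s+)?behind a NAT device", msg))
    return None

def first_keepalive_failure(events, max_unanswered=3):
    """Time of the request at which `max_unanswered` keepalives in a row have
    gone unanswered (the tunnel is about to be declared dead), else None."""
    unanswered = 0
    for when, msg in events:
        low = msg.lower()
        if "keepalive request" in low:
            unanswered += 1
            if unanswered >= max_unanswered:
                return when
        elif "keepalive response" in low:
            unanswered = 0
    return None
```

On the sample, the client negotiated plain IPsec and the third unanswered keepalive lands at 10:05:50, shortly after the ping stopped, which is the pattern Craig expects.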