Easy VPN - VPN does not restart after Link reset

May 4th, 2009

Hello,

We have an ASA 5505 configured as an Easy VPN client (System image: asa804-k8.bin).

This ASA is connected to the LAN interface of the provider router.

The provider resets the WAN link of his router each evening.

When he does so, the ASA is then not able to restart the VPN; the only way is to restart the ASA.

Do you know how the ASA should react when such a link failure occurs and how long it should need to rebuild a VPN tunnel?

Many thanks

Gael

PS: Config of the ASA (X -> info not sharable)

ASA Version 8.0(4)
!
hostname X
domain-name ADSL.com
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address X
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name ADSL.com
access-list tcp-traffic extended permit tcp any any
!
tcp-map allow-probes
 tcp-options range 76 76 allow
!
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd dns
dhcpd ping_timeout 750
dhcpd domain uefa.local
dhcpd auto_config outside
dhcpd option 43 X
!
dhcpd address X inside
dhcpd enable inside
!
vpnclient server
vpnclient mode network-extension-mode
vpnclient vpngroup X password ********
vpnclient username X password ********
vpnclient management clear
vpnclient enable
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server X source inside
ntp server X source inside prefer
username uefadmin password wBs1nbry3UsRSfV3 encrypted
!
class-map tcp-traffic
 match access-list tcp-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class tcp-traffic
  set connection advanced-options allow-probes
!
service-policy global_policy global
prompt hostname context
Cryptochecksum

mvsheik123 Mon, 05/04/2009 - 05:25

Hi,

Try adding 'vpnclient nem-st-autoconnect' to 'vpnclient' config.

hth

MS
