IPSec VPN client

harthartster09 · ‎11-09-2009

Hi,

Head end - ASA 5510 8.0(4)28

I am using IPSec VPN client v. 5.0.06.0110. The issue I am having is that clients would lose their VPN connection, because of some wireless issues at their home. They have laptops and use wireless to connect to VPN. Wireless is not always stable and this causes to lose VPN connectivity.

I tried to increase keepalives timers for the tunnel, hoping this would make tunnel to be more tolerant for client unavailability but with no luck. By looking at the ASA logs, I can see that ASA sends the keepalives every 10 seconds with 2 seconds retry, even if I set isakmp keepalive threshold 60 retry 10.

The current configuration of the tunnel:

tunnel-group MYGROUP type remote-access

tunnel-group MYGROUP general-attributes

address-pool MYPOOL

authentication-server-group MYAUTH

default-group-policy MYPOLICY

tunnel-group MYGROUP ipsec-attributes

pre-shared-key *

isakmp keepalive threshold 60 retry 10

Anyone can help me with this?

hdashnau · ‎11-10-2009

The VPN connection will drop if the address assigned to the physical wireless adapter is changing. Set the VPN client logs to level 3-high all during the disconnect and then examine them to see if you see "adapter address changed" messages or something similar. If you do, you won't be able to control this problem on the headend with configuration changes -- you could suggest the user try with a static IP.

The keepalives you are seeing may be nat keepalives set with the "crypto isakmp nat-traversal" command.

-heather

harthartster09 · ‎11-10-2009

The IP address doesn't change. I checked and I even configured a static one.

The keepalives I saw are from "isakmp keepalive threshold 60 retry 10" but with the wrong timing (sending them every 10 seconds). If I do the "isakmp keepalive disable" then ASA doesn't do any keepalives.

btw, my "crypto isakmp nat-traversal" is 35