11-09-2009 11:01 PM - edited 02-21-2020 03:47 AM
Hi,
Head end - ASA 5510 8.0(4)28
I am using IPSec VPN client v. 5.0.06.0110. The issue I am having is that clients would lose their VPN connection, because of some wireless issues at their home. They have laptops and use wireless to connect to VPN. Wireless is not always stable and this causes to lose VPN connectivity.
I tried to increase keepalives timers for the tunnel, hoping this would make tunnel to be more tolerant for client unavailability but with no luck. By looking at the ASA logs, I can see that ASA sends the keepalives every 10 seconds with 2 seconds retry, even if I set isakmp keepalive threshold 60 retry 10.
The current configuration of the tunnel:
tunnel-group MYGROUP type remote-access
tunnel-group MYGROUP general-attributes
address-pool MYPOOL
authentication-server-group MYAUTH
default-group-policy MYPOLICY
tunnel-group MYGROUP ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 60 retry 10
Anyone can help me with this?
11-10-2009 08:54 AM
The VPN connection will drop if the address assigned to the physical wireless adapter is changing. Set the VPN client logs to level 3-high all during the disconnect and then examine them to see if you see "adapter address changed" messages or something similar. If you do, you won't be able to control this problem on the headend with configuration changes -- you could suggest the user try with a static IP.
The keepalives you are seeing may be nat keepalives set with the "crypto isakmp nat-traversal" command.
-heather
11-10-2009 01:31 PM
The IP address doesn't change. I checked and I even configured a static one.
The keepalives I saw are from "isakmp keepalive threshold 60 retry 10" but with the wrong timing (sending them every 10 seconds). If I do the "isakmp keepalive disable" then ASA doesn't do any keepalives.
btw, my "crypto isakmp nat-traversal" is 35
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: