ASA VPN with L2TP and Windows 7 disconnects after 6 Hours

Unanswered Question
Dec 10th, 2009

Hello,


I noticed a problem that occurs only with Windows Vista and Windows 7 (not important if 32bit / 64bit). The clients connect using L2TP to the ASA 5520 Version 8.05. The VPN tunnel comes up. So far no problem. After exactly 6 hours the session disconnects even if the user is working, whereas the Internet connection is definitely not the problem.

We could reproduce the effect with different Windows 7 computers.


At the ASA the connection timeout for VPN sessions is set to unlimited, the ipsec SA is set to 3600, Maximum connect time: unlimited, Idle timeout: unlimited.


Does anybody know about that problem? How can it be solved?


It looks like something with the rekeying is going wrong.


Nov 27 15:05:49 nderr231.de.festo.net Nov 27 2009 15:05:47 NDERR231 : %ASA-5-713120: Group = L2TPClient, Username = xxx, IP = 217.228.150.247, PHASE 2 COMPLETED (msgid=22d12f94)
Nov 27 15:56:47 nderr231.de.festo.net Nov 27 2009 15:56:47 NDERR231 : %ASA-5-713041: Group = L2TPClient, Username = xxx, IP = 217.228.150.247, IKE Initiator: Rekeying Phase 2, Intf outside, IKE Peer 217.228.150.247  local Proxy Address 141.130.50.231, remote Proxy Address 217.228.150.247,  Crypto map (outside_dyn_map0)
Nov 27 15:56:47 nderr231.de.festo.net Nov 27 2009 15:56:47 NDERR231 : %ASA-5-713049: Group = L2TPClient, Username = xxx, IP = 217.228.150.247, Security negotiation complete for User (xxx)  Responder, Inbound SPI = 0x4010dab1, Outbound SPI = 0x504cd333
Nov 27 15:56:47 nderr231.de.festo.net Nov 27 2009 15:56:47 NDERR231 : %ASA-5-713120: Group = L2TPClient, Username = xxx, IP = 217.228.150.247, PHASE 2 COMPLETED (msgid=84239f47)
Nov 27 15:59:47 nderr231.de.festo.net Nov 27 2009 15:59:47 NDERR231 : %ASA-5-713041: Username = xxx, IP = 217.228.150.247, IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer 217.228.150.247  local Proxy Address N/A, remote Proxy Address N/A,  Crypto map (N/A)
Nov 27 15:59:47 nderr231.de.festo.net Nov 27 2009 15:59:47 NDERR231 : %ASA-5-713119: Group = L2TPClient, Username = xxx, IP = 217.228.150.247, PHASE 1 COMPLETED
Nov 27 15:59:47 nderr231.de.festo.net Nov 27 2009 15:59:47 NDERR231 : %ASA-5-713041: Group = L2TPClient, Username = xxx, IP = 217.228.150.247, IKE Initiator: Rekeying Phase 2, Intf outside, IKE Peer 217.228.150.247  local Proxy Address 141.130.50.231, remote Proxy Address 217.228.150.247,  Crypto map (outside_dyn_map0)
Nov 27 15:59:48 nderr231.de.festo.net Nov 27 2009 15:59:48 NDERR231 : %ASA-5-713049: Group = L2TPClient, Username = xxx, IP = 217.228.150.247, Security negotiation complete for User (xxx)  Initiator, Inbound SPI = 0x726c5fd4, Outbound SPI = 0xd8a5e48a
Nov 27 15:59:48 nderr231.de.festo.net Nov 27 2009 15:59:48 NDERR231 : %ASA-5-713120: Group = L2TPClient, Username = xxx, IP = 217.228.150.247, PHASE 2 COMPLETED (msgid=cc008b97)
Nov 27 15:59:48 nderr231.de.festo.net Nov 27 2009 15:59:48 NDERR231 : %ASA-5-713050: Group = L2TPClient, Username = xxx, IP = 217.228.150.247, Connection terminated for peer xxx.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A
Nov 27 15:59:48 nderr231.de.festo.net Nov 27 2009 15:59:48 NDERR231 : %ASA-5-713259: Group = L2TPClient, Username = xxx, IP = 217.228.150.247, Session is being torn down. Reason: L2TP initiated
Nov 27 15:59:48 nderr231.de.festo.net Nov 27 2009 15:59:48 NDERR231 : %ASA-4-113019: Group = L2TPClient, Username = xxx, IP = 217.228.150.247, Session disconnected. Session Type: L2TPOverIPsecOverNatT, Duration: 6h:00m:01s, Bytes xmt: 3060852, Bytes rcv: 3231213, Reason: L2TP initiated




Thank you in advance for Help

Gerhard
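
An added example, not part of the original post: a small Python parser that correlates ASA `113019` session disconnects with `713041` rekey events for the same peer shortly before, which is the pattern visible in the log above. The sample lines are constructed (placeholder hostname, username and documentation IP), and the 5-second window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the ASA syslog format in the post;
# hostname, username and IP address are placeholders.
SAMPLE = """\
Nov 27 2009 15:56:47 ASA1 : %ASA-5-713041: Group = L2TPClient, Username = user1, IP = 203.0.113.10, IKE Initiator: Rekeying Phase 2, Intf outside
Nov 27 2009 15:59:47 ASA1 : %ASA-5-713041: Username = user1, IP = 203.0.113.10, IKE Initiator: Rekeying Phase 1, Intf outside
Nov 27 2009 15:59:47 ASA1 : %ASA-5-713041: Group = L2TPClient, Username = user1, IP = 203.0.113.10, IKE Initiator: Rekeying Phase 2, Intf outside
Nov 27 2009 15:59:48 ASA1 : %ASA-5-713050: Group = L2TPClient, Username = user1, IP = 203.0.113.10, Connection terminated for peer user1.  Reason: Peer Terminate
Nov 27 2009 15:59:48 ASA1 : %ASA-4-113019: Group = L2TPClient, Username = user1, IP = 203.0.113.10, Session disconnected. Session Type: L2TPOverIPsecOverNatT, Duration: 6h:00m:01s, Bytes xmt: 100, Bytes rcv: 200, Reason: L2TP initiated
"""

# ASA timestamp, device name, message ID and message body; search() is used
# so a syslog relay prefix in front of the ASA timestamp is skipped.
LINE = re.compile(r"(\w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d) \S+ : %ASA-\d-(\d{6}): (.*)")
PEER = re.compile(r"\bIP = ([\d.]+)")
REKEY = re.compile(r"Rekeying Phase ([12])")
DISC = re.compile(r"Duration: (\d+)h:(\d+)m:(\d+)s.*Reason: (.+)$")

def correlate(text, window=timedelta(seconds=5)):
    """For each 113019 disconnect, list rekey phases seen for that peer within `window` before it."""
    rekeys, findings = [], []
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
        msg_id, body = m.group(2), m.group(3)
        peer = PEER.search(body)
        ip = peer.group(1) if peer else None
        if msg_id == "713041" and (r := REKEY.search(body)):
            rekeys.append((ts, ip, int(r.group(1))))
        elif msg_id == "113019" and (d := DISC.search(body)):
            h, mi, s = map(int, d.group(1, 2, 3))
            near = [p for t, rip, p in rekeys
                    if rip == ip and timedelta(0) <= ts - t <= window]
            findings.append({"ip": ip, "reason": d.group(4).strip(),
                             "duration": timedelta(hours=h, minutes=mi, seconds=s),
                             "rekey_phases": near})
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE):
        print(finding)
```

Run over a full day of logs, sessions whose `rekey_phases` list is non-empty and whose durations cluster at the same value point to a lifetime-driven teardown rather than an idle or network drop.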

muranskycotech Thu, 12/10/2009 - 16:08

It's probably just a keep-alive or time out issue... can you post your config (making sure to replace any public IPs and password strings).

Gerhard.Oettle Thu, 06/05/2014 - 00:08

If I remember correctly the colleagues from the Client Services were in contact with Microsoft support.

The Problem only appeared when the VPN-Profiles for the clients were created by an automated procedure.

But I don't know the real solution of the problem.

Best Regards

Gerhard
