VPN client dropped after 19 hours and 14 min...

Unanswered Question
May 20th, 2010

Hi,

I have a strange issue concerning the VPN IPSec client.

After 19 hours and 14 min (sometimes it's around 19 hours and 27 min), the VPN client is disconnected.

It has nothing to do with the station; I've tried it on 4 different stations / operating systems and on different DSL lines too.

All clients use the latest version available for their OS.

The VPN gateway is a Cisco 1812, providing lan-2-lan VPNs and also some remote client VPN access.

I attached the log file of one client which fails.

Here is the configuration of the VPN router:

crypto isakmp client configuration group mmrouter002
 key ###################
 domain xxxxxxxxxxx.com
 pool POOL_VPN
 acl 128
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
crypto isakmp nat keepalive 20
!
crypto isakmp profile mmrouter002
   match identity group mmrouter002
   client authentication list userauth
   isakmp authorization list groupauth
   client configuration address respond
!
crypto ipsec transform-set vpnuser_trans esp-3des esp-md5-hmac
!
crypto dynamic-map mydynamicmap 180
 set transform-set vpnuser_trans
 set isakmp-profile mmrouter002
 reverse-route
!
access-list 128 permit ip 192.168.230.0 0.0.0.255 10.50.10.0 0.0.0.255

10.50.10.0/24 is the pool for VPN clients.

192.168.230.0/24 is the subnet they can reach.

Does anybody have an idea what could be wrong? I should point out that everything works fine until the VPN is dropped.

Thanks in advance,

Olivier

olivier.jessel Fri, 05/21/2010 - 07:49

Hi,

After studying the log file and doing some research, it seems the problem occurs when Phase 1 is trying to renew the key...

Normally, I have a 24 hours lifetime, but I don't know why it happens 5 hours before... anyway, does anybody know what could be a reason why the IKE Phase key renewing process could fail?

Thanks in advance for any tip ;-)

Olivier

Todd Pula Fri, 05/21/2010 - 13:34

What version of OSX are you running and do you see the same disconnects from a Windows host? Simultaneous debugs from the router and the VPN client while the problem is replicated will be needed to isolate further. The client initiates the delete to the router at 195.243.171.112 but the peer sends back a notify message indicating no proposal chosen.

olivier.jessel Tue, 05/25/2010 - 00:26

Hi,

After spending hours reading logs and debugging isakmp, I finally decreased all lifetime settings to find out why the Phase 1 key renewal fails...

Guess what: when the ISAKMP lifetime is approaching expiry, the VPN client is prompted to enter credentials again!

On the IOS router, I haven't found the command to disable re-xauth as it exists on ASA or VPN concentrators. The only solution I've found is to allow the client to save the password!! But I don't like such a solution.

Does anyone know how to do this? Router is 1812, version 12.4.24T2 adv-enterprise.

Thanks again for reading my post ;-)

Olivier
