VPN client dropped after 19 hours and 14 min...

May 20th, 2010


I have a strange issue concerning the VPN IPSec client.

After 19 hours and 14 min (sometimes it's around 19 hours and 27 min), the VPN client is disconnected.

It has nothing to do with the station; I've tried it on 4 different stations / operating systems and on different DSL lines too.

All clients use the latest version available for their OS.

The VPN gateway is a Cisco 1812, providing lan-2-lan VPNs and also some remote client VPN access.

I attached the log file of one client which fails.

Here is the configuration of the VPN router:

crypto isakmp client configuration group mmrouter002
key ###################
domain xxxxxxxxxxx.com
acl 128

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
crypto isakmp nat keepalive 20


crypto isakmp profile mmrouter002
   match identity group mmrouter002
   client authentication list userauth
   isakmp authorization list groupauth
   client configuration address respond


crypto ipsec transform-set vpnuser_trans esp-3des esp-md5-hmac


crypto dynamic-map mydynamicmap 180
set transform-set vpnuser_trans
set isakmp-profile mmrouter002


access-list 128 permit ip is the pool for vpn client is the subnet they can reach.

Does anybody have an idea what could be wrong? I should point out that everything works fine until the VPN is dropped.

Thanks in advance,


olivier.jessel Fri, 05/21/2010 - 07:49


After studying the log file and doing some research, it seems the problem occurs when Phase 1 is trying to renew the key...

Normally, I have a 24-hour lifetime, but I don't know why it happens 5 hours before... anyway, does anybody know what could be a reason why the IKE Phase key renewing process could fail?

Thanks in advance for any tip ;-)


Todd Pula Fri, 05/21/2010 - 13:34

What version of OSX are you running and do you see the same disconnects from a Windows host? Simultaneous debugs from the router and the VPN client while the problem is replicated will be needed to isolate further. The client initiates the delete to the router at but the peer sends back a notify message indicating no proposal chosen.

olivier.jessel Tue, 05/25/2010 - 00:26


After spending hours reading logs and debugging isakmp, I finally decreased all lifetime settings to find out why the Phase 1 key renewal fails...

Guess what: when the ISAKMP lifetime is about to expire, the VPN client is prompted to enter credentials again!

On the IOS router, I haven't found the command to disable re-xauth as it exists on ASA or VPN concentrators. The only solution I've found is to allow the client to save the password!! But I don't like such a solution.

Does anyone know how to do this? Router is 1812, version 12.4.24T2 adv-enterprise.

Thanks again for reading my post ;-)


