Cisco VPN client keeps disconnecting even when the tunnel is in use

Unanswered Question
Jul 13th, 2010

Hi there,


I have a problem where the VPN client keeps disconnecting and needs to re-authenticate. Sometimes it disconnects after the VPN client has been connected to the ASA for 5 minutes, sometimes after 20 minutes. But the worst thing is that it disconnects even when the client is using the tunnel. Even with a continuous ping, it disconnects.


In the group policy, the vpn-idle-timeout is set to 45, and the isakmp keepalive threshold is 300s. Is anybody aware of this problem?

Any suggestions are appreciated.




Thanks,


Victor

Marcin Latosiewicz (Cisco Employee) Wed, 07/14/2010 - 14:03

Victor,


Can you share the ASA and VPNclient versions? No guarantees but I can do a bit of digging in our internal database.

If you can also attach ASA config (show run crypto, show run tunnel-g, show run group-p) it would be helpful.


Nothing will substitute debugs at the time of disconnect.


Marcin

spidermanchar Wed, 07/14/2010 - 19:09

Please check:


Version:

Server: Cisco Adaptive Security Appliance Software Version 7.2(4)

Client:  vpnclient-win-is-5.0.00.0340-k9-bundle


sh run crypto:
crypto ipsec transform-set VpnSet esp-3des esp-sha-hmac


crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 512000
crypto dynamic-map VpnMap 10 match address DynVpnAcl
crypto dynamic-map VpnMap 10 set transform-set VpnSet
crypto map DBmap 10 ipsec-isakmp dynamic VpnMap
crypto map DBmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 15
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400



sh run tunnel-g:

tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 30 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 30 retry 2
tunnel-group TerminalServices type ipsec-ra
tunnel-group TerminalServices general-attributes
address-pool dhcpTerminal
default-group-policy TerminalServices
tunnel-group TerminalServices ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 2


tunnel-group TerminalServicesC type ipsec-ra
tunnel-group TerminalServicesC general-attributes
address-pool dhcpTerminal
default-group-policy TerminalServices
tunnel-group TerminalServicesC ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 2


tunnel-group TS_group type ipsec-ra
tunnel-group TS_group general-attributes
address-pool TS_users_pool
authentication-server-group RADIUS
default-group-policy TS_group
tunnel-group TS_group ipsec-attributes
pre-shared-key *


sh run group-p:
group-policy TerminalServices internal
group-policy TerminalServices attributes
dns-server value
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnelACL
default-domain value
secure-unit-authentication enable
user-authentication enable
group-policy TS_group internal
group-policy TS_group attributes
banner value
dns-server value
vpn-idle-timeout 45
vpn-filter value TS_vpn_users
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
default-domain value


The clients are using the TS_group. Could you tell me how to debug the VPN client sessions? It appears that debug crypto isakmp and debug crypto ipsec both don't work for this.


PS: I understand that group-policy attributes can be inherited. Normally, only the values from the Cisco default policy would be inherited by customized policies?



Thanks,


Victor

Marcin Latosiewicz (Cisco Employee) Thu, 07/15/2010 - 01:44

Victor,


Yes, by default a group-policy inherits from the default group-policy, and RA tunnel-groups inherit from the default RA tunnel-group.


If there are no debugs on the ASA it's very strange, but maybe check whether you're running a "debug crypto cond ..." left over from some other time? (You can do "debug crypto cond reset".)


Re client debugs:

In the client GUI -> Log -> Logging settings -> set everything to "3" -> "OK" it.

Restart the client.


Logging should be enabled on the client side.


Marcin

spidermanchar Fri, 07/16/2010 - 01:24

Marcin,


So there seems to be nothing wrong with the configuration? I just got another report that one user was kicked out while he was using the tunnel. But I haven't had a chance to do the debug yet.




Thanks,


Victor

Marcin Latosiewicz (Cisco Employee) Fri, 07/16/2010 - 01:34

Victor,


There's nothing wrong with the config that I see.

There may be some interaction with RADIUS, for example (a max users setting or similar) :-)


Debugs on the ASA and logs from the client are the minimum needed to move forward. I will be out of the office for two weeks, so I might not be able to provide much input ;[

spidermanchar Fri, 07/16/2010 - 02:09

Marcin,


I got some debug info on the ASA, but the user forgot to enable logging on the client....


Jul 16 2010 16:59:31: %ASA-5-713050: Group = TS_group, Username = xxxx, IP = 15.15.15.15, Connection terminated for peer xxxxx.  Reason: Peer Terminate  Remote Proxy 192.168.250.4, Local Proxy 0.0.0.0
Jul 16 2010 16:59:32: %ASA-4-113019: Group = TS_group, Username = xxxx, IP = 15.15.15.15, Session disconnected. Session Type: IPSec, Duration: 0h:18m:35s, Bytes xmt: 208331, Bytes rcv: 1696143, Reason: User Requested


The whole session had been established for about 18 minutes and the idle time was less than 5 min, then it disconnected.




Regards,


Victor
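As an added example (not code from the thread), the two ASA syslog messages quoted above can be parsed and paired so that a log review separates sessions the ASA timed out from sessions the client side tore down before the group policy's vpn-idle-timeout could apply. The third sample line and the user yyyy are constructed; the 45-minute threshold is the TS_group vpn-idle-timeout from the posted config.

```python
import re
from datetime import timedelta

# Constructed sample: the post's two lines plus a constructed Idle Timeout line for a hypothetical user yyyy.
SAMPLE_LOG = """\
Jul 16 2010 16:59:31: %ASA-5-713050: Group = TS_group, Username = xxxx, IP = 15.15.15.15, Connection terminated for peer xxxxx.  Reason: Peer Terminate  Remote Proxy 192.168.250.4, Local Proxy 0.0.0.0
Jul 16 2010 16:59:32: %ASA-4-113019: Group = TS_group, Username = xxxx, IP = 15.15.15.15, Session disconnected. Session Type: IPSec, Duration: 0h:18m:35s, Bytes xmt: 208331, Bytes rcv: 1696143, Reason: User Requested
Jul 16 2010 18:10:02: %ASA-4-113019: Group = TS_group, Username = yyyy, IP = 15.15.15.16, Session disconnected. Session Type: IPSec, Duration: 2h:03m:10s, Bytes xmt: 10, Bytes rcv: 20, Reason: Idle Timeout
"""

IDLE_TIMEOUT_MIN = 45  # vpn-idle-timeout of the TS_group group-policy in the thread
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d{4} \d\d:\d\d:\d\d): %ASA-\d-(?P<msgid>\d+): "
    r"Group = (?P<group>\S+), Username = (?P<user>\S+), IP = (?P<ip>\S+), (?P<rest>.*)$"
)
# The reason text ends at a comma, at two or more spaces, or at end of line.
REASON_RE = re.compile(r"Reason: (?P<reason>.+?)(?:\s{2,}|,|$)")
DURATION_RE = re.compile(r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s")

def parse_asa_line(line):
    """Fields of a 713050/113019-style line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    r = REASON_RE.search(rest)
    rec["reason"] = r["reason"].strip() if r else None
    d = DURATION_RE.search(rest)
    rec["duration"] = timedelta(hours=int(d["h"]), minutes=int(d["m"]), seconds=int(d["s"])) if d else None
    return rec

def find_early_peer_terminates(log_text, idle_timeout_min=IDLE_TIMEOUT_MIN):
    """Pair each 713050 'Peer Terminate' with the following 113019 for the same
    group/user/IP; keep sessions shorter than the idle timeout (client-side teardown)."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        rec = parse_asa_line(line)
        if rec is None:
            continue
        key = (rec["group"], rec["user"], rec["ip"])
        if rec["msgid"] == "713050" and rec["reason"] == "Peer Terminate":
            pending[key] = rec["ts"]
        elif rec["msgid"] == "113019" and key in pending:
            terminated_at = pending.pop(key)
            if rec["duration"] is not None and rec["duration"] < timedelta(minutes=idle_timeout_min):
                findings.append({"user": rec["user"], "ip": rec["ip"], "at": terminated_at,
                                 "duration": rec["duration"], "asa_reason": rec["reason"]})
    return findings
```

A session that shows up here was not idled out by the ASA, which is the same conclusion the thread draws from "Reason: Peer Terminate" and points the investigation at the client and DPD behaviour rather than at the group-policy timers.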

Marcin Latosiewicz (Cisco Employee) Fri, 07/16/2010 - 02:13

Victor,


OK, so we know that the disconnect comes from the client ("Reason: Peer Terminate"). (The root cause might not be on the client.)


Looks to me like something in the way DPDs operate.


Will a user get disconnected if you run a continuous ping via the tunnel?


Marcin

spidermanchar Fri, 07/16/2010 - 02:18

Yes, even with a continuous ping, it disconnects. But I only allow RDP and DNS traffic through the tunnel; could this affect it?



rgs,


Victor
