VPN Client to PIX

Aug 13th, 2002

Does anyone know if there is a problem with long-term VPN connections to the PIX with the VPN client? Users can stay connected (over DSL or cable) for a few hours, then get bumped. Also, at what interval do the reapers messages get sent out, and how many can you miss before the tunnel is torn down?



Thanks

awaheed (Cisco Employee) Tue, 08/20/2002 - 13:41

Hi,


I think it might just be a case of the clients going past the idle timeout value; you can set this on the PIX configuration for them not to time out by setting the value to 0. Additionally, anything above v6.x on the PIX will have the DPD messages between the two sides, and missing 5 DPDs will cause the connection to be terminated.


Hope this helps,

Regards,

Aamir


-=-

I'm not sure this is your exact problem but it may help. I found this in the Release Notes for Cisco VPN Client for Windows release 3.5.1 page 9.

Just do a Find File on *.pcf to find the file mentioned below.


Allowing the VPN Client to Work Through ESP-Aware NAT/Firewalls

When using the VPN Client behind an ESP-aware NAT/Firewall, the port on the NAT/Firewall device may be closed due to the VPN Client’s keepalive implementation, called DPD (Dead Peer Detection). When a Client is idle, it does not send a keepalive until it sends data and gets no response.

To allow the VPN Client to work through ESP-aware NAT/Firewalls, add the following parameter and setting to the [Main] section of any *.pcf (profile configuration file) for the affected connection profile.

ForceKeepAlives=1

This parameter enables IKE and ESP keepalives for the connection at approximately 20 second intervals.

For more information, see “Connection Profile Configuration Parameters” in the VPN Client Administrator Guide.

chlovell Tue, 09/10/2002 - 09:40

On the client machine, do a search for *.pcf and bring up that file, and at the bottom where it says forcekeepalives set that to 1. Then, when you have the client VPN dialer up, go to Options and Properties and set the peer response timeout to 480.
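
The profile edit described in the two replies above, as an added example that is not part of the original thread or of Cisco's tooling: a Python function that puts ForceKeepAlives=1 into the [Main] section of a profile's text, whether the key is missing, set to another value, or the section itself is absent. The function name and the sample profile are constructed for illustration.

```python
import re

SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEY = re.compile(r"^\s*ForceKeepAlives\s*=", re.IGNORECASE)
SETTING = "ForceKeepAlives=1"

# Constructed sample profile text (not taken from the thread).
SAMPLE_PCF = """[Main]
Description=constructed sample profile
Host=vpn.example.com
forcekeepalives=0
"""

def force_keepalives(pcf_text: str) -> str:
    """Return pcf_text with ForceKeepAlives=1 set in its [Main] section."""
    out = []
    in_main = seen_main = done = False
    for line in pcf_text.splitlines():
        header = SECTION.match(line)
        if header:
            # Leaving [Main] without having met the key: add it before the next section.
            if in_main and not done:
                out.append(SETTING)
                done = True
            in_main = header.group("name").strip().lower() == "main"
            seen_main = seen_main or in_main
        elif in_main and KEY.match(line):
            if done:
                continue  # drop a duplicate entry
            line = SETTING  # overwrite whatever value was there
            done = True
        out.append(line)
    if not done:
        # [Main] was the last section, or the file had no [Main] at all.
        if not seen_main:
            out.append("[Main]")
        out.append(SETTING)
    # Output uses "\n" line endings; convert if the client needs CRLF.
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(force_keepalives(SAMPLE_PCF))
```

Keys named ForceKeepAlives in sections other than [Main] are left untouched, and running the function twice gives the same result as running it once.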
