Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

RA VPN Client Disconnect

Hi,

We have configured remote access VPN in our ASA5540. (ASA Ver. 7.2(2). We have 3 VPN groups setups. Sometime any users belongs to any of these groups diconnect after 05-06 seconds once they connected. Once I re-start the ASA all users are able stay connected but again it happens after 1-2 days.

Please advise me what causes VPN users to disconnect immediately when they loged-in.

thanks

3 REPLIES
Cisco Employee

Re: RA VPN Client Disconnect

Hello - Here are couple of questions.

a. What is the XAUTH method you are using. LOCAL or RADIUS?

b. Can you run debugs on the ASA "deb cry isa 200" & " deb cry ipsec 200" when this problem happens and collect the logs.

c. Do you have DPD's enabled on the tunnel-group to which the user is authenticating with.

d. Can you please enable client logs to High and collect them at the same time when you collect the debugs from the ASA.

Thanks

Gilbert

New Member

Re: RA VPN Client Disconnect

Hi Gilbert,

thanks for the reply.

a. XAUTH is local

b. Here is the debug output

PSEC WARNING: outbound SA deletion retry, SPI: 0x674BFED9, user: ql-vpn, peer: 213.130.104.14

IPSEC WARNING: inbound SA deletion retry, SPI: 0xE93CDFE7, user: citrixuser, peer: 213.130.104.242

IPSEC WARNING: outbound SA deletion retry, SPI: 0x43F52957, user: citrixuser, peer: 213.130.104.242

IPSEC WARNING: inbound SA deletion retry, SPI: 0x211CAAB9, user: ajith, peer: 80.231.135.27

IPSEC WARNING: outbound SA deletion retry, SPI: 0x54E3A4DE, user: ajith, peer: 80.231.135.27

IPSEC WARNING: inbound SA deletion retry, SPI: 0xAEB8DD28, user: vishwesh, peer: 78.101.229.12

IPSEC WARNING: outbound SA deletion retry, SPI: 0x6451A342, user: vishwesh, peer: 78.101.229.12

IPSEC WARNING: inbound SA deletion retry, SPI: 0x70E6CA13, user: ajith, peer: 80.231.135.27

IPSEC WARNING: outbound SA deletion retry, SPI: 0x9DEC885F, user: ajith, peer: 80.231.135.27

IPSEC WARNING: outbound SA deletion retry, SPI: 0xDE80BA63, user: srihari, peer: 78.101.240.94

c.what is PDP and how to check whether it's enabled?.

any suggestion?

Re: RA VPN Client Disconnect

if you want to know the causes open service request with CiscoTac.

But before doing this you can try to change the software on ASA.

326
Views
0
Helpful
3
Replies
CreatePlease to create content