Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Cisco VPN Drops when Idle

Cisco VPN Client 5.0.02.0090

Connectiing to ASA5520

Using NTAuth to authenticate.

The Clients are using Sierra Wireless 595 aircards. Attached is my ASA running config. The tunnel Group PDClient is reporting the intermentent problem. I have also had the problem here and there. The default gateway on the client disappears. I do not see anything on the ASA I see the client as still connected. I push a proxy setting from the ASA so that all traffic comes into our web filtering St.Bernard.

6 REPLIES

Re: Cisco VPN Drops when Idle

Hi Mis

Please try adding the following configuration

no access-list inside_nat0_outbound extended permit ip 10.8.202.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 object-group PDClient

access-list PDClient_Split permit ip 192.168.0.0 255.255.0.0 object-group PDClient

group-policy PDClient attributes

no split-tunnel-policy tunnelall

no split-tunnel-network-list none

split-tunnel-policy tunnelspecified

split-tunnel-network-list PDClient_Split

Regards

Community Member

Re: Cisco VPN Drops when Idle

I did the above and of course it broke some applications going to non 192.168.0.0 /ip's.

So I did add example 10.8.0.0/16 to the permit. Now I am unable to use VNC or even ping from 192.168.1.0 Network.

From the laptop I can ping 192.168.0.0 network. Any ideas

Community Member

Re: Cisco VPN Drops when Idle

Now I can access all my network resources. Windows Firewall was blocking. Sorry. I also had the subnet mask for allowing access to my 10.8 network. I am going to have to wait on reports from the field if they are continuing to drop.

Re: Cisco VPN Drops when Idle

add the non 192.168.0.0 networks in the following lines like

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 object-group PDClient

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.0.0 object-group PDClient

access-list PDClient_Split permit ip 192.168.0.0 255.255.0.0 object-group PDClient

access-list PDClient_Split permit ip 192.168.1.0 255.255.0.0 object-group PDClient

Community Member

Re: Cisco VPN Drops when Idle

I added the group of PDVCSO to the permit. It is working. I am waiting on my field officers to report back to me. I will let you know the outcome. What difference does should it make forcing all traffic like my original config compaired to only the selected traffic when I am forcing everything through the Proxy server?

Re: Cisco VPN Drops when Idle

Your remote clients go to internet through the VPN tunnel to into your web filtering St.Bernard? In this case my solution wont work, I think I confused with another question, above solution is for VPDN clients that lose local network connectivity. I apologize

I assume what you are talking about is "Error 433" and "Error 412 remote peer no longer responding" in VPN clientside that I encountered in another project of mine. I thought this was about idle-timeout and added the following

group-policy policynamehere attributes

vpn-idle-timeout 10080

10080 minutes, pretty good, but no, this is not the issue (I hope you solve yours with just setting the timeout value above). Clients were having trouble with their local net, short disconnects or leakages in internet connectivity, and they were getting disconnected.

First solution that I ve came up with was "Auto-initation".

http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client46/administration/guide/vcAch4.html

That was OK, but when client disconnects, the error was popping up and auto initation would not function untill someone clicks ok to that error. After click OK, tunnel is up again in a few seconds. Maybe running VPN client fully in CLI mode prevent that pop up and that fixes your issue.

If you ask how did I ended up with the project, We asked Checkpoint to modify Secureclient for us to achieve what we want, and we deployed Checkpoint in the end. Cisco did not accept modifying their GUI software

Regards

317
Views
0
Helpful
6
Replies
CreatePlease to create content