I have several site-to-site VPNs created with an ASA5520 at my office with Cisco 871s in the field. The remote sites connect through the VPN for email and connecting to a UNIX box using a terminal emulator. In many instances, these IPSEC tunnels terminate at the remote sites across a T1 internet circuit.
Users in the remote sites will lose connectivity to the unix box a few times a day but the VPN remains solid because not all users are kicked off. Only random users and usually those who walk away from their PC to get a product in the warehouse for the customer.
Cisco has had me add a sysopt connection tcpmss command on the ASA and appropriate commands on the routers. However, this did not resolve my issues.
Again, these are IPSEC tunnels and this problem only occurs in some locations. Other locations, with the same VPN configuration, have no problems. It appears to be an issue with certain ISPs only.
Any help would be appreciated. Thanks.
No, this is not an ssh connection. It is a telnet-based connection. And, the client has no timeout setting that can be configured.
Ok, well same difference. Look for a timeout on the server side. The reason I suggest this is because you say it happens when people walk away into the warehouse, therefore leaving an idle session.
Looking for timeouts everywhere was the first thing we did. What compounds the problem is that many locations with tunnels are not affected. Only about 20 out of 160 locations have this problem. And, if we move the tunnels to terminate on our VPN3005 concentrator, we have no problem at all. But, we want to use the ASA (support for 750 tunnels).
I had a similar problem with one of our site to site tunnels. I had to increase the SA lifetime from 2 hours to 12 hours and the Telnet sessions seemed to work fine after that. Initially we thought the issue was with session timeouts but clearing the tunnel always fixed it.
hope this helps.
I don't see where this can be configured on my router or on my ASA. If it is an IKE configuration, that command doesn't seem to be available on my Cisco 871 router.
crypto map outside_map 60 set security-association lifetime seconds 43200
This command is available on the ASA. You can also configure this using the ASDM.
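As an added illustration (not configuration posted in this thread), here is what matching IPsec SA lifetimes on both ends of one tunnel would look like, with the ASA crypto map entry from the answer above and the corresponding entry on the Cisco 871. The peer addresses, transform-set name, crypto map names, sequence numbers and ACL number are placeholders chosen for the example; the only values taken from the thread are the 43200-second lifetime and the map name outside_map on the ASA.

```cisco
! --- ASA side (example; peer address, transform set and ACL are assumptions) ---
crypto map outside_map 60 match address vpn-to-branch60
crypto map outside_map 60 set peer 198.51.100.60
crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 60 set security-association lifetime seconds 43200
crypto map outside_map interface outside

! --- Cisco 871 side (example; names and addresses are assumptions) ---
! Set the lifetime inside the crypto map entry so it matches the ASA entry
! for this tunnel. The global form is:
!   crypto ipsec security-association lifetime seconds 43200
crypto map outside_map 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set ESP-3DES-SHA
 set security-association lifetime seconds 43200
 match address 100

! --- Check on both ends after the change ---
! show crypto ipsec sa
!   compare "sa timing: remaining key lifetime (k/sec)" for the same
!   peer on the ASA and the router; both should count down from the same
!   value after the next rekey. "clear crypto ipsec sa" forces a fresh
!   negotiation so the new lifetime takes effect without waiting.
```

The check matters more than the numbers: if the two ends of a tunnel still report different remaining lifetimes after a rekey, the lifetime was not applied to the crypto map entry that the tunnel actually uses (for example, the global IOS setting was changed while the map entry still carries its own value).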
Now that you mention the particular command, this is something that I have tried before without success. I actually ran the time up to 99+ hours. Still, although the tunnel stays up, individual telnet user sessions drop. That remains the problem. All this said, I'll try this command again on a few of my tunnels. I probably won't make the change now until over the weekend.
Good point! I didn't think of that. I'm working an odd shift tomorrow so I'll give that a try early tomorrow morning. Thanks.
FINALLY - This resolved my issue. I've moved several locations that were having problems back to the ASA with the synchronized SA lifetime seconds and I haven't had a complaint in several weeks. Thanks!