Cisco Support Community
VPN Client Disconnects. IKE or No IKE?

Have had multiple issues with users getting dropped from the 3030 concentrators. This started happening more frequently once we turned on IKE Keepalives.

We are running VPN Client: 3.6.1

3030 Concentrator code: vpn3000-4.0.1.Rel-k9.bin.

The concentrator is correctly identifying inactive sessions and dropping them, but it also appears to identify ACTIVE sessions and drop those too. Note the duration from the syslog below 16:25. Almost all the drops have session durations less than 25 minutes. Most of the affected users report that they were in the middle of sending a large email/file, so they were not sitting idle. Our idle timeout is set to 30 minutes.

8275 06/25/2003 09:35:59.390 SEV=4 IKE/123 RPT=972 198.170.188.244
Group [FLD-BB] User [Tyler Durden]
IKE lost contact with remote peer, deleting connection (keepalive type: DPD)

8277 06/25/2003 09:35:59.400 SEV=4 AUTH/28 RPT=6973 198.170.188.244
User [Tyler Durden], Group [FLD-BB] disconnected:
Duration: 0:16:26
Bytes xmt: 3614080
Bytes rcv: 1619832
Reason: Lost Service

I have created a copy of the same group we are using above, except IKE Keepalives are turned off. Once I moved a few of the affected users over to that group they were able to stay connected.

Has anyone else experienced this type of problem?

I've also read about using the ForceKeepAlives=1 setting in the client PCF file. Any thoughts?

Re: VPN Client Disconnects. IKE or No IKE?

The message 'IKE lost contact with remote peer, deleting connection' tells you that the connection was dropped since the client did not send the "Are You There Message?" which it is meant to do every few seconds. In other words, the DPD (dead peer detection) packets might not be getting through at all or might not be getting through in time. On not getting a response, the client sends a DPD every 5 seconds until the client reaches its max response timeout. After this, the connection is dropped. The way out is to change the max response timeout from default to its max value of 480 (from VPN Dialer go to Options/Properties). That might just solve the problem.

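Added example, not part of the thread and not Cisco code: a Python triage script that pairs each IKE/123 DPD drop with the AUTH/28 disconnect record for the same peer and user, and reports sessions that ended before the 30-minute idle timeout together with the bytes they moved. The sample log is constructed in the layout of the excerpt in the original post; the function names and the H:MM:SS duration format are assumptions.

```python
import re
from datetime import timedelta

# Constructed sample in the layout of the post's syslog excerpt (all values made up).
SAMPLE = """\
101 06/25/2003 09:35:59.390 SEV=4 IKE/123 RPT=1 192.0.2.10
Group [GROUP-A] User [user1]
IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
102 06/25/2003 09:35:59.400 SEV=4 AUTH/28 RPT=1 192.0.2.10
User [user1], Group [GROUP-A] disconnected:
Duration: 0:16:26
Bytes xmt: 3614080
Bytes rcv: 1619832
Reason: Lost Service
103 06/25/2003 10:02:11.120 SEV=4 AUTH/28 RPT=2 192.0.2.11
User [user2], Group [GROUP-A] disconnected:
Duration: 0:31:05
"""

HDR = re.compile(r"^\d+ \S+ \S+ SEV=\d+ (\S+) RPT=\d+ (\S+)$")

def parse_events(text):
    """Group each header line with its continuation lines; blank lines are ignored."""
    events = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if (m := HDR.match(line)):
            events.append({"id": m[1], "peer": m[2], "body": []})
        elif events:
            events[-1]["body"].append(line)
    return events

def field(ev, pattern):
    """First capture group of pattern in the event's continuation lines, or None."""
    m = re.search(pattern, "\n".join(ev["body"]))
    return m[1] if m else None

def dpd_drops_before_idle(text, idle=timedelta(minutes=30)):
    """(user, peer, duration, bytes) for DPD-dropped sessions shorter than idle."""
    pending, hits = set(), []
    for ev in parse_events(text):
        key = (ev["peer"], field(ev, r"User \[([^\]]+)\]"))
        if ev["id"] == "IKE/123" and field(ev, r"keepalive type: (DPD)"):
            pending.add(key)  # DPD declared this peer dead
        elif ev["id"] == "AUTH/28" and key in pending:
            pending.discard(key)
            h, m, s = map(int, field(ev, r"Duration: (\d+:\d+:\d+)").split(":"))
            moved = sum(int(field(ev, rf"Bytes {d}: (\d+)") or 0) for d in ("xmt", "rcv"))
            if (dur := timedelta(hours=h, minutes=m, seconds=s)) < idle:
                hits.append((key[1], key[0], str(dur), moved))
    return hits
```

A session that shows up here with a large byte count was moving traffic when DPD declared the peer dead, which is the pattern described in the original post.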