Have had multiple issues with users getting dropped from the 3030 concentrators. This started happening more frequently once we turned on IKE Keepalives.
We are running VPN Client: 3.6.1
3030 Concentrator code: vpn3000-4.0.1.Rel-k9.bin.
The concentrator is correctly identifying inactive sessions and dropping them but it also appears to identify ACTIVE sessions and drop those also. Note the duration from the syslog below 16:25. Almost all the drops have session durations less than 25 minutes. Most of the affected users report that they were in the middle of sending a large email/file so they were not sitting idle. Our idle timeout is set to 30 minutes.
The message 'IKE lost contact with remote peer, deleting connection' tells you that the connection was dropped since the client did not send the "Are You There Message?" which it is meant to do every few seconds. In other words, the DPD (dead peer detection) packets might not be getting through at all or might not be getting through in time. On not getting a response, the client sends a DPD every 5 seconds until the client reaches its max response timeout. After this, the connection is dropped. The way out is to change the max response timeout from default to its max value of 480 (from vpn dialer go to Options/Properties). That might just solve the problem.
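The retry behaviour described in the reply above can be modelled to see why a longer response timeout rides out a burst of lost DPD packets. This is an added example, not code from the thread or from Cisco; the 10-second probe interval, the 90-second comparison timeout and the outage windows are constructed assumptions, and only the 5-second retry and the 480 maximum come from the reply.

```python
RETRY_INTERVAL = 5   # seconds between DPD retries once a probe goes unanswered (from the reply)
MAX_TIMEOUT = 480    # largest peer response timeout mentioned in the reply


def in_outage(t, outages):
    """True if a DPD exchange attempted at second t falls in a loss window."""
    return any(start <= t < end for start, end in outages)


def dpd_drop_time(outages, timeout, session_len, probe_every=10):
    """Return the second at which the tunnel is deleted, or None if it survives.

    outages     -- list of (start, end) seconds during which DPD packets are
                   lost or delayed, e.g. while a large upload saturates the link
    timeout     -- max response timeout in seconds
    probe_every -- hypothetical interval between probes while the peer answers
    """
    t = 0
    while t < session_len:
        if not in_outage(t, outages):
            t += probe_every              # peer answered, wait for the next probe
            continue
        first_unanswered = t
        while in_outage(t, outages):
            if t - first_unanswered >= timeout:
                return t                  # no reply within the timeout: peer declared dead
            t += RETRY_INTERVAL           # retry every 5 seconds
        # a retry got through before the timeout expired; the tunnel stays up
    return None


def compare_timeouts(outages, timeouts, session_len):
    """Map each candidate timeout to the drop time (or None) for the same outages."""
    return {to: dpd_drop_time(outages, to, session_len) for to in timeouts}


if __name__ == "__main__":
    # Constructed scenario: a 25-minute session with one 120-second loss burst
    # starting at the 10-minute mark (an active, non-idle user).
    burst = [(600, 720)]
    for timeout, dropped in compare_timeouts(burst, [90, MAX_TIMEOUT], 1500).items():
        state = f"dropped at {dropped}s" if dropped is not None else "survived"
        print(f"timeout={timeout:>3}s -> {state}")
```

An outage longer than the configured timeout still ends in a drop, so raising the timeout masks short loss bursts but does not remove the underlying packet loss.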