VPN connections are dropped on cable modem links

pmarkov
Level 1

We're using Cisco VPN Clients 3.5.1(Rel) with VPN3000 Concentrator.

Some users sitting on cable modem links have their VPN connections dropped at least twice per day before any inactivity timeouts expire, often in the middle of active work.

The users see the following message:

"Your IPSec connection has been terminated"

We are using IPSec over UDP for NAT transparency.

The users run telnet applications and Outlook.

Any ideas will be greatly appreciated.

Thank you

4 Replies

edadios
Cisco Employee

Are you doing all tunneling or split tunneling?

If it is all tunneling, some ISP has some sort of heartbeat (keepalive) type mechanism on their network that could cause the timing out.

ddemers
Level 1

We've found that IPSec over TCP and a slightly lower MTU will solve this problem. Hope that helps.

We are running IPSec over TCP. Tried low MTU settings and forcing keepalives, and we still have a number of cable and DSL users getting disconnected.

We are having the same problem with Cisco VPN Client 3.5.2 and VPN 3005 3.5.3, even over MTU 1500 fast ethernet connections with just a router between the client and the gateway. It has happened only once over a dialup connection, but happens regularly over home broadband and faster connections.

We've tried connections both with and without TCP port 10000 tunnelling, and with and without Force Keepalives in the .pcf file. The failure rate seems to increase if the Stateful Firewall Always On is enabled, but disabling it doesn't eliminate the problem.

From the packet dumps and client logs I have, it appears that the client built-in firewall passes port 500 (IKE) keepalives for a while, then blocks a single one. From that point onward, the client sends keepalives regularly, but they never leave the client machine. All other traffic (e.g. ICMP) continues unaffected. Since the client thinks it has sent keepalives, but receives no keepalive responses, it concludes after a while that the connection has timed out and it destroys the SA.

Sometimes the client can reconnect, but often it fails to start the negotiation and throws the "remote peer is no longer responding" error. Restarting the client network interface (or rebooting) seems to reset the client firewall, permitting new connections to be established.

Simultaneously, other clients are able to connect to the gateway with no problems.

I haven't seen anything else on the Cisco site regarding this. Does anyone else have any more info?
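A client-side check for the failure mode described in the last reply, as an added example that is not from the thread or from Cisco: it correlates the keepalives the VPN client log says it sent with what a packet capture on the same host shows actually leaving, and flags IKE (UDP/500) keepalives that never reached the wire while other traffic (ICMP) continued. The log and capture formats, addresses and timings are constructed for the example.

```python
from datetime import datetime, timedelta

CLIENT_IP = "192.0.2.10"  # constructed client address; gateway is 198.51.100.1

# Constructed VPN client log: the keepalives it believes it sent, one every 20 s.
CLIENT_LOG = """\
10:00:00 ISAKMP keepalive sent
10:00:20 ISAKMP keepalive sent
10:00:40 ISAKMP keepalive sent
10:01:00 ISAKMP keepalive sent
"""

# Constructed capture on the same host's NIC ("time proto src > dst"): after 10:00:21 no
# UDP/500 leaves the host, yet ICMP still does, matching the last reply's observation.
WIRE_CAPTURE = """\
10:00:00 UDP 192.0.2.10:500 > 198.51.100.1:500
10:00:01 UDP 198.51.100.1:500 > 192.0.2.10:500
10:00:20 UDP 192.0.2.10:500 > 198.51.100.1:500
10:00:21 UDP 198.51.100.1:500 > 192.0.2.10:500
10:00:45 ICMP 192.0.2.10 > 203.0.113.7 echo-request
10:00:45 ICMP 203.0.113.7 > 192.0.2.10 echo-reply
10:01:05 ICMP 192.0.2.10 > 203.0.113.7 echo-request
"""

def _ts(s):
    return datetime.strptime(s, "%H:%M:%S")

def parse_capture(text):
    """Capture lines -> (timestamp, protocol, source endpoint)."""
    return [(_ts(f[0]), f[1], f[2]) for f in (l.split() for l in text.splitlines()) if f]

def silent_keepalives(client_log, capture, client_ip=CLIENT_IP, slack=timedelta(seconds=2)):
    """Keepalives the client logged as sent that never showed up on the wire as UDP/500."""
    logged = [_ts(l.split()[0]) for l in client_log.splitlines() if "keepalive sent" in l]
    on_wire = [ts for ts, proto, src in capture if proto == "UDP" and src == client_ip + ":500"]
    return [ka for ka in logged if not any(abs(ka - w) <= slack for w in on_wire)]

def diagnose(client_log, capture_text, client_ip=CLIENT_IP):
    """Tell a local drop (host firewall) apart from a dead link or an unresponsive peer."""
    cap = parse_capture(capture_text)
    silent = silent_keepalives(client_log, cap, client_ip)
    if not silent:
        return "keepalives reach the wire: look at the path, the ISP or the concentrator"
    first = silent[0]
    # Other host traffic after the first missing keepalive means the link is up and the host itself drops UDP/500.
    link_up = any(ts >= first and proto != "UDP" and src.startswith(client_ip)
                  for ts, proto, src in cap)
    if link_up:
        return f"host firewall suspected: no keepalive on the wire since {first:%H:%M:%S}"
    return f"nothing leaves the host since {first:%H:%M:%S}: link or interface problem"
```

Run the client log and a capture taken on the client's own interface (not at the gateway) through `diagnose`; a "host firewall suspected" result is the pattern the last reply describes, and a capture at the gateway would only show the keepalives missing without saying why.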