Consider these options for the termination for the VPN Client. If the VPN Client is located behind a device that performs Network Address Translation (NAT)/Port Address Translation (PAT), make sure that the translation does not timeout for the VPN Client.
Make sure the IKE keepalives are enabled. In some situations, it is necessary to disable this feature in order to solve the problem, for example, if the VPN Client is behind a Firewall that prevents DPD packets. In order to disable the IKE keepalives, complete these steps
Choose Configuration > User Management > Groups. Choose a VPN Client group that you work with, and click Modify. On the IPSec tab, uncheck the IKE Keepalives box. Check the timeout settings on the VPN Concentrator and on the VPN Client. The timeout settings are found on the General tabs of the base group, group, and user settings. Choose Configuration > User Management.