I've got a current VPN client 5.0.04.0300 that I can't keep connected on a Vista laptop more than about 3-4 minutes. The same client will stay connected indefinitely on a windows XP box. I've tested turning off both Windows firewall and defender with no change in results.
We're connecting through to an ASA 5505. We've had zero issues with the XP boxes connecting to this for over a year but can't the Vista boxes to hold the connection.
I've attached my log. Any insights would be greatly appreciated. I'm almost to the point of reimaging the laptop down to xp.
Do you have a lifetime on the tunnel? It looks like the client is disconnecting due to the ASA dropping the connection. Make sure that Transparent Tunning is enabled and try changing the tunneling protocol to IPSec over TCP. Leave the TCP port to 10000 and make sure it is enabled on the ASA.
Hi Scott, can you enable debug logging for the VPN client so that I can take a look.
To enable debug logging:
1. Open the VPN client GUI and enable logging.
2. Close the GUI and open vpnclient.ini in the install directory.
3. Change the loglevel for IPSec, IKE and CVPND to 15.
4. Save vpnclient.ini and open the GUI. Attempt to make a connection.
5. Attache the logs and will take a look.
I can do that but I've narrowed the problem. I took the laptop to a local coffee shop and it stayed connected all day.
Back at home, I plugged it directly into the cable modem and it stayed connected but it doesn't when I run it through my linksys wireless router (wired or wireless). I've got a Linksys WRT54G and am wondering if I need to make changes to it to allow this VPN to stay connected. The same router has no problem with a XP laptop but it won't keep the connection with a Windows Vista or 7 laptop.
Any ideas out there? Thanks
Took a look at the logs and I see DPD's are failing. Since it's working outside of your wireless unit and your getting DPD errors you are probably running into the port 500 problem. Older Wireless units to not support Dynamic IKE ports. If I remember correct the change from port 500 to dynamic ike port was made somewhere between 4.8 and 5.0.
The reason we changed is the port 500 is really reserved for a service not a client and this conflicts with the Windows IPSec Service running.
Anyway try this, look for UseLegacyIKEPort in this link: http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client46/administration/guide/vcAch2.html
Go ahead and make the change to your PCF file and try a connection at home, see if that works.
Make sure you also are using NAT-T as your transport and not TCP or UDP.
Alternatively, see if linksys has a firmware update for the wireless router as Netgear, Linksys, d-link etc should have put out something to support dynamic IKE.
Thank you so much for looking at my logs. I tried the last point and updated the firmware on the router and that solved the problem.
Again, thanks very much. I hadn't even thought that it might be a firmware issue.
What is your dpd timer set to? 5 mins is the default I think. You can try and set the timer to something below 60 seconds as the udp time out on the Windows firewall is 60 seconds then closes the connection.