I am using IPSec VPN client v. 5.0.06.0110. The issue I am having is that clients lose their VPN connection because of some wireless issues at their home. They have laptops and use wireless to connect to the VPN. Wireless is not always stable, and this causes them to lose VPN connectivity.
I tried to increase the keepalive timers for the tunnel, hoping this would make the tunnel more tolerant of client unavailability, but with no luck. By looking at the ASA logs, I can see that the ASA sends the keepalives every 10 seconds with a 2-second retry, even if I set isakmp keepalive threshold 60 retry 10.
The VPN connection will drop if the address assigned to the physical wireless adapter is changing. Set the VPN client logs to level 3-high all during the disconnect and then examine them to see if you see "adapter address changed" messages or something similar. If you do, you won't be able to control this problem on the headend with configuration changes -- you could suggest the user try with a static IP.
The keepalives you are seeing may be nat keepalives set with the "crypto isakmp nat-traversal" command.
The IP address doesn't change. I checked and I even configured a static one.
The keepalives I saw are from "isakmp keepalive threshold 60 retry 10" but with the wrong timing (sending them every 10 seconds). If I do "isakmp keepalive disable", then the ASA doesn't do any keepalives.