Orphaned entries in show crypto session summary output
We use a Cisco 2811 with IOS version 12.4(3a) and the Cisco VPN Client ver. 4.8.01 to connect our road warriors to our company network. Sometimes we have the following problem:
Maybe due to underlying network connection problems (UMTS/GPRS interruption) the client disconnects, but nevertheless the output of the "show crypto session groups" command displays one connection for this user. (We configured one group for every user.) But the "show crypto session detail" command delivers no information about this client, e.g. IP address. The user is not able to log in until an unspecified amount of time has passed.
We configured the dead peer detection to solve the problem:
crypto isakmp keepalive 60 periodic
and the output of "debug crypto isakmp" attests that DPD works. But there are no "DPD/R_U_THERE" messages between the client and the gateway. Everything looks like the client isn't connected anymore, except for the output of "show crypto session groups".