5510 remote access VPN stops passing traffic (partially)

holtchristopher
Level 1

Hi,

I have a strange problem afflicting all of my remote access VPN users to a 5510. The clients include the Windows Cisco client (latest version), VPNC for Windows, and the built-in OS X client. All seem to be equally impacted.

The tunnels are initially established and pass traffic correctly. At some point, they stop allowing new TCP connections or pings. An existing SSH connection is still responsive, but you cannot establish a new one and you cannot ping an inside host. If you cycle the VPN connection, all is well again.

This happens anywhere from twice a week to 3 times a day. It doesn't seem to correlate with time of day, network load, or remote network. When it happens, there's nothing in the logs on the client or server side to indicate a problem.

This is ASA software version 8.4(4)1.

Any suggestions as to what the cause may be? Or the best way to track it down?

Thanks,

Chris Holt

2 Replies

XIE YAO
Level 1

Have you checked the log on the ASA when this happens?

logging on

logging buffered 7

I've turned on logging to capture to a syslog server not at level 7. I've also managed to correlate the problem to the logout of another VPN session from (the same or a different) user behind the same NAT device (Netgear Wi-Fi router/cable modem in this case, although it can vary).

So my reproducible failure case is this:

Connect 2 clients from behind the same public IP.

They both work fine.

Disconnect 1 of them.

The other will be able to maintain any existing TCP connection through the VPN but not establish new ones.

Now for the really weird part:

If I reconnect the second client, then my first client is suddenly fixed!

I do have "crypto isakmp nat-traversal 20" in my config. That was the most common answer I found regarding problems with multiple VPN users behind the same NAT.

Any suggestions?