I have a strange problem afflicting all of my remote access VPN users to a 5510. The clients include the Windows Cisco client (latest version), VPNC for Windows, and the built-in OS X client. All seem to be equally impacted.
The tunnels are initially established and pass traffic correctly. At some point, they stop allowing new TCP connections or pings. An existing SSH connection is still responsive, but you cannot establish a new one and you cannot ping an inside host. If you cycle the VPN connection, all is well again.
This happens anywhere from twice a week, to 3 times a day. It doesn't seem to correlate with time of day, network load, or remote network. When it happens, there's nothing in the logs on the client or server side to indicate a problem.
This is ASA software version 8.4(4)1.
Any suggestions as to what the cause may be, or the best way to track it down?
I've turned on logging to capture to a syslog server not at level 7. I've also managed to correlate the problem to the logout of another VPN session from (the same or a different) user behind the same NAT device (netgear wifi router/cable modem in this case, although it can vary).
So my reproducible failure case is this:
Connect 2 clients from behind the same public IP.
They both work fine.
Disconnect 1 of them.
The other will be able to maintain any existing TCP connection through the VPN but not establish new ones.
Now for the really weird part:
If I reconnect the second client, then my first client is suddenly fixed!
I do have "crypto isakmp nat-traversal 20" in my config. That was the most common answer I found regarding problems with multiple VPN users behind the same NAT.
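To turn the "no new TCP connections after another session logs out" symptom into something you can time-stamp and line up against the syslog export, here is an added probe-and-correlate script (my example, not from the original post). Host, port, probe interval and the sample timestamps are constructed assumptions; the logout times would come from the ASA session-teardown messages on your syslog server.

```python
import socket
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    ts: float   # seconds since epoch (or since test start)
    ok: bool    # True if a NEW TCP connection through the tunnel succeeded


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Attempt a fresh TCP connection to an inside host through the VPN.
    This tests exactly what fails in the reported case: new connections,
    not already-established ones."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def outage_starts(probes):
    """Timestamps where probes flip from succeeding to failing."""
    starts, prev_ok = [], True
    for p in sorted(probes, key=lambda p: p.ts):
        if prev_ok and not p.ok:
            starts.append(p.ts)
        prev_ok = p.ok
    return starts


def correlate(probes, logouts, window: float = 60.0):
    """Pair each outage start with the latest other-session logout that
    happened within `window` seconds before it (None if no candidate)."""
    return [(s, max((l for l in logouts if 0 <= s - l <= window), default=None))
            for s in outage_starts(probes)]


def monitor(host: str, port: int, interval: float = 30.0, duration: float = 3600.0):
    """Run probes every `interval` seconds for `duration` seconds (assumed values)."""
    probes, t0 = [], time.time()
    while time.time() - t0 < duration:
        probes.append(Probe(time.time(), tcp_probe(host, port)))
        time.sleep(interval)
    return probes


# Constructed sample data: one outage 15 s after a logout at t=120, one unrelated at t=500.
SAMPLE_PROBES = [Probe(t, True) for t in (0.0, 30.0, 60.0, 90.0, 120.0)] + \
                [Probe(135.0, False), Probe(165.0, False), Probe(200.0, True),
                 Probe(470.0, True), Probe(500.0, False)]
SAMPLE_LOGOUTS = [120.0]
```

Run `monitor()` from a client behind the shared NAT, then feed its probes and the logout timestamps to `correlate()`; an entry with a non-None partner is a failure that followed a logout within the window.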