Which one should I smash? iPhone or Cisco? This has kept me busy for over 2 weeks now. Clear commands won't do anything. I have to reset the dialer 0 interface to make it work. Is there any command to clear the interface as soon as the client disconnects from the VPN? Please help.
The client seems to get stuck when it disconnects aggressively. When I remove the local pool and apply it again with the same name, the address is STILL in use!!!
The address is still in use even though the client disconnected hours ago:
The problem is indeed that the router only has one IP address in its pool, and when the client does not disconnect gracefully, the router does not realize it is disconnected and so the pool address remains assigned.
Hence the "Could not get address from pool!" in the debugs.
Obviously a quick & dirty workaround is to increase the size of the pool.
Other than that, enabling DPD (dead peer detection) should help; try "crypto isakmp keepalive 10 2".
Note: the above command uses the most aggressive DPD timers possible - with just one client this will not be a problem but if you have dozens/hundreds/thousands then you may want to use more relaxed timers or you will kill your CPU.
Edit: just realized you already have " keepalive 10 retry 3" in your isakmp profile so not sure why that is not working... then I realized you're using an iPhone as client, and I'm not sure if the Apple client supports DPD. "debug crypto isakmp" should show this.
Another option may be to set "crypto ipsec security-association idle-time" to a low value.
Yes, I use only one client (iPhone) for this profile to connect to my VPN. In a later post I wrote, I used the command "crypto ipsec security-association idle-time" and set it to 2 minutes. I thought that this had solved the issue, until yesterday! The exact same thing happened again!! This time I logged off from the Easy VPN server normally, and when I tried again I saw the same error message in the debug output!
I noticed from the command "show crypto eli" that my router allows 100 IPsec sessions. So what I did was log in and log off 100 times to see if that was the problem. Pathetic, I know; it took me over 10 minutes, but I wanted to see why, even though I logged off normally, I couldn't access the VPN server. Thankfully this was not the problem.
So far I don't have a clue! This is very frustrating; I've spent many hours with no solution. Last night when this happened, it locked me out of my network for over 10 hours until I got back home and reloaded the router (the VPN LED was off). There's no other way to get over it.
I have many issues with the Easy VPN client on the iPhone, but this is the most critical for me so far. Now I've issued the command "crypto ipsec security-association idle-time 120 default" and hopefully it does something.
Finally, I don't think giving more space would solve this. IPs somehow get stuck and are never released, no matter how much address space I give.