Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

L2TP Remote Access disconnects after a few hours.

Have a few users on Vista/7 using Windows L2TP to connect to our ASA5510. It is reported that after a few hours the connection drops. From what I have seen this can be anywhere around 5-6 hours. Of course my connection will drop after an amount of time has passed and no traffic has passed the tunnel. But the users are adament that this drops during large transfers; i.e. not a timeout issue.

Before I spend anymore time on this I just want to know if this is normal behavior for a remote access L2TP using Windows to disconnect on it's own after this amount of time. Never had a reason myself to remain connected that long, and when I did I used a site 2 site tunnel.

2 REPLIES
New Member

Re: L2TP Remote Access disconnects after a few hours.

Below is a sample log of the time when disconnects occur, I highlighted in bold the problem area.

vpn-7-715046: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, constructing IPSec SA payload

vpn-7-715046: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, constructing IPSec nonce payload

vpn-7-715001: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, constructing proxy ID

vpn-7-713906: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, Transmitting Proxy Id:   Remote host: 76.17.XX.XX  Protocol 17  Port 0   Local host:  216.XX.XXX.XXX  Protocol 17  Port 1701

vpn-7-715046: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, constructing NAT-Original-Address payload

vpn-7-713171: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, NAT-Traversal sending NAT-Original-Address payload

vpn-7-715046: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, constructing qm hash payload

vpn-7-714005: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, IKE Responder sending 2nd QM pkt: msg id = 00000017

vpn-7-713236: IP = 76.17.XX.XX, IKE_DECODE SENDING Message (msgid=17) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NONE (0) total length : 172

vpn-7-713236: IP = 76.17.XX.XX, IKE_DECODE RECEIVED Message (msgid=958052a1) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68

vpn-7-715047: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, processing hash payload

vpn-7-713906: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, processing delete

vpn-7-713170: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, IKE Received delete for rekeyed centry  IKE peer: 76.17.XX.XX, centry addr: ad03bb38, msgid: 0x00000016

vpn-7-713906: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, L2TP/IPSec: Ignoring delete to a rekeyed centry (msgid=16)

vpn-7-713236: IP = 76.17.XX.XX, IKE_DECODE RECEIVED Message (msgid=17) with payloads : HDR + HASH (8) + NONE (0) total length : 52

vpn-7-715047: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, processing hash payload

vpn-7-713906: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, loading all IPSEC SAs

vpn-7-715001: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, Generating Quick Mode Key!

vpn-7-715001: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, Generating Quick Mode Key!

vpn-5-713049: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, Security negotiation complete for User (sam5510)  Responder, Inbound SPI = 0xc8ed80c2, Outbound SPI = 0xe007e1fd

vpn-6-602303: IPSEC: An outbound remote access SA (SPI= 0xE007E1FD) between 216.XX.XXX.XXX and 76.17.XX.XX (user= sam5510) has been created.

vpn-7-715007: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, IKE got a KEY_ADD msg for SA: SPI = 0xe007e1fd

vpn-6-602303: IPSEC: An inbound remote access SA (SPI= 0xC8ED80C2) between 216.XX.XXX.XXX and 76.17.XX.XX (user= sam5510) has been created.

vpn-7-715077: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, Pitcher: received KEY_UPDATE, spi 0xc8ed80c2

vpn-7-715080: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, Starting P2 rekey timer: 3420 seconds.

vpn-5-713120: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, PHASE 2 COMPLETED (msgid=00000017)

vpn-7-713906: IKEQM_Active() Add L2TP classification rules: ip <76.17.XX.XX> mask <0xFFFFFFFF> port <4500>

vpn-7-715077: Pitcher: received KEY_SA_ACTIVE, spi 0xc8ed80c2

vpn-7-713906: KEY_SA_ACTIVE old rekey centry found with new spi 0xc8ed80c2

vpn-7-713906: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, sending delete/delete with reason message

vpn-7-715046: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, constructing blank hash payload

vpn-7-715046: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, constructing IPSec delete payload

vpn-7-715046: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, constructing qm hash payload

vpn-7-713236: IP = 76.17.XX.XX, IKE_DECODE SENDING Message (msgid=d84b3b70) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68

vpn-7-713906: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, Active unit activates new SA for remote peer 76.17.XX.XX.

vpn-7-715009: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, IKE Deleting SA: Remote Proxy 76.17.XX.XX, Local Proxy 216.XX.XXX.XXX

vpn-6-602304: IPSEC: An outbound remote access SA (SPI= 0xFD65F940) between 216.XX.XXX.XXX and 76.17.XX.XX (user= sam5510) has been deleted.

vpn-6-602304: IPSEC: An inbound remote access SA (SPI= 0xB2891595) between 216.XX.XXX.XXX and 76.17.XX.XX (user= sam5510) has been deleted.

vpn-7-715077: Pitcher: received key delete msg, spi 0xb2891595

vpn-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 76.17.XX.XX:4500

New Member

L2TP Remote Access disconnects after a few hours.

I too am having this issue.  Win7 clients connect to an asa 5510 get disconnected after 5-6 hours.  I have an open ticket with cisco and am working on a resolution.  Yesterday it was said by cisco that the l2tp rekey timer was shorter than the ipsec rekey timer.  He reconfigured the timer, which disconnected the 11 people that were connected, but about six hours later the clients disconnected and had trouble reconnecting.  We allowed remote connects from the inside interface and connected a win7 machine and it had remained connected for 18 hours.  I have found that the cisco client will remain connected as long as you want.  The difference in the two connections are the windows client connects as L2TPoverIPSECoverNatT and the cisco client connects with just IPSECoverNatT.   I need to get this resolved one way or another.  I am going to open a case with microsoft this morning.

1306
Views
0
Helpful
2
Replies