We have a large number of sites using Cisco ASA5505 firewalls with the IPsec (IKEv1) client in a very standard setup (just the basic wizard-driven config, split tunneling and RADIUS enabled). These have always worked well and we never had any problems until the last few weeks. The problem appears to be that the clients just randomly disconnect after a number of minutes, and sometimes this could be up to an hour or more. On further investigation it would appear that if there is no traffic over the VPN then the connection drops, even though the idle timeout is set to 30 mins. The fix seems to require disabling the McAfee SaaS Firewall service.
We are taking the assumption that the firewall is blocking keep-alive traffic or dead peer detection of some kind, and therefore the client or firewall is assuming disconnection after a short period of no actual traffic (pinging the host network will keep the connection alive).
Recently McAfee updated the SaaS client to version 6, which includes v15 of the firewall service, and it seems to be related.
We are trying to get something out of McAfee to see what's changed, but I wonder if anyone else has experienced this and has found a policy workaround to prevent having to disable the firewall entirely.
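The hypothesis in the post (that the host firewall is dropping keep-alive or dead-peer-detection traffic) can be tested against a packet capture taken on the client rather than by trial and error. The script below is an added example, not part of the original post and not Cisco or McAfee tooling. It assumes the client uses NAT-T on UDP 4500 as defined in RFC 3948 (a one-byte 0xFF NAT-keepalive, a four-zero-byte non-ESP marker in front of IKE, plain ESP otherwise) and IKEv1 with the 28-byte ISAKMP header of RFC 2408, in which the DPD R-U-THERE exchanges of RFC 3706 travel as Informational exchanges (their contents are encrypted, so only the exchange type is visible). The function names, the idle-gap check and all sample packets are constructed for this example; on a real capture you would feed it the UDP/4500 payloads seen leaving and entering the client.

```python
"""Classify UDP/4500 (IPsec NAT-T) payloads and measure how long the tunnel
goes without any keep-alive or IKE control traffic.

Added example (not from the original post).  Assumptions: NAT-T per RFC 3948,
IKEv1 header per RFC 2408, DPD carried in Informational exchanges (RFC 3706).
All sample packets are constructed inline."""
import struct
from collections import Counter
from typing import Iterable, Optional, Tuple

NON_ESP_MARKER = b"\x00\x00\x00\x00"          # RFC 3948 s2.2: IKE over UDP 4500
NAT_KEEPALIVE = b"\xff"                      # RFC 3948 s2.3: one-byte keepalive
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")  # RFC 2408 s3.1: 28-byte header

# IKEv1 exchange types (RFC 2408 s3.1, RFC 2409 quick mode = 32).
IKEV1_EXCHANGE = {
    0: "none", 1: "base", 2: "identity-protection", 3: "auth-only",
    4: "aggressive", 5: "informational", 32: "quick-mode",
}


def classify_udp4500(payload: bytes) -> str:
    """Coarse class of one UDP/4500 payload: nat-keepalive, ike, esp or unknown."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return "ike"
    if len(payload) >= 8:                    # ESP header = SPI(4) + sequence(4)
        return "esp"
    return "unknown"


def ike_exchange_type(payload: bytes) -> Optional[str]:
    """Exchange type of an IKE-over-4500 payload, or None if it is not IKE
    (or is too short to carry a full ISAKMP header)."""
    if classify_udp4500(payload) != "ike":
        return None
    hdr = payload[4:]
    if len(hdr) < ISAKMP_HEADER.size:
        return None
    _icookie, _rcookie, _next, version, exch, _flags, _msgid, _length = \
        ISAKMP_HEADER.unpack_from(hdr)
    major = version >> 4                     # high nibble is the major version
    if major != 1:
        return "ikev%d" % major              # IKEv2 exchange numbering differs
    return IKEV1_EXCHANGE.get(exch, "exchange-%d" % exch)


def summarize(packets: Iterable[bytes]) -> Counter:
    """Count packet classes; IKE packets are broken out by exchange type.
    'ike/informational' is where IKEv1 DPD lives, so zero of them during an
    idle period is the symptom that matches the post."""
    counts: Counter = Counter()
    for p in packets:
        cls = classify_udp4500(p)
        if cls == "ike":
            cls = "ike/" + (ike_exchange_type(p) or "short")
        counts[cls] += 1
    return counts


def longest_control_gap(trace: Iterable[Tuple[float, bytes]]) -> float:
    """Longest interval (seconds) between consecutive control packets, i.e.
    NAT-keepalives or IKE Informational exchanges.  Compare this with the
    DPD threshold the peer is configured with: a gap larger than that is
    enough for the peer to declare the client dead."""
    times = sorted(t for t, p in trace
                   if classify_udp4500(p) == "nat-keepalive"
                   or ike_exchange_type(p) == "informational")
    return max((b - a for a, b in zip(times, times[1:])), default=0.0)


def make_ike(exchange: int, body: bytes = b"") -> bytes:
    """Constructed IKEv1 packet as it would appear on UDP 4500 (sample only)."""
    hdr = ISAKMP_HEADER.pack(b"\x11" * 8, b"\x22" * 8,
                             8,              # next payload: Hash (encrypted phase)
                             0x10,           # version 1.0
                             exchange,
                             0x01,           # flags: encryption bit set
                             0xDEADBEEF,     # message id
                             ISAKMP_HEADER.size + len(body))
    return NON_ESP_MARKER + hdr + body


# Constructed ESP-in-UDP datagram: SPI 0x00001234, sequence 1, 8 bytes of data.
SAMPLE_ESP = b"\x00\x00\x12\x34" + b"\x00\x00\x00\x01" + b"\x00" * 8

# Constructed trace: keepalives every 20 s, then a long silent stretch.
SAMPLE_TRACE = [
    (0.0, NAT_KEEPALIVE),
    (20.0, NAT_KEEPALIVE),
    (40.0, SAMPLE_ESP),
    (60.0, make_ike(5, b"\x00" * 16)),      # Informational: DPD R-U-THERE
    (600.0, NAT_KEEPALIVE),
]

if __name__ == "__main__":
    print(summarize(p for _, p in SAMPLE_TRACE))
    print("longest gap without keepalive/DPD traffic:",
          longest_control_gap(SAMPLE_TRACE), "s")
```

Run it once on a capture from a client with the McAfee firewall service enabled and once with it disabled. If keepalives and Informational exchanges leave the client in both cases but the gap only grows when the service is on, the drops are happening on the inbound side, which points at the host firewall policy rather than the ASA's idle timer. The value to compare against is the DPD threshold configured on the ASA (the `isakmp keepalive threshold` setting under the tunnel group's ipsec-attributes).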