
PIX 7.2(1)23, VPN Drops unless continuous pings.

mcroft
Level 1
Hi,

All of a sudden, my users are complaining of their VPN connection dropping out after 10-15 mins of no use.

I have tested and sure enough it drops off.

However, if I ping an inside IP address (-t), it stays connected just fine.

I am using default settings with no special timeouts/keepalive settings.

Uhmmm

I'm stumped,

Any help appreciated.

thanks

Matt

7 Replies

rakshit.jethva
Level 1
Hi,

Provide the firewall configuration, which can help us to understand what has been configured.

Also let us know whether the issue started from the day users started to use the VPN or whether it started suddenly (after any configuration change at your end).

Have a nice day.

Have a look at this:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#idle

Also enable keepalives in case they are turned off, e.g.:

crypto isakmp keepalive 20

Regards

Farrukh

Hi,

Thanks for the response; the more I look into this, the crazier the problem.

I don't think it's anything to do with idle/session timeout because I have set that to over a couple of hours. It's very weird; it only happens on 3 users, the rest (7 users) are okay.

Config

--------------------------------------

group-policy DfltGrpPolicy attributes
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 15
 vpn-idle-timeout 120
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy clientgroup attributes
 vpn-idle-timeout 240

-------------------------------

Here's some debug from the PIX and from the client:

PIX# VPN-SESSION_DB in SESS_Mgmt_DeleteEntryInt: Account stop failure

PIX# VPN-SESSION_DB in SESS_Mgmt_AddEntry: Account start failure

------------------------------

client debug:

29 11:06:26.428 10/22/08 Sev=Warning/2 CVPND/0xA3400018
Output size mismatch. Actual: 4, Expected: 225. (DRVIFACE:1868)

30 11:06:26.428 10/22/08 Sev=Warning/3 IKE/0xE3000066
Could not find an IKE SA for ***.***.170.73. KEY_REQ aborted.

31 11:06:26.428 10/22/08 Sev=Warning/2 IKE/0xE300009B
Failed to initiate P2 rekey: Error dectected (Initiate:176)

32 11:06:26.428 10/22/08 Sev=Warning/2 IKE/0xE300009B
Unable to initiate QM (IKE_MAIN:458)

33 11:06:26.805 10/22/08 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=10.10.10.193, error 0

34 11:06:27.809 10/22/08 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0

35 11:07:08.625 10/22/08 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 5010
Destination 0.0.0.0
Netmask 0.0.0.0
Gateway 10.10.10.129
Interface 10.10.10.193

36 11:07:08.625 10/22/08 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: 0, Netmask: 0, Interface: a0a32c1, Gateway: a0a3281.

Is there a common OS, like XP or 2k, on these clients?

I think there are some bugs in both OSes pertaining to routes not being added to the routing table. It would be nice to try another VPN client version. Try toggling the 'deterministic network enhancer' ON/OFF. It's under the NIC protocols.

Regards

Farrukh

Hi,

Nope, some use XP and some use Vista.

I have had them upgrade to the latest Cisco VPN Client. (and toggle the Network Enhancer too)

NO difference.

VPN Drops after 5 Mins. (unless ping -T)

This is too crazy.

Pls help

Matt

Try enabling NAT-traversal on both the VPN client and the firewall

crypto isakmp nat-traversal ..

And 'check' the UDP encapsulation option (including NAT-T) on the client.

Regards

Farrukh
