VPN Client to ASA - Connection disconnects with Reason 412 or 433

karim, Level 1

Hi,

Connecting to ASA 5505 (VPN server) via a remote VPN Client (Ver. 5.0.07.0440). Connecting works fine with no issues; however, when no traffic is sent or received over the tunnel the connection disconnects with the message: Secure VPN Connection terminated by Peer. Reason 412 (Reason Not Specified by Peer). Every time it disconnects at the 1 min 38 sec point. To try to resolve this issue, I checked the VPN Client > Properties for the Connection Entry > Transport tab, and the 'Peer response timeout (seconds)' was set to 90 seconds. I changed the seconds from 90 to the maximum 480 seconds and this improved things: now the connection disconnects at the 8 min 8 sec point.

These remote VPN connections are used for remote workers and sometimes the connection stays idle for longer than 8 minutes. Does anyone know how to set it up so that the Peer response timeout is disabled?

Thanks

K

15 Replies

You could try the command vpn-idle-timeout 30. This will set the timeout to 30 minutes.

http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/uz.html#wp1563118

Please rate all helpful posts.


--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

Thanks. 

I did enter the command 'vpn-idle-timeout 30', but the client VPN connection still terminates with the same message and at the 480 second mark.

I also made sure the vpn-session-timeout none was set to disable the timeout.

Not sure why the client VPN connection is disconnecting. I'm looking at the following commands to see if they are causing this issue:

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00

Thanks for helping me

K

Hmm, ok. Please remove the vpn-session-timeout command:

no vpn-session-timeout 30

Are you using a RADIUS server or TACACS+ server to authenticate users? If so, have you checked the timeout on this server?

--
Please remember to select a correct answer and rate helpful posts

I removed the 'no vpn-session-timeout 30' command.  Same disconnect issue and message Reason 433.

No I am not using a RADIUS or TACACS+ server.  I am using local database to authenticate users.

Keep in mind that the RADIUS / TACACS+ timeout will override the locally configured timeout on the ASA (if you are using an authentication server, that is).

--
Please remember to select a correct answer and rate helpful posts

sahseth, Level 1

Hello,

Please try using vpn-session-timeout none command:

vpn-session-timeout

To configure a maximum amount of time allowed for VPN connections, use the vpn-session-timeout command in group-policy configuration mode or in username configuration mode. At the end of this period of time, the security appliance terminates the connection.

To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a time-out value from another group policy. To prevent inheriting a value, use the vpn-session-timeout none command.

vpn-session-timeout {minutes | none}

no vpn-session-timeout

Thanks,

Hi Sahil,

I tried and am now using the 'vpn-session-timeout none' command as follows:

group-policy VPNclientTW attributes
  dns-server value 8.8.8.8 4.2.2.1
  vpn-idle-timeout none
  vpn-session-timeout none
  vpn-tunnel-protocol IPSec

Same issue... Reason 433 (Reason Not Specified by Peer).

Add the following command under the tunnel-group (where x.x.x.x is the IP/name of the tunnel-group):

tunnel-group x.x.x.x general-attributes
  default-group-policy NO-TIMER

If that doesn't help, here is a very good vpn troubleshooting guide.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#vpnconn

--
Please remember to select a correct answer and rate helpful posts

Do you happen to have an additional firewall or NAT'ing device between ASA and the client? There could be a session timeout when there is no traffic.

Check the Statistics on client. Is the connection UDP encapsulated?
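An added configuration example, not from the thread or from Cisco's troubleshooting guide, showing the ASA-side timers that decide whether an idle remote-access tunnel survives, using the group-policy and tunnel-group names that appear in this thread. In the Cisco VPN Client, reason 412 is "The remote peer is no longer responding", i.e. the client's own peer-response (dead-peer-detection) timer expired, which matches the disconnect landing a few seconds after the configured 90 s and then 480 s; reason 433 is "Reason not specified by peer", meaning the ASA sent the delete. The group-policy block repeats what the poster already has. The `isakmp keepalive` line (ASA-side DPD) and the `crypto isakmp nat-traversal` line (NAT-T keepalive interval, relevant to Peter's question) are the settings to verify; the values shown are the documented defaults and are assumed here, not taken from the poster's configuration. `show running-config all` displays defaults that `show running-config` hides.

```text
! Group policy: no ASA-side idle or absolute session timer
! (this part is what the poster already has configured)
group-policy VPNclientTW attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec
!
! Tunnel group: bind the policy and set ASA-side dead-peer detection.
! threshold = idle seconds before the ASA sends an IKE DPD probe,
! retry = seconds between unanswered probes. The client's half of DPD
! is the "Peer response timeout" the poster changed on the client.
tunnel-group VPNClientSW2 general-attributes
 default-group-policy VPNclientTW
tunnel-group VPNClientSW2 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
!
! NAT-T keepalive interval in seconds: refreshes the UDP/4500 mapping
! on any NAT/PAT device between client and ASA while the tunnel is idle,
! so a short UDP mapping timeout on that device does not strand the SA.
crypto isakmp nat-traversal 20
```

If the tunnel-group instead carries `isakmp keepalive disable`, the ASA never probes the client and the client's timer is the only thing deciding when an idle tunnel is declared dead.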

Hi Peter,

There is no other firewall and NAT is not the issue.

Hi Marius,

I checked the default-group-policy NO-TIMER... and it is not supported on the ASA we have installed.

Please connect to the VPN and, while the PC is connected, issue the following command on the ASA and post it here:

sh vpn-sessiondb detail remote

Which ASA version are you running?

Have you tried to disable threat detection to see if that solves the issue (threat detection can cause a lot of overhead on the ASA process)?

no threat-detection basic-threat
no threat-detection scanning-threat shun
no threat-detection statistics
no threat-detection rate

--
Please remember to select a correct answer and rate helpful posts

I tried to disable threat detection and that did not resolve the issue.

As requested, I connected to the VPN and, while connected, captured the following output of sh vpn-sessiondb detail remote:

asa# show vpn-sessiondb detail remote

Session Type: IPsec Detailed

Username     : user9                  Index        : 48
Assigned IP  : 10.168.0.12            Public IP    : 55.55.55.55
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : 3DES AES128            Hashing      : SHA1
Bytes Tx     : 0                      Bytes Rx     : 212
Pkts Tx      : 0                      Pkts Rx      : 2
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : VPNClientSW            Tunnel Group : VPNClientSW2
Login Time   : 22:48:44 UTC Thu Sep 4 2008
Duration     : 0h:00m:27s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

IKE Tunnels: 1
IPsecOverNatT Tunnels: 1

IKE:
  Tunnel ID    : 48.1
  UDP Src Port : 65008                  UDP Dst Port : 4500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 86379 Seconds
  D/H Group    : 2
  Filter Name  :
  Client OS    : WinNT                  Client OS Ver: 5.0.07.0440

IPsecOverNatT:
  Tunnel ID    : 48.2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 10.168.0.12/255.255.255.255/0/0
  Encryption   : AES128                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28778 Seconds
  Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes
  Bytes Tx     : 0                      Bytes Rx     : 212
  Pkts Tx      : 0                      Pkts Rx      : 2

NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 22 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :

asa#
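An added example, not part of the thread and not Cisco code: a small Python parser for the `show vpn-sessiondb detail remote` output above, with the checks a practitioner would run over it. Two details in the posted output bear directly on Peter's NAT question: the protocol is IPsecOverNatT on UDP/4500, and the IKE source port the ASA sees is 65008 rather than 4500, which is what a PAT device between the client and the ASA produces. `Idle Time Out: 0 Minutes` confirms there is no ASA-side idle timer. The parser also flags IKE aggressive mode with a pre-shared key, since that exchange exposes a hash of the group key to anyone who can capture it. The sample input is the posted output trimmed to the lines the checks use; the field names are those the ASA printed, while the function names and the findings dictionary are this example's own.

```python
"""Parse 'show vpn-sessiondb detail remote' output and report what matters
for an idle-tunnel disconnect.  Added example, not code from the thread or
from Cisco; it assumes the ASA's two-column "label : value" layout."""
import re
from typing import Dict

# Constructed sample: the session output posted above, trimmed to the
# lines the checks below use.
SAMPLE = """\
Session Type: IPsec Detailed

Username     : user9                  Index        : 48
Assigned IP  : 10.168.0.12            Public IP    : 55.55.55.55
Protocol     : IKE IPsecOverNatT
Encryption   : 3DES AES128            Hashing      : SHA1
Bytes Tx     : 0                      Bytes Rx     : 212
Group Policy : VPNClientSW            Tunnel Group : VPNClientSW2
Login Time   : 22:48:44 UTC Thu Sep 4 2008
Duration     : 0h:00m:27s

IKE:
  Tunnel ID    : 48.1
  UDP Src Port : 65008                  UDP Dst Port : 4500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 86379 Seconds
  Filter Name  :

IPsecOverNatT:
  Tunnel ID    : 48.2
  Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes
  Bytes Tx     : 0                      Bytes Rx     : 212
"""

# "Label : value" with an optional second column separated by two or more
# spaces.  Labels stop at the first colon, so values containing colons
# (Duration, Login Time) still parse.
LINE_RE = re.compile(
    r"^\s*(?P<k1>[^:]+?)\s*:\s*(?P<v1>.*?)"
    r"(?:\s{2,}(?P<k2>[^:]+?)\s*:\s*(?P<v2>.*?))?\s*$"
)
# Section headers ("IKE:", "IPsecOverNatT:") start in column 0 with no value.
HEADER_RE = re.compile(r"^(\S[^:]*):\s*$")
DURATION_RE = re.compile(r"(\d+)h:(\d+)m:(\d+)s")


def parse_duration(text: str) -> int:
    """'0h:00m:27s' -> 27 (seconds)."""
    m = DURATION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def parse_sessiondb(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {label: value}}; top-level fields go under 'session'."""
    sections: Dict[str, Dict[str, str]] = {"session": {}}
    current = "session"
    for line in text.splitlines():
        if not line.strip():
            continue
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # prompt lines and anything without a colon
        fields = sections[current]
        fields[m.group("k1").strip()] = m.group("v1").strip()
        if m.group("k2"):
            fields[m.group("k2").strip()] = m.group("v2").strip()
    return sections


def analyze(sess: Dict[str, Dict[str, str]]) -> dict:
    """Findings relevant to an idle-tunnel disconnect (names are this example's own)."""
    top = sess["session"]
    ike = sess.get("IKE", {})
    # The IPsec section is named after the encapsulation the ASA negotiated.
    ipsec = next((sess[k] for k in sess if k.startswith("IPsec")), {})
    nat_t = "NatT" in top.get("Protocol", "") or ike.get("UDP Dst Port") == "4500"
    src_port = ike.get("UDP Src Port", "")
    return {
        # NAT-T negotiated: the peers detected a NAT between them.
        "nat_t": nat_t,
        # The client sends NAT-T from UDP 4500; any other port at the ASA
        # means a PAT device rewrote it, so its UDP mapping timeout matters.
        "source_port_translated": nat_t and src_port not in ("500", "4500"),
        # Aggressive mode + PSK exposes a hash of the group key on the wire.
        "aggressive_mode_psk": ike.get("IKE Neg Mode") == "Aggressive"
        and ike.get("Auth Mode") == "preSharedKeys",
        # 0 here means no ASA-side idle timer (vpn-idle-timeout none).
        "asa_idle_timeout_min": int(ipsec.get("Idle Time Out", "0").split()[0]),
        # Nothing has been sent to the client over the IPsec SA yet.
        "asa_sent_nothing": top.get("Bytes Tx") == "0",
        "duration_s": parse_duration(top.get("Duration", "0h:00m:00s")),
    }


if __name__ == "__main__":
    report = analyze(parse_sessiondb(SAMPLE))
    for key, value in report.items():
        print(f"{key:24} {value}")
    if report["source_port_translated"]:
        print("NAT-T with a translated source port: a NAT/PAT device sits between "
              "client and ASA; check its UDP mapping timeout and the NAT-T keepalive.")
```

Run it against a fresh `show vpn-sessiondb detail remote` capture taken just before the disconnect and compare `duration_s` with the client's peer-response timeout; a session that always dies a few seconds past that value is being torn down by the client's own timer, not by the ASA's group-policy timeouts.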

I am starting to think you are hitting a bug. What ASA version are you running?

--
Please remember to select a correct answer and rate helpful posts