11-13-2013 08:43 AM
Hi,
Connecting to ASA 5505 (VPN server) via a remote VPN Client (Ver. 5.0.07.0440). Connecting works fine with no issues, however when no traffic is sent or received over the tunnel the connection disconnects with the message: Secure VPN Connection terminated by Peer. Reason 412 (Reason Not Specified by Peer). Every time it disconnects at the 1min 38sec point. To try to resolve this issue, I checked the VPN Client > Properties for the Connection Entry > Transport tab, and the 'Peer response timeout (seconds)' was set to 90 seconds. I changed the seconds from 90 to the maximum 480 seconds and this improved things - now the connection disconnects at the 8min 8sec point.
These remote VPN connections are used for remote workers and sometimes the connections stay idle for longer than 8 minutes. Does anyone know how to set it up so that the Peer response timeout is disabled?
Thanks
K
11-16-2013 03:40 PM
You could try the command vpn-idle-timeout 30. This will set the timeout to 30 minutes.
http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/uz.html#wp1563118
Please rate all helpful posts.
11-18-2013 10:36 AM
Hi Marius,
Thanks.
I did enter the command 'vpn-idle-timeout 30' but the client VPN connection still terminates with the same message and at the 480 second mark.
I also made sure the vpn-session-timeout none was set to disable the timeout.
Not sure why client VPN connection is disconnecting. I'm looking at the following commands to see if they are causing this issue:
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
Thanks for helping me
K
11-18-2013 12:22 PM
Hmm ok, please remove the vpn-session-timeout command
no vpn-session-timeout 30
Are you using a RADIUS server or TACACS+ server to authenticate users? If so, have you checked the timeout on this server?
11-20-2013 08:05 PM
I removed the 'no vpn-session-timeout 30' command. Same disconnect issue and message Reason 433.
No I am not using a RADIUS or TACACS+ server. I am using local database to authenticate users.
11-19-2013 12:21 AM
Keep in mind that the RADIUS / TACACS+ timeout will override the locally configured timeout on the ASA (if you are using an authentication server, that is).
11-18-2013 01:15 PM
Hello,
Please try using vpn-session-timeout none command:
To configure a maximum amount of time allowed for VPN connections, use the vpn-session-timeout command in group-policy configuration mode or in username configuration mode. At the end of this period of time, the security appliance terminates the connection.
To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a time-out value from another group policy. To prevent inheriting a value, use the vpn-session-timeout none command.
vpn-session-timeout {minutes | none}
no vpn-session-timeout
Thanks,
11-20-2013 08:12 PM
Hi Sahil,
I tried and am now using the 'vpn-session-timeout none' command as follows:
group-policy VPNclientTW attributes
dns-server value 8.8.8.8 4.2.2.1
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec
Same issue ...Reason 433: (Reason Not Specified by Peer)
11-21-2013 12:08 AM
Add the following command under the tunnel-group (where x.x.x.x is the IP/name of the tunnel-group)
tunnel-group x.x.x.x general-attributes
default-group-policy NO-TIMER
If that doesn't help, here is a very good vpn troubleshooting guide.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#vpnconn
--
Please rate all helpful posts
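The inheritance rule and the tunnel-group binding discussed in the posts above, as an added example that is not part of the thread and not Cisco's code: it reads running-config text and resolves which group policy each tunnel group applies and the effective vpn-idle-timeout and vpn-session-timeout after inheritance. Apart from NO-TIMER, the policy and tunnel-group names in the sample are constructed, and the DfltGrpPolicy values (idle 30, session none) are assumed defaults.

```python
# Assumed built-in DfltGrpPolicy values; confirm on the device with
# "show running-config all group-policy DfltGrpPolicy".
DEFAULTS = {"vpn-idle-timeout": "30", "vpn-session-timeout": "none"}

# Constructed sample config; REMOTE-USERS and the TG-* names are hypothetical.
SAMPLE_CONFIG = """\
group-policy NO-TIMER internal
group-policy NO-TIMER attributes
 vpn-idle-timeout none
 vpn-session-timeout none
group-policy REMOTE-USERS internal
group-policy REMOTE-USERS attributes
 vpn-tunnel-protocol IPSec
tunnel-group TG-BOUND type remote-access
tunnel-group TG-BOUND general-attributes
 default-group-policy NO-TIMER
tunnel-group TG-INHERIT type remote-access
tunnel-group TG-INHERIT general-attributes
 default-group-policy REMOTE-USERS
tunnel-group TG-UNBOUND type remote-access
"""

def effective_timers(config):
    """Map each tunnel-group to (applied policy, effective timer values)."""
    policies, bindings, ctx = {}, {}, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):      # a top-level line ends any sub-mode
            ctx = None
            if words[0] == "group-policy" and len(words) >= 3:
                policies.setdefault(words[1], {})
                ctx = ("gp", words[1]) if words[2] == "attributes" else None
            elif words[0] == "tunnel-group" and len(words) >= 3:
                bindings.setdefault(words[1], "DfltGrpPolicy")  # unbound groups
                ctx = ("tg", words[1]) if words[2] == "general-attributes" else None
        elif ctx and ctx[0] == "gp" and words[0] in DEFAULTS and len(words) > 1:
            policies[ctx[1]][words[0]] = words[1]
        elif ctx and ctx[0] == "tg" and words[0] == "default-group-policy" and len(words) > 1:
            bindings[ctx[1]] = words[1]
    # A timer missing from a policy is inherited from DfltGrpPolicy,
    # which the config may itself have overridden.
    base = {**DEFAULTS, **policies.get("DfltGrpPolicy", {})}
    return {tg: (pol, {**base, **policies.get(pol, {})})
            for tg, pol in bindings.items()}
```

Feeding it the real running-config shows at a glance whether the policy that was edited is the one the connecting tunnel group actually uses, and which timers fall back to inherited values.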
11-21-2013 02:22 PM
Do you happen to have an additional firewall or NAT'ing device between ASA and the client? There could be a session timeout when there is no traffic.
Check the Statistics on client. Is the connection UDP encapsulated?
11-28-2013 10:28 AM
Hi Peter,
There is no other firewall and NAT is not the issue.
11-28-2013 10:27 AM
Hi Marius,
I checked the default-group-policy NO-TIMER...and it is not supported on the ASA we have installed.
11-28-2013 11:08 AM
Please connect to the VPN and while the PC is connected issue the following command on the ASA and post it here.
sh vpn-sessiondb detail remote
Which ASA version are you running?
Have you tried to disable threat detection to see if that solves the issue (threat detection can cause a lot of overhead on the ASA process)?
no threat-detection basic-threat
no threat-detection scanning-threat shun
no threat-detection statistics
no threat-detection rate
--
Please rate all helpful posts and select correct answer
11-29-2013 01:29 PM
I tried to disable threat detection and that did not resolve the issue.
As requested, I connected to the VPN and while connected, the following is the sh vpn-sessiondb detail remote:
asa# show vpn-sessiondb detail remote
Session Type: IPsec Detailed
Username : user9 Index : 48
Assigned IP : 10.168.0.12 Public IP : 55.55.55.55
Protocol : IKE IPsecOverNatT
License : IPsec
Encryption : 3DES AES128 Hashing : SHA1
Bytes Tx : 0 Bytes Rx : 212
Pkts Tx : 0 Pkts Rx : 2
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : VPNClientSW Tunnel Group : VPNClientSW2
Login Time : 22:48:44 UTC Thu Sep 4 2008
Duration : 0h:00m:27s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
IKE Tunnels: 1
IPsecOverNatT Tunnels: 1
IKE:
Tunnel ID : 48.1
UDP Src Port : 65008 UDP Dst Port : 4500
IKE Neg Mode : Aggressive Auth Mode : preSharedKeys
Encryption : 3DES Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 86379 Seconds
D/H Group : 2
Filter Name :
Client OS : WinNT Client OS Ver: 5.0.07.0440
IPsecOverNatT:
Tunnel ID : 48.2
Local Addr : 0.0.0.0/0.0.0.0/0/0
Remote Addr : 10.168.0.12/255.255.255.255/0/0
Encryption : AES128 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 28778 Seconds
Idle Time Out: 0 Minutes Idle TO Left : 0 Minutes
Bytes Tx : 0 Bytes Rx : 212
Pkts Tx : 0 Pkts Rx : 2
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 22 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
asa#
11-29-2013 02:25 PM
I am starting to think you are hitting a bug. What ASA version are you running?
--
Please remember to rate and select a correct answer