06-10-2007 06:44 AM
Hi, I am trying to deploy a site-to-site VPN from a remote site to the central location. It seems that after some period of inactivity, users experience some kind of connection timeout. (Users send a heavy processing query to the SQL server, and after, for example, 10 minutes of processing they lose the connection? Other "non-timed-out" users work fine at that time.) When that happens the VPN is still up, and the timed-out users can connect to the server again.
Here is the part of the configuration related to the VPN:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key xxxx address xxx.xxx.xxx.xxx
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 5
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto map vpn-crosig 100 ipsec-isakmp
set peer 213.x.x.148
set transform-set strong
match address vpn-crosig
reverse-route remote-peer
!
!
!
!
interface FastEthernet0
description >>Prema VM mrezi<<
ip address xxx.xxx.xxx.xxx 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
priority-group 1
no cdp enable
crypto map vpn-crosig
!
tion hdlc
shutdown
!
interface FastEthernet2
switchport access vlan 100
no cdp enable
!
interface Vlan100
description >>Prema LAN<<
ip address 192.168.0.1 255.255.255.0
ip access-group 154 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1400
no snmp trap link-status
priority-group 1
!
!
ip default-gateway 80.x.x.209
ip route 0.0.0.0 0.0.0.x.x.173.209
!
ip nat pool vpn 172.30.144.82 172.30.144.94 prefix-length 28
ip nat inside source route-map internet interface FastEthernet0 overload
ip nat inside source route-map vpn pool vpn
ip access-list extended internet
deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended vpn
permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
ip access-list extended vpn-crosig
permit ip 172.30.144.80 0.0.0.15 10.0.0.0 0.255.255.255
At the central site I am using a VPN 3000 series concentrator, and the clients are trying to connect to 10.0.0.0/8 at the central site.
06-12-2007 04:32 AM
Hi,
Are you sure that the VPN disconnects only when users send an SQL query?
I guess the amount of bandwidth being used by the total number of users exceeds the 'Bandwidth Assignment' for that VPN group.
Since you have not configured any bandwidth assignment policy here, the default policy will be pushed. [Increase the B/W allotment or reduce the number of users in the group.]
You can cross-verify by limiting the number of users for this tunnel, passing the traffic and observing the status.
--Jaffer
06-12-2007 06:56 AM
Thanks Jaffer.
It seems that the problem was on the Check Point between the VPN concentrator and the SQL server.
After some period of inactivity the Check Point simply dropped the TCP connection to the SQL server.
Setting the TCP keepalive parameters on the user PCs solved the issue.
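The post above does not say which keepalive parameters were changed. On Windows the system-wide ones are the KeepAliveTime and KeepAliveInterval values under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, and the default KeepAliveTime of two hours is far longer than any stateful firewall's idle timer, so a client blocked on a long-running query sends nothing and the firewall expires the session. The following is an added example, not code from the thread or from any of the products named in it: it applies the same fix per socket from the application side and sizes the timers from an assumed firewall idle timeout (600 s, roughly the ten minutes reported above). The function names, the loopback stand-in for the SQL Server connection and the timeout value are all this example's own assumptions.

```python
"""Per-socket TCP keepalive so an idle-but-live connection (a client waiting
on a long SQL query) is not silently dropped by a stateful firewall's idle
timer.  Added example; names and values are assumptions, not the thread's."""
import socket
import sys


def choose_timers(firewall_idle_s, probe_interval_s=30, probe_count=3):
    """Pick keepalive timers that fire before an in-path firewall expires
    the session.  The first probe leaves after `idle_s` seconds of silence,
    so it must be well under the firewall's idle timeout; half of it leaves
    room for a probe that is lost or delayed."""
    if firewall_idle_s < 2 * probe_interval_s:
        raise ValueError("firewall idle timeout too short for these probe settings")
    idle_s = firewall_idle_s // 2
    return idle_s, probe_interval_s, probe_count


def enable_tcp_keepalive(sock, idle_s, interval_s, count):
    """Turn keepalive on and, where the platform allows it, set the timers
    on this socket so they do not depend on the OS-wide defaults."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if sys.platform.startswith("win"):
        # Windows: SIO_KEEPALIVE_VALS takes (on/off, idle ms, interval ms);
        # the probe count is fixed by the OS.
        sock.ioctl(socket.SIO_KEEPALIVE_VALS, (1, idle_s * 1000, interval_s * 1000))
        return
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None)       # Linux
    if idle_opt is None:
        idle_opt = getattr(socket, "TCP_KEEPALIVE", None)  # macOS / BSD
    if idle_opt is not None:
        sock.setsockopt(socket.IPPROTO_TCP, idle_opt, idle_s)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval_s)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)


def keepalive_settings(sock):
    """Read back what the kernel holds for this socket; None where the
    option does not exist (or cannot be read) on this platform."""
    def get(name):
        opt = getattr(socket, name, None)
        if opt is None:
            return None
        try:
            return sock.getsockopt(socket.IPPROTO_TCP, opt)
        except OSError:
            return None

    idle = get("TCP_KEEPIDLE")
    if idle is None:
        idle = get("TCP_KEEPALIVE")
    return {
        "enabled": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)),
        "idle": idle,
        "interval": get("TCP_KEEPINTVL"),
        "count": get("TCP_KEEPCNT"),
    }


def demo(firewall_idle_s=600):
    """Open a loopback connection standing in for the client -> SQL Server
    session (constructed for the example), apply timers sized for the
    assumed firewall idle timeout, and return what the kernel now holds."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    server, _ = listener.accept()
    try:
        idle_s, interval_s, count = choose_timers(firewall_idle_s)
        enable_tcp_keepalive(client, idle_s, interval_s, count)
        return keepalive_settings(client)
    finally:
        server.close()
        client.close()
        listener.close()


if __name__ == "__main__":
    print(demo())
```

Per-socket timers are preferable to the registry change where the client software allows it, because they only shorten the idle period for the long-lived sessions that need it; the system-wide value affects every TCP connection on the PC. Either way, the probe idle time must stay below the firewall's idle timeout, and the firewall must treat the keepalive exchange as activity on the session for the fix to hold.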