topic To be more specific, you don in Network Security

Cisco VPN Client session disconnect

Luis Carranza — Tue, 12 Mar 2019 07:08:46 GMT

Hi guys

Hope you're great, I got a question about something that is happening right now. I already configure some VPN accounts but I'm noticing that if i do nothing the session disconnected me in 1 minute and 37 seconds approximately. About the timeout configuration on the groupo polciy is Unlimited and the configuration in the VPN accounts are also unlimited. Also i compare the configuration with other FW that is from the same customer and is the same so I don't understand why the session are getting disconnected. The message error that I get is the 412: the remote peer is no longer responding.

One workaround that i found is that if i execute a ping to an IP that is on the Secured Routes the session it wont disconnected me but as soon as I stop the ping it take like 1 minute and i get the same message (412).

Do have any idea about what else i need to configure, I'm running out of ideas.

Regards

Are you connecting through

Philip D'Ath — Fri, 15 Jan 2016 01:56:37 GMT

Are you connecting through another device doing a NAT translation by chance? I bet it is timing out the UDP session (which would also explain the ping working).

Do you have a different Internet connection you could connect via to prove this is the case?

Hi Phillip

Luis Carranza — Tue, 19 Jan 2016 21:35:54 GMT

Hi Phillip

Thanks for the answer, well as far as I know there is no NAT translation but I'll check if I can increase the UDP session.

About using another connection I already tried from my house and the same thing is happening.

Regards

Is the VPN head end an ASA or

Philip D'Ath — Tue, 19 Jan 2016 22:02:09 GMT

Is the VPN head end an ASA or IOS router? Does it connect directly to the Internet with an IPv4 address?

Could you post the related VPN config?

The VPN end an ASA and it

Luis Carranza — Tue, 19 Jan 2016 22:13:29 GMT

The VPN end an ASA and it connects directly to the Internet with an IPv4 address. Do you think that the "Global Timeouts" had anything to do with this problem, I mean maybe if I change the time it could help but I don't know.

Here's some of the VPN configuration.

threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy Client_Policy internal
group-policy Client_Policy attributes
wins-server none
dns-server value 8.8.8.8
vpn-simultaneous-logins 2
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Red_VPN
default-domain none

Regards.

It wont have anything to do

Philip D'Ath — Wed, 20 Jan 2016 03:40:56 GMT

It wont have anything to do with the global timeouts.

Is there any chance you sit behind a service provider firewall?

This is an IKEv1 VPN, correct?

Yes this is an IKE v1 VPN.

Luis Carranza — Wed, 20 Jan 2016 16:17:05 GMT

Yes this is an IKE v1 VPN.

About the other thing I will try to sit behind a service provider firewall.

Another thing on the VPN client log appears the next messages

1 10:06:48.909 01/20/16 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.25.3.49, error 0

2 10:06:49.915 01/20/16 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0

Regards

To be more specific, you don

Philip D'Ath — Wed, 20 Jan 2016 19:56:41 GMT

To be more specific, you don't want to sit behind service provider firewall. If you are, they might be timing out the sessions.

Perhaps try adding a keepalive and see if that changes the behaviour. If you are running older ASA software try:

crypto isakmp keepalive 10

If it doesn't take that command perhaps try:

crypto isakmp nat-traversal 10

Hi Phillip

Luis Carranza — Wed, 20 Jan 2016 21:36:54 GMT

Hi Phillip

I will try the commands that you post and see what happen. Also I request to the area who admin the Routers to verify if maybe there's a timer or something that could be affecting this connection.

I will keep you post with the results.

Regards