VPN client asks for re-authentication between 20 and 50 minutes

v.matiakis
Level 1

Hi,

We have configured a 2801 to aggregate some VPN clients. The problem is that every 20 to 50 minutes it asks for re-authentication even though the connection is not idle. Is there a timer that creates this problem?

Below is the applied configuration:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp client configuration group GROUP
 key KEY
 dns x.x.x.x
 domain DOMAIN
 pool DIAL-POOL
 acl vpn-traffic
 netmask 255.255.255.0
!
crypto ipsec transform-set SET esp-aes esp-sha-hmac
!
crypto dynamic-map DYN-MAP 1
 set transform-set SET
 reverse-route
!
crypto map DIAL-MAP client authentication list default
crypto map DIAL-MAP isakmp authorization list default
crypto map DIAL-MAP client configuration address respond
crypto map DIAL-MAP 65535 ipsec-isakmp dynamic DYN-MAP

Thank you in advance

1 Reply

Herbert Baerten
Cisco Employee

Hi V,

Note that your ISAKMP policy has "lifetime 3600", which means your ISAKMP SA will only be valid for one hour, so the client will initiate a new ISAKMP (phase 1) session a 'short' time before the current one expires. How much time depends on some different factors, but around 40-50 mins seems quite normal; 20 minutes is strange.

Usually there is no need to set the ISAKMP (phase 1) lifetime so low; 8h or even 24h should be OK. Note that you still have a phase 2 rekey every hour (with default settings), so the ISAKMP keying material (sort of the "master key") will change only once every 8 or 24h, but the actual encryption key will still change every hour (or rather, every 48 mins or so).

If you still see any behavior that is not consistent with this explanation (e.g. re-auth after 20 mins, or the time between re-auths doesn't change when you increase the lifetime), then have a look at the client logs to see if there is a clue as to why it is doing that. Increase the log level detail as follows:

- close the client
- edit the vpnclient.ini file
- change all LogLevel entries to 15
- save the file
- open the client again and don't touch the log levels

hth
Herbert

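Added example, not part of the original thread: the phase 1 policy from the posted config as it stands (one-hour ISAKMP SA) next to the same policy with the lifetime raised to 8 hours as the reply suggests, the phase 2 (IPsec SA) lifetime written out at its IOS default, and the show commands used to confirm the remaining lifetimes afterwards. The 28800-second value is the assumption here (the reply only says "8h or even 24h"; the IOS default for an ISAKMP policy is 86400 s); the other names and values are the ones from the post. Only one of the two policy 1 blocks should be applied; they are shown side by side for comparison.

```cisco
! --- As posted (weak setting): ISAKMP SA valid for 3600 s (1 hour).
! The client starts a new phase 1, including the XAUTH credential prompt,
! a while before this expires, which is the re-authentication seen every
! 40-50 minutes.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
! --- Corrected: ISAKMP SA valid for 28800 s (8 hours; assumed value).
! This is the setting that stretches the interval between credential prompts.
! encr/group are left as posted; raising the lifetime does not change their
! strength, but aes and a stronger DH group are preferable where the client
! supports them.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
! --- Phase 2: IPsec SA lifetime, explicitly set to the IOS default of 3600 s.
! This only governs how often the data-encryption keys are refreshed (the
! "every 48 mins or so" rekey in the reply); it never prompts the user, so it
! can stay at one hour while phase 1 is much longer.
crypto ipsec security-association lifetime seconds 3600
!
! --- Checks after the client has reconnected (run from privileged EXEC):
!   show crypto isakmp sa detail    Lifetime column should start near 28800
!                                   and count down; if it still shows ~3600,
!                                   the client proposed the shorter value
!                                   (IKEv1 uses the lower of the two peers').
!   show crypto ipsec sa            "remaining key lifetime (k/sec)" per SA,
!                                   counting down from 3600 s.
!   show crypto session detail      per-peer session uptime; a phase 1 session
!                                   that restarts well before 28800 s points at
!                                   the client side, which is when the
!                                   vpnclient.ini LogLevel change applies.
```

Apply the corrected policy, let one client stay connected, and compare the ISAKMP Lifetime column at connect time with its value an hour later: it should keep counting down past the old 3600 s mark with no new XAUTH prompt, while the IPsec SA counter wraps once an hour.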