
Cisco VPN Client session disconnect

Luis Carranza
Level 1

Hi guys

Hope you're doing great. I have a question about something that is happening right now. I already configured some VPN accounts, but I'm noticing that if I do nothing the session disconnects me in approximately 1 minute and 37 seconds. The timeout configuration on the group policy is Unlimited and the configuration in the VPN accounts is also unlimited. I also compared the configuration with another FW from the same customer and it is the same, so I don't understand why the sessions are getting disconnected. The error message that I get is 412: the remote peer is no longer responding.

One workaround that I found is that if I run a ping to an IP that is on the Secured Routes, the session won't disconnect me, but as soon as I stop the ping it takes about 1 minute and I get the same message (412).

Do you have any idea about what else I need to configure? I'm running out of ideas.

Regards


Philip D'Ath
VIP Alumni

Are you connecting through another device doing a NAT translation by chance? I bet it is timing out the UDP session (which would also explain the ping working).

Do you have a different Internet connection you could connect via to prove this is the case?

Hi Philip

Thanks for the answer. Well, as far as I know there is no NAT translation, but I'll check if I can increase the UDP session.

About using another connection, I already tried from my house and the same thing is happening.

Regards

Is the VPN head end an ASA or IOS router? Does it connect directly to the Internet with an IPv4 address?

Could you post the related VPN config?

The VPN end is an ASA and it connects directly to the Internet with an IPv4 address. Do you think that the "Global Timeouts" have anything to do with this problem? I mean, maybe if I change the time it could help, but I don't know.

Here's some of the VPN configuration.

threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy Client_Policy internal
group-policy Client_Policy attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-simultaneous-logins 2
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Red_VPN
 default-domain none
 

Regards.

It won't have anything to do with the global timeouts.

Is there any chance you sit behind a service provider firewall?

This is an IKEv1 VPN, correct?

Yes, this is an IKEv1 VPN.

About the other thing, I will try to sit behind a service provider firewall.

Another thing: the following messages appear in the VPN client log:

1      10:06:48.909  01/20/16  Sev=Warning/2    CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.25.3.49, error 0

2      10:06:49.915  01/20/16  Sev=Warning/2    CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0

Regards

To be more specific, you don't want to sit behind a service provider firewall. If you are, they might be timing out the sessions.

Perhaps try adding a keepalive and see if that changes the behaviour. If you are running older ASA software try:

crypto isakmp keepalive 10

If it doesn't take that command perhaps try:

crypto isakmp nat-traversal 10

Hi Philip

I will try the commands that you posted and see what happens. I also asked the area that administers the routers to verify whether there's a timer or something that could be affecting this connection.

I will keep you posted with the results.

Regards
