01-14-2016 04:41 PM - edited 03-12-2019 12:08 AM
Hi guys
Hope you're great. I have a question about something that is happening right now. I already configured some VPN accounts, but I'm noticing that if I do nothing the session disconnects me in approximately 1 minute and 37 seconds. The timeout configuration on the group policy is Unlimited, and the configuration in the VPN accounts is also unlimited. I also compared the configuration with another FW that is from the same customer and it is the same, so I don't understand why the sessions are getting disconnected. The error message that I get is 412: the remote peer is no longer responding.
One workaround that I found is that if I execute a ping to an IP that is on the Secured Routes, the session won't disconnect me, but as soon as I stop the ping it takes about 1 minute and I get the same message (412).
Do you have any idea about what else I need to configure? I'm running out of ideas.
Regards
01-14-2016 05:56 PM
Are you connecting through another device doing a NAT translation by chance? I bet it is timing out the UDP session (which would also explain the ping working).
Do you have a different Internet connection you could connect via to prove this is the case?
01-19-2016 01:35 PM
Hi Phillip
Thanks for the answer. Well, as far as I know there is no NAT translation, but I'll check if I can increase the UDP session.
About using another connection, I already tried from my house and the same thing is happening.
Regards
01-19-2016 02:02 PM
Is the VPN head end an ASA or IOS router? Does it connect directly to the Internet with an IPv4 address?
Could you post the related VPN config?
01-19-2016 02:13 PM
The VPN end is an ASA and it connects directly to the Internet with an IPv4 address. Do you think that the "Global Timeouts" have anything to do with this problem? I mean, maybe if I change the time it could help, but I don't know.
Here's some of the VPN configuration.
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy Client_Policy internal
group-policy Client_Policy attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-simultaneous-logins 2
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Red_VPN
 default-domain none
Regards.
01-19-2016 07:40 PM
It won't have anything to do with the global timeouts.
Is there any chance you sit behind a service provider firewall?
This is an IKEv1 VPN, correct?
01-20-2016 08:17 AM
Yes, this is an IKE v1 VPN.
About the other thing, I will try to sit behind a service provider firewall.
Another thing: the following messages appear in the VPN client log:
1 10:06:48.909 01/20/16 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.25.3.49, error 0
2 10:06:49.915 01/20/16 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
Regards
01-20-2016 11:56 AM
To be more specific, you don't want to sit behind a service provider firewall. If you are, they might be timing out the sessions.
Perhaps try adding a keepalive and see if that changes the behaviour. If you are running older ASA software try:
crypto isakmp keepalive 10
If it doesn't take that command perhaps try:
crypto isakmp nat-traversal 10
01-20-2016 01:36 PM
Hi Phillip
I will try the commands that you posted and see what happens. I also asked the area that administers the routers to verify whether there's a timer or something that could be affecting this connection.
I will keep you posted with the results.
Regards