Hope you're great. I have a question about something that is happening right now. I have already configured some VPN accounts, but I'm noticing that if I do nothing the session disconnects me in approximately 1 minute and 37 seconds. The timeout configuration on the group policy is Unlimited, and the configuration in the VPN accounts is also unlimited. I also compared the configuration with another FW from the same customer and it is the same, so I don't understand why the sessions are getting disconnected. The error message that I get is 412: the remote peer is no longer responding.
One workaround that I found is that if I run a ping to an IP that is on the Secured Routes the session won't disconnect me, but as soon as I stop the ping it takes about 1 minute and I get the same message (412).
Do you have any idea what else I need to configure? I'm running out of ideas.
Are you connecting through another device doing a NAT translation by chance? I bet it is timing out the UDP session (which would also explain the ping working).
Do you have a different Internet connection you could connect via to prove this is the case?
Thanks for the answer. Well, as far as I know there is no NAT translation, but I'll check if I can increase the UDP session.
About using another connection, I already tried from my house and the same thing is happening.
Is the VPN head end an ASA or IOS router? Does it connect directly to the Internet with an IPv4 address?
Could you post the related VPN config?
The VPN end is an ASA and it connects directly to the Internet with an IPv4 address. Do you think that the "Global Timeouts" have anything to do with this problem? I mean, maybe if I change the time it could help, but I don't know.
Here's some of the VPN configuration.
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy Client_Policy internal
group-policy Client_Policy attributes
dns-server value 18.104.22.168
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
split-tunnel-network-list value Red_VPN
It won't have anything to do with the global timeouts.
Is there any chance you sit behind a service provider firewall?
This is an IKEv1 VPN, correct?
Yes, this is an IKEv1 VPN.
About the other thing I will try to sit behind a service provider firewall.
Another thing: the following messages appear in the VPN client log:
1 10:06:48.909 01/20/16 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.25.3.49, error 0
2 10:06:49.915 01/20/16 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
To be more specific, you don't want to sit behind a service provider firewall. If you are, they might be timing out the sessions.
Perhaps try adding a keepalive and see if that changes the behaviour. If you are running older ASA software try:
crypto isakmp keepalive 10
If it doesn't take that command perhaps try:
crypto isakmp nat-traversal 10
I will try the commands that you posted and see what happens. I also asked the area that administers the routers to verify whether there's a timer or something that could be affecting this connection.
I will keep you posted with the results.