01-14-2016 04:41 PM - edited 03-12-2019 12:08 AM
Hi guys
Hope you're great. I've got a question about something that is happening right now. I already configured some VPN accounts, but I'm noticing that if I do nothing the session disconnects me in approximately 1 minute and 37 seconds. The timeout configuration on the group policy is Unlimited and the configuration in the VPN accounts is also unlimited. I also compared the configuration with another FW that is from the same customer and it is the same, so I don't understand why the sessions are getting disconnected. The error message that I get is 412: the remote peer is no longer responding.
One workaround that I found is that if I run a ping to an IP that is on the Secured Routes, the session won't disconnect me, but as soon as I stop the ping it takes like 1 minute and I get the same message (412).
Do you have any idea about what else I need to configure? I'm running out of ideas.
Regards
01-14-2016 05:56 PM
Are you connecting through another device doing a NAT translation by chance? I bet it is timing out the UDP session (which would also explain the ping working).
Do you have a different Internet connection you could connect via to prove this is the case?
01-19-2016 01:35 PM
Hi Phillip
Thanks for the answer, well as far as I know there is no NAT translation but I'll check if I can increase the UDP session.
About using another connection I already tried from my house and the same thing is happening.
Regards
01-19-2016 02:02 PM
Is the VPN head end an ASA or IOS router? Does it connect directly to the Internet with an IPv4 address?
Could you post the related VPN config?
01-19-2016 02:13 PM
The VPN end is an ASA and it connects directly to the Internet with an IPv4 address. Do you think that the "Global Timeouts" have anything to do with this problem? I mean, maybe if I change the time it could help, but I don't know.
Here's some of the VPN configuration.
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy Client_Policy internal
group-policy Client_Policy attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-simultaneous-logins 2
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Red_VPN
 default-domain none
Regards.
01-19-2016 07:40 PM
It won't have anything to do with the global timeouts.
Is there any chance you sit behind a service provider firewall?
This is an IKEv1 VPN, correct?
01-20-2016 08:17 AM
Yes this is an IKE v1 VPN.
About the other thing I will try to sit behind a service provider firewall.
Another thing: the following messages appear in the VPN client log:
1 10:06:48.909 01/20/16 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.25.3.49, error 0
2 10:06:49.915 01/20/16 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
Regards
01-20-2016 11:56 AM
To be more specific, you don't want to sit behind a service provider firewall. If you are, they might be timing out the sessions.
Perhaps try adding a keepalive and see if that changes the behaviour. If you are running older ASA software try:
crypto isakmp keepalive 10
If it doesn't take that command perhaps try:
crypto isakmp nat-traversal 10
01-20-2016 01:36 PM
Hi Phillip
I will try the commands that you posted and see what happens. I also requested the area that administers the routers to verify whether there's a timer or something that could be affecting this connection.
I will keep you posted with the results.
Regards