The disconnections happen because the VPN Client loses Dead Peer Detection (DPD) keepalives somewhere on the path.
DPD is used to verify that the remote peer still answers, because it is unsafe to keep a connection active when the remote device is dead. When the VPN Client loses these packets, it sees no acknowledgement (ACK) to its DPD requests, concludes that the peer is no longer reachable, and tears the connection down.
This issue can occur because of the network connection (path) that the client uses.
The VPN Client uses a keepalive mechanism called DPD in order to check the availability of the VPN device on the other side of an IPsec tunnel. If the network is unusually busy or unreliable, you might need to increase the number of seconds the VPN Client waits before it decides that the peer is no longer active. The default number of seconds to wait before the connection is terminated is 90 seconds. The minimum number of seconds you can configure is 30 seconds, and the maximum is 480 seconds.
In order to adjust the setting, enter the number of seconds in the Peer Response Timeout field.
The VPN Client continues to send DPD requests every five seconds until it reaches the number of seconds specified by the Peer Response Timeout value.
The Internet Key Exchange (IKE) keepalive packets are sent every 10 seconds by default. Once three packets are missed, an IPSec termination point (VPN Concentrator) concludes that it has lost connectivity with its peer (VPN Client).
In order to resolve this problem, determine these things:
The version of the VPN Client
The version of the VPN Concentrator code
The Operating System (OS) used on the machine that runs the VPN Client
The Internet Service Provider (ISP) used by the VPN Client to connect to the Internet
The devices the VPN Client goes through before traffic reaches the Internet to connect to the VPN 3000 Concentrator
Whether the IPSec over User Datagram Protocol (UDP) or IPSec over Transmission Control Protocol (TCP) option is used for this connection
The log file from the VPN Concentrator with these event classes turned on at Levels 1 through 13 under Monitoring > Filterable Event Log:
In order to capture this logging information, choose Monitoring > Filterable Event Log, and clear the log. Then have a VPN Client initiate traffic. Refresh the log with the right double arrows, or use Save Log.
Capture the log file from the VPN Client side as well. In order to enable logging on the VPN Client, complete these steps:
Find the Log Viewer utility in the same folder as the VPN dialer.
Choose Options > Filters.
Highlight each class, and set the level to High for each one.
Save the log from the VPN Client as a .txt file.
Note: Log files from the VPN Concentrator and VPN Client have to be captured at the same time.
The problem can be the result of these situations:
The VPN Concentrator does not receive the keepalive/DPD packets.
The VPN Concentrator does not respond to the keepalive/DPD packets.
The VPN Client does not receive the keepalive/DPD packets.
When a Security Association (SA) is negotiated, the lower of the two proposed lifetimes is the one used. The lifetime of the VPN Concentrator is always the one used, since it is lower than that of the VPN Client. Usually, when the SA is renegotiated while the connection is idle, the tunnel is torn down. If the connection is not idle, the VPN Concentrator and the VPN Client should rekey instead.
Consider these options in order to resolve this issue:
If the VPN Client is located behind a device that performs Network Address Translation (NAT)/Port Address Translation (PAT), make sure that the translation does not timeout for the VPN Client.
Make sure that IKE keepalives are enabled. In some situations it is necessary to disable this feature instead in order to solve the problem, for example when the VPN Client is behind a firewall that blocks DPD packets. In order to disable IKE keepalives, complete these steps:
Choose Configuration > User Management > Groups.
Choose a VPN Client group that you work with, and click Modify.
On the IPSec tab, uncheck the IKE Keepalives box.
Check the timeout settings on the VPN Concentrator and on the VPN Client. The timeout settings are found on the General tabs of the base group, group, and user settings. Choose Configuration > User Management.
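The two keepalive timers described above (the VPN Client's DPD request every five seconds up to the Peer Response Timeout, and the VPN Concentrator's IKE keepalive every ten seconds with three misses allowed) interact: whichever side runs out of patience first tears the tunnel down. The following model is an added example, not Cisco code from this document or from the VPN Client; it takes only the intervals and limits stated in the text and assumes a zero-latency path, a single fixed outage window during which every probe is lost, and a client that probes continuously. It shows why raising the Peer Response Timeout on the client does nothing while the concentrator's keepalives are still enabled, and why disabling IKE Keepalives on the group (the steps above) changes the outcome.

```python
"""Timing model of DPD (VPN Client) versus IKE keepalives (VPN Concentrator).

Added example, not Cisco code. Constants come from the text above; the path
model (zero latency, one outage window, continuous client probing) is an
assumption of this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

CLIENT_DPD_INTERVAL = 5                 # VPN Client sends a DPD request every 5 s
DEFAULT_PEER_RESPONSE_TIMEOUT = 90      # default Peer Response Timeout (s)
MIN_PEER_RESPONSE_TIMEOUT = 30          # smallest value the client accepts
MAX_PEER_RESPONSE_TIMEOUT = 480         # largest value the client accepts
CONCENTRATOR_KEEPALIVE_INTERVAL = 10    # IKE keepalive sent every 10 s
CONCENTRATOR_MISSED_LIMIT = 3           # three misses -> peer declared lost


def peer_response_timeout_is_valid(seconds: int) -> bool:
    """True if the value lies in the 30..480 s range the VPN Client allows."""
    return MIN_PEER_RESPONSE_TIMEOUT <= seconds <= MAX_PEER_RESPONSE_TIMEOUT


@dataclass
class Outage:
    """Constructed path failure: a probe sent at start <= t < end gets no reply."""
    start: int
    end: int

    def probe_answered(self, t: int) -> bool:
        return not (self.start <= t < self.end)


def client_gives_up_at(outage: Outage,
                       timeout: int = DEFAULT_PEER_RESPONSE_TIMEOUT,
                       horizon: int = 600) -> Optional[int]:
    """Second at which the VPN Client declares the peer dead, or None if it survives.

    The client keeps sending DPD requests every CLIENT_DPD_INTERVAL seconds; it
    gives up once `timeout` seconds have passed since the last answered request.
    """
    if not peer_response_timeout_is_valid(timeout):
        raise ValueError(f"Peer Response Timeout out of range: {timeout}")
    last_reply = 0
    for t in range(0, horizon + 1, CLIENT_DPD_INTERVAL):
        if outage.probe_answered(t):
            last_reply = t
        elif t - last_reply >= timeout:
            return t
    return None


def concentrator_gives_up_at(outage: Outage, keepalives_enabled: bool = True,
                             horizon: int = 600) -> Optional[int]:
    """Second at which the VPN Concentrator declares the client lost, or None.

    keepalives_enabled=False models unchecking IKE Keepalives on the group's
    IPSec tab: the concentrator then never probes and never gives up on its own.
    """
    if not keepalives_enabled:
        return None
    missed = 0
    for t in range(0, horizon + 1, CONCENTRATOR_KEEPALIVE_INTERVAL):
        if outage.probe_answered(t):
            missed = 0
        else:
            missed += 1
            if missed >= CONCENTRATOR_MISSED_LIMIT:
                return t
    return None


def tunnel_torn_down_by(outage: Outage,
                        timeout: int = DEFAULT_PEER_RESPONSE_TIMEOUT,
                        concentrator_keepalives: bool = True
                        ) -> Tuple[Optional[str], Optional[int]]:
    """Which side tears the tunnel down first and when; (None, None) if neither."""
    verdicts = [("client", client_gives_up_at(outage, timeout)),
                ("concentrator", concentrator_gives_up_at(outage, concentrator_keepalives))]
    live = [(t, who) for who, t in verdicts if t is not None]
    if not live:
        return None, None
    t, who = min(live)
    return who, t


if __name__ == "__main__":
    short = Outage(20, 60)    # 40 s of loss: within the client's 90 s, not the concentrator's 30 s
    long = Outage(20, 120)    # 100 s of loss: exceeds the default client timeout too
    print("40 s outage, defaults:            ", tunnel_torn_down_by(short))
    print("40 s outage, IKE keepalives off:  ", tunnel_torn_down_by(short, concentrator_keepalives=False))
    print("100 s outage, client timeout 90:  ", client_gives_up_at(long))
    print("100 s outage, client timeout 120: ", client_gives_up_at(long, timeout=120))
```

With a 40-second outage the concentrator drops the tunnel at t=40 (three missed keepalives at 20, 30 and 40 s) although the client, with 90 seconds of patience, would have ridden it out; only after IKE Keepalives are unchecked on the group does the tunnel survive that outage. A 100-second outage defeats the default client timeout at t=105, and raising the Peer Response Timeout to 120 seconds is what lets the client outlast it. Both logs captured at the same time, as the note above requires, are what tell you which of these two timers actually fired.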
Refer to these related Cisco bug IDs for more information:
I am getting disconnected intermittently from the Cisco VPN 3000 Concentrator. How can this be resolved?
If users are frequently disconnected across the L2L tunnel, the problem can be a short lifetime configured on the ISAKMP SA.
Verify Idle/Session Timeout
If the idle timeout is set to 30 minutes (the default), the tunnel is dropped after 30 minutes in which no traffic passes through it. If the session timeout is set to 30 minutes, the VPN Client is disconnected after 30 minutes regardless of the idle timeout setting.
For more information, refer to the following document, which contains the most common solutions to IPsec VPN problems. These solutions come directly from service requests that Cisco Technical Support has solved. Many of them can be implemented before in-depth troubleshooting of an IPsec VPN connection, so the document is presented as a checklist of common procedures to try before you begin to troubleshoot a connection and call Cisco Technical Support. http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml