TCC_2

Core issue

The disconnections happen because the VPN Client loses Dead Peer Detection (DPD) keepalives somewhere on the path.

DPD is used to verify that the remote peer still answers, because it is unsafe to keep a tunnel active when the remote device is dead. When the VPN Client loses these packets, the peer no longer acknowledges the DPD requests and is therefore considered unreachable.

This issue can be caused by the connection path that the client uses.

The VPN Client uses a keepalive mechanism called DPD in order to check the availability of the VPN device on the other side of an IPsec tunnel. If the network is unusually busy or unreliable, you need to increase the number of seconds the VPN Client waits before it decides that the peer is no longer active. The default number of seconds to wait before the connection is terminated is 90 seconds. The minimum number of seconds you can configure is 30 seconds, and the maximum is 480 seconds.

In order to adjust the setting, enter the number of seconds in the Peer Response Timeout field.

The VPN Client continues to send DPD requests every five seconds until it reaches the number of seconds specified by the Peer Response Timeout value.

The Internet Key Exchange (IKE) keepalive packets are sent every 10 seconds by default. Once three packets are missed, an IPSec termination point (VPN Concentrator) concludes that it has lost connectivity with its peer (VPN Client).
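The two timers above interact, and it is easy to misjudge which side tears the tunnel down. The following is an added example, not Cisco code or anything from this page: a simplified model of the DPD and IKE keepalive behaviour as the text describes it. It assumes the VPN Client sends a DPD request every 5 seconds and gives up once Peer Response Timeout seconds (30 to 480, default 90) have passed since the last answered request, and that the VPN Concentrator sends an IKE keepalive every 10 seconds and gives up after three consecutive misses. The outage windows are constructed inputs; the function and constant names are this example's own.

```python
# Added example: simplified model of the DPD / IKE keepalive timers described
# on this page. Not Cisco code. Assumed model (from the page text): the client
# sends a DPD request every 5 s and gives up once Peer Response Timeout seconds
# (30..480, default 90) have elapsed since the last answered request; the
# concentrator sends an IKE keepalive every 10 s and gives up after three
# consecutive misses. Outage windows below are constructed inputs.
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

CLIENT_DPD_INTERVAL = 5       # seconds between client DPD requests
PEER_RESPONSE_MIN = 30        # configurable range of Peer Response Timeout
PEER_RESPONSE_DEFAULT = 90
PEER_RESPONSE_MAX = 480
CONC_KEEPALIVE_INTERVAL = 10  # seconds between concentrator IKE keepalives
CONC_MISS_LIMIT = 3           # consecutive misses before the concentrator gives up


@dataclass(frozen=True)
class Outage:
    """Packets sent at time t with start <= t < end are lost in both directions."""
    start: int
    end: int

    def drops(self, t: int) -> bool:
        return self.start <= t < self.end


def _lost(t: int, outages: Sequence[Outage]) -> bool:
    return any(o.drops(t) for o in outages)


def client_gives_up(outages: Sequence[Outage],
                    peer_response_timeout: int = PEER_RESPONSE_DEFAULT,
                    horizon: int = 3600) -> Optional[int]:
    """Second at which the client's DPD declares the concentrator dead, or None."""
    if not PEER_RESPONSE_MIN <= peer_response_timeout <= PEER_RESPONSE_MAX:
        raise ValueError("Peer Response Timeout must be between 30 and 480 seconds")
    last_answered = 0
    for t in range(CLIENT_DPD_INTERVAL, horizon + 1, CLIENT_DPD_INTERVAL):
        if not _lost(t, outages):
            last_answered = t          # request answered: restart the timeout clock
        elif t - last_answered >= peer_response_timeout:
            return t                   # no answer for the whole timeout window
    return None


def concentrator_gives_up(outages: Sequence[Outage],
                          horizon: int = 3600) -> Optional[int]:
    """Second at which the concentrator declares the client dead, or None."""
    misses = 0
    for t in range(CONC_KEEPALIVE_INTERVAL, horizon + 1, CONC_KEEPALIVE_INTERVAL):
        if _lost(t, outages):
            misses += 1
            if misses >= CONC_MISS_LIMIT:
                return t
        else:
            misses = 0                 # a delivered keepalive resets the miss count
    return None


def who_tears_down(outages: Sequence[Outage],
                   peer_response_timeout: int = PEER_RESPONSE_DEFAULT
                   ) -> Optional[Tuple[str, int]]:
    """(side, second) for whichever side gives up first; None if the tunnel survives."""
    candidates = [(t, side) for side, t in (
        ("client", client_gives_up(outages, peer_response_timeout)),
        ("concentrator", concentrator_gives_up(outages)),
    ) if t is not None]
    if not candidates:
        return None
    t, side = min(candidates)
    return side, t


if __name__ == "__main__":
    for seconds in (20, 60, 120):
        outage = [Outage(100, 100 + seconds)]
        print(f"{seconds:>3}s outage starting at t=100:",
              who_tears_down(outage) or "tunnel survives",
              "| client alone with 480 s timeout:",
              client_gives_up(outage, PEER_RESPONSE_MAX))
```

Under this model a 20-second outage survives both timers, while a 60-second outage is already fatal at the concentrator after its third missed keepalive (t=120) even though the client, with the default 90-second Peer Response Timeout, would have waited it out. Raising the client's Peer Response Timeout therefore only helps when the concentrator's keepalives are still getting through, which is why the checklist below also looks at whether the concentrator receives and answers the keepalive/DPD packets.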

Resolution

In order to resolve this problem, determine these things:

  • The version of the VPN Client
  • The version of the VPN Concentrator code
  • The Operating System (OS) used on the machine that runs the VPN Client
  • The Internet Service Provider (ISP) used by the VPN Client to connect to the Internet
  • The devices the VPN Client traffic goes through before it reaches the Internet to connect to the VPN 3000 Concentrator
  • Whether the IPsec over User Datagram Protocol (UDP) or IPsec over Transmission Control Protocol (TCP) option is used for this connection
  • The log file from the VPN Concentrator with these event classes turned on at Levels 1 through 13 under Monitoring > Filterable Event Log:
    • Auth
    • AuthDbg
    • IKE
    • IKEDbg
    • IPsec
    • IPsecDbg

    In order to capture this logging information, choose Monitoring > Filterable Event Log and clear the log. Then have a VPN Client initiate traffic. Refresh the log with the right double arrows or use Save Log.

  • The log file from the VPN Client side. In order to enable logging on the VPN Client, complete these steps:
    • Find the Log Viewer utility in the same folder as the VPN dialer.
    • Choose Options > Filters.
    • Highlight each class and set the level to High for each one.
    • Save the log from the VPN Client as a .txt file.

    Note: Log files from the VPN Concentrator and VPN Client have to be captured at the same time.

The problem can be the result of these situations:

  • The VPN Concentrator does not receive the keepalive/DPD packets.
  • The VPN Concentrator does not respond to the keepalive/DPD packets.
  • The VPN Client does not receive the keepalive/DPD packets.
  • When the Security Association (SA) lifetime is negotiated, the lower of the two proposed values is the one used. The SA lifetime of the VPN Concentrator is the one used because it is lower than that of the VPN Client. When the SA lifetime expires while the connection is idle, the tunnel is torn down; if the connection is not idle, the VPN Concentrator and Client should rekey instead.

Consider these options in order to resolve this issue:

  • If the VPN Client is located behind a device that performs Network Address Translation (NAT)/Port Address Translation (PAT), make sure that the translation does not time out for the VPN Client.
  • Make sure the IKE keepalives are enabled. In some situations it is necessary to disable this feature in order to solve the problem, for example, if the VPN Client is behind a firewall that blocks DPD packets. In order to disable the IKE keepalives, complete these steps:
    • Choose Configuration > User Management > Groups.
    • Choose the VPN Client group that you work with, and click Modify.
    • On the IPSec tab, uncheck the IKE Keepalives box.
  • Check the timeout settings on the VPN Concentrator and on the VPN Client. On the VPN Concentrator the timeout settings are found on the General tabs of the base group, group, and user settings under Configuration > User Management.

Refer to these related Cisco bug IDs for more information:

Note: Refer to Troubleshooting Connection Problems on the VPN 3000 Concentrator for more information about connectivity problems with a PIX, ASA, or router.


Related Issue

I am getting disconnected intermittently from the Cisco VPN 3000 Concentrator. How can this be resolved?

Solution

If the users are frequently disconnected across the L2L tunnel, the problem can be a short lifetime configured for the ISAKMP SA.

Verify Idle/Session Timeout

If the idle timeout is set to 30 minutes (the default), the tunnel is dropped after 30 minutes with no traffic passing through it. The VPN Client is also disconnected when the session timeout expires, regardless of the idle timeout setting.

For more information, refer to the following document, which contains the most common solutions to IPsec VPN problems. These solutions come directly from service requests that Cisco Technical Support has solved. Many of these solutions can be implemented prior to in-depth troubleshooting of an IPsec VPN connection. As a result, this document is presented as a checklist of common procedures to try before you begin to troubleshoot a connection and call Cisco Technical Support. http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

The following document provides troubleshooting tips you can use in order to resolve connectivity issues with the Cisco VPN 3000 Concentrator. http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a0080094eca.shtml
