
VPN Client Side disconnection problem

brian.young
Level 1

I've been having this problem for months and it's driving my users nuts.

When a user connects using the VPN client, connection times out on the client side after only a few minutes.

If I use ssh and connect to the box and run anything that generates traffic, the connection stays up.

My configuration:

Pix 515E version 7.2(2)

VPN Client version 4.8.02.0010

timeout values are set to 1hr

Transport is IPSEC over UDP NAT/PAT

Peer response timeout is 480 seconds

Local Linksys router has

IPSec, PPTP, L2TP pass through enabled

Windows firewall has exception for VPN client

PLEASE HELP!

Thanks,

BY

6 Replies

wong34539
Level 6

I think you are unable to initiate the VPN tunnel from ASA/PIX interface, and after the tunnel establishment, the remote end/VPN Client is unable to ping the inside interface of ASA/PIX on the VPN tunnel. For example, the VPN client can be unable to initiate an SSH or HTTP connection to ASA's inside interface over VPN tunnel.

Solution:

The inside interface of the PIX cannot be pinged from the other end of the tunnel unless the management-access command is configured in the global configuration mode.

What do I need to do on the client side firewall to enable DPD Requests?

Todd Pula
Level 7

You will want to enable logging on the IPSec VPN client to see why the session is being disconnected. You will also want to debug ISAKMP and IPSec on the ASA. I run into this problem frequently with customers where DPD is enabled but the local firewall policy on the client is dropping the packets.

craig.eyre
Level 1

I was just wondering if you got this resolved? I may be able to help you, let me know.

Craig

Craig,

No I have not resolved this problem yet. I log into an ssh session on the server and run TOP to keep the activity going, which keeps the connection up. When I disconnect the ssh session the connection dies within a few minutes.

Any ideas?

Hi Brian,

Can you confirm that the client is actually connecting via IPSEC/NAT-T or if it's just negotiating a straight IPSEC connection?

On the vpn client turn on all the logging at the HIGH level and then fire up a vpn connection. You'll see in the connection logs whether your client negotiates IPSEC/NAT-T or just IPSEC by the line "Automatic NAT detection status" in the client logs.

If the client negotiates IPSEC only, try this little test. Run the client, then fire up a ping to some server within the tunnel for about 5 mins. Kill the ping and see if the keepalives start coming back in the client side log. I'd assume that the keepalives will not come back and your client will start sending a lot of keepalives but nothing coming back from VPN endpoint.

Let me know.

Craig
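
The log check described in the reply above, as an added example that is not part of the original thread: a Python script that pulls the "Automatic NAT detection status" entry out of a saved client log and lists keepalive (DPD) requests that never received a reply. The DPD message wording, the log layout and the sample log are assumptions constructed for illustration; adjust the patterns to what your client actually writes.

```python
import re

# Assumed message wording; adjust the patterns to what your client actually logs.
NAT_HEADER = re.compile(r"automatic nat detection status", re.I)
DPD_REQ = re.compile(r"sending dpd request.*?seq#\s*=\s*(\d+)", re.I)
DPD_ACK = re.compile(r"received dpd ack.*?seq# received\s*=\s*(\d+)", re.I)

# Constructed sample log (not captured from a real client).
SAMPLE_LOG = """\
1  10:00:01  Sev=Info/5  IKE
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This end IS behind a NAT device
2  10:00:05  Sev=Info/6  IKE
Sending DPD request to 192.0.2.1, our seq# = 100
3  10:00:05  Sev=Info/5  IKE
Received DPD ACK from 192.0.2.1, seq# received = 100, seq# expected = 100
4  10:05:10  Sev=Info/6  IKE
Sending DPD request to 192.0.2.1, our seq# = 101
5  10:05:15  Sev=Info/6  IKE
Sending DPD request to 192.0.2.1, our seq# = 102
"""

def analyze(log_text):
    """Return the NAT detection lines and the DPD requests that got no ACK."""
    lines = log_text.splitlines()
    nat_status, sent, acked = [], [], set()
    for i, line in enumerate(lines):
        if NAT_HEADER.search(line):
            # Collect the indented detail lines that follow the header.
            for follow in lines[i + 1:]:
                if not follow.startswith((" ", "\t")) or not follow.strip():
                    break
                nat_status.append(follow.strip())
        if (m := DPD_REQ.search(line)):
            sent.append(int(m.group(1)))
        if (m := DPD_ACK.search(line)):
            acked.add(int(m.group(1)))
    # Count requests at the end of the log that were never answered:
    # keepalives going out with nothing coming back from the VPN endpoint.
    trailing = 0
    for seq in reversed(sent):
        if seq in acked:
            break
        trailing += 1
    return {"nat_status": nat_status, "dpd_sent": len(sent),
            "unanswered": [s for s in sent if s not in acked],
            "trailing_unanswered": trailing}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A growing `trailing_unanswered` count after the ping is stopped matches the failure pattern the test above is looking for.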
