Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
22847
Views
10
Helpful
3
Replies

Anyconnect VPN Client "Session disconnect", "Reason: Connection Preempted"

ju we
Level 1
Level 1

‎10-09-2014 07:36 AM - edited ‎02-21-2020 07:52 PM

Hi there,

some Anyconnect Users experience frequent disconnects:

Oct  9 14:10:08 fw : %ASA-4-113019: Group = A, Username = W, IP = a.b.c.d, Session disconnected. Session Type: SSL, Duration: 0h:03m:44s, Bytes xmt: 555379, Bytes rcv: 479046, Reason: Connection Preempted
Oct  9 14:14:49 fw : %ASA-4-113019: Group = A, Username = W, IP = a.b.c.d, Session disconnected. Session Type: SSL, Duration: 0h:04m:41s, Bytes xmt: 705887, Bytes rcv: 586615, Reason: Connection Preempted
Oct  9 14:26:18 fw : %ASA-4-113019: Group = A, Username = W, IP = a.b.c.d, Session disconnected. Session Type: SSL, Duration: 0h:11m:29s, Bytes xmt: 660791, Bytes rcv: 653513, Reason: Connection Preempted
 

When placing "ping -t <destination through the tunnel>" the Anyconnect session is not disconnected. The idle timeout is set to 60 min.

Can anyone give me a hint?

 

Software  Versions:

Cisco Anyconnect Secure Mobility Client, Version 3.1.05182

 

# sh ver

Cisco Adaptive Security Appliance Software Version 9.1(4)
Device Manager Version 7.3(1)101

Compiled on Thu 05-Dec-13 19:37 by builders
System image file is "disk0:/asa914-k8.bin"
Config file at boot was "startup-config"

# up 23 days 9 hours
failover cluster up 1 year 124 days

Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2_05
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.09
                             Number of accelerators: 1

 

1 person had this problem
Labels:
0 Helpful
3 Replies 3

adamtodd16
Level 3
Level 3

‎10-09-2014 08:52 AM

Connection preempted. Indicates that the allowed number of simultaneous (same user) logins has been exceeded. To resolve this problem, increase the number of simultaneous logins or have users only log in once with a given username and password.

To increase the number, you must have a change on the group policy assigned to the user (group).

Example:

group-policy VPN attributes
 vpn-simultaneous-logins 4

ju we
Level 1
Level 1
In response to adamtodd16

‎10-20-2014 01:33 AM

Dear Adam,

many thanks for your suggestion. Actually the "vpn-simultaneous-logins 3" is configured but still "Connection Preemted" messages can be found in the the logfile. I will upgrade to asa915-k8.bin and see what happens.

0 Helpful

mikael.dautrey
Spotlight
Spotlight
In response to adamtodd16

‎03-24-2020 08:13 AM

Thanks, default is 3 for L2TP/IPSEC connections on ASA 9.x
IT Infrastructure deployer
Security practicioner
Spare time devops
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents