Cisco VPN Client and IBM Client Access compatibility

rbostwick
Level 1

I am using 3005 VPN Concentrators and all MS Win2K clients. They have various versions of the VPN Client installed (3.63 - 4.05). All our clients use IBM Client Access 4.3 and above for a 5250 client connection to an AS/400 host.

On about a dozen or so of the clients they are experiencing a disconnect after an idle period in Client Access. This happens when they are on the VPN or on the LAN.

I have tested with several versions of both Client Access and the VPN Client. I have also tried adjusting the MTUs on the VPN Client.

None of these fixes the problem. Any suggestions would be appreciated.

Thanks,

rbostwick@solarcom.com

6 Replies

ehirsel
Level 6

Is there a PIX or some other firewall between the AS/400 and the users, even when the users are on the LAN? If it is a PIX, the default idle timeout is set to 1 hour - if the IBM CA has a higher timeout or if the CA does not issue keepalives, then the PIX will terminate the connection to the client by sending a TCP frame with the reset bit. The PIX will not send one as soon as the timer expires, but instead will wait until traffic arrives.

No firewall exists on the LAN between the users and the AS/400. The problem has only occurred on about 5% of users with Cisco VPN Client installed.

I am testing the option of disabling the Stateful Firewall Option on the VPN Client. This seems the most promising at the moment.

jzsides
Level 1

Do you have the stateful firewall turned on in the VPN client? I had the same problem, so I disabled the firewall and removed the split tunnel configuration.

It may not be an option for you, but it worked for me.

By default we have enabled the Stateful Firewall option on all the Cisco VPN Clients. It seems that this causes a timeout issue with some network applications, such as IBM Client Access.

I disabled the option on a few clients and so far it has worked. I have some users that even have the problem while on a VPN connection over a Pix 501 configured with the Easy VPN.

If they have the Cisco Client installed, it will time out their AS/400 connection when idle for more than 15 minutes.

Disabling the Stateful Firewall is not a problem, but it seems there is no reasoning I can find for the problem, unless the AS/400 is using ICMP for a sort of keepalive function.

I'm not sure why the Cisco Stateful firewall causes problems with client access. Client access works fine through every other firewall I have used (both hardware and software).

Have you thought about using the SSL option instead of the vpn? It requires OS/400 V4R4 or later and Client Access V4R4 or later.

This URL: http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_administration_guide_chapter09186a008015cfdc.html depicts the vpnclient.ini settings to control the VPN client behavior. One of these is StatefulFirewallAllowICMP and the default value is 0 (disabled). Add that parm to the .ini file and set it to 1.

Also enable logging on the VPN client, and set the firewall log to 3 (the highest). Do this as well as setting the allow ICMP to 1, and if the clients are having an issue, the log file should contain some meaningful messages - if so, post them here.