09-20-2004 11:10 AM - edited 02-21-2020 01:20 PM
I am using 3005 VPN Concentrators and all MS Win2K clients. They have various versions of the VPN Client installed (3.63 - 4.05). All our clients use IBM Client Access 4.3 and above for a 5250 client connection to an AS/400 host.
On about a dozen or so of the clients they are experiencing a disconnect after an idle period in Client Access. This happens when they are on the VPN or on the LAN.
I have tested with several versions of both Client Access and the VPN Client. I have also tried adjusting the MTUs on the VPN Client.
None of these fixes the problem. Any suggestions would be appreciated.
Thanks,
09-21-2004 09:51 AM
Is there a pix or some other firewall between the as/400 and the users, even when the users are on the LAN? If it is a pix, the default idle timeout is set to 1 hour - if the IBM CA has a higher timeout or if the CA does not issue keepalives, then the pix will terminate the connection to the client by sending a tcp frame with the reset bit. The pix will not send one as soon as the timer expires, but instead will wait until traffic arrives.
09-21-2004 11:26 AM
No firewall exists on the LAN between the users and the AS/400. The problem has only occurred on about 5% of users with Cisco VPN Client installed.
I am testing the option of disabling the Stateful Firewall Option on the VPN Client. This seems the most promising at the moment.
09-21-2004 11:19 AM
Do you have the stateful firewall turned on in the VPN client? I had the same problem, so I disabled the firewall and removed the split tunnel configuration.
It may not be an option for you, but it worked for me.
09-21-2004 12:47 PM
By default we have enabled the Stateful Firewall option on all the Cisco VPN Clients. It seems that this causes a timeout issue with some Network applications, such as IBM Client Access.
I disabled the option on a few clients and so far it has worked. I have some users that even have the problem while on a VPN connection over a Pix 501 configured with the Easy VPN.
If they have the Cisco Client installed, it will time out their AS/400 connection when idle for more than 15 minutes.
Disabling the Stateful is not a problem, but it seems there is no reasoning I can find for the problem, unless the AS/400 is using ICMP for a sort of keepalive function.
09-21-2004 12:59 PM
I'm not sure why the Cisco Stateful firewall causes problems with client access. Client access works fine through every other firewall I have used (both hardware and software).
Have you thought about using the SSL option instead of the vpn? It requires OS/400 V4R4 or later and Client Access V4R4 or later.
09-24-2004 05:06 AM
Depicts the vpnclient.ini settings to control the vpn client behavior. One of these is StatefulFirewallAllowICMP and the default value is 0 (disabled). Add that parm to the .ini file and set it to 1.
Also enable logging on the vpn client, and set the firewall log to 3 (the highest). Do this as well as setting the allow icmp to 1, and if the clients are having an issue, the log file should contain some meaningful messages - if so post them here.
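An added example, not part of the original thread and not Cisco tooling: a Python check that reads a vpnclient.ini and lists which of the changes suggested in the post above are still missing. Only StatefulFirewallAllowICMP comes from the thread; the `[main]` and `[LOG.FIREWALL]` section names, the StatefulFirewall, EnableLog and LogLevel keys, the leading `!` read-only marker and the sample file are assumptions to verify against the administrator guide for the installed client version.

```python
import configparser

# Constructed sample vpnclient.ini. Only StatefulFirewallAllowICMP is named in
# the thread; the other section/key names and the "!" read-only prefix are
# assumptions to check against the admin guide for the installed client version.
SAMPLE_INI = """\
[main]
!StatefulFirewall=1
EnableLog=0

[LOG.FIREWALL]
LogLevel=1
"""

# Settings the post asks for: allow ICMP through the stateful firewall,
# enable logging, and set the firewall log class to 3.
WANTED = {
    ("main", "statefulfirewallallowicmp"): "1",
    ("main", "enablelog"): "1",
    ("log.firewall", "loglevel"): "3",
}


def load(text):
    """Parse ini text into {(section, key): value}, lower-cased, "!" stripped."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return {
        (section.lower(), key.lstrip("!")): value.strip()
        for section in cp.sections()
        for key, value in cp.items(section)
    }


def pending_changes(text):
    """Return (section, key, current, wanted) for each setting not yet applied."""
    have = load(text)
    return [
        (section, key, have.get((section, key)), wanted)
        for (section, key), wanted in WANTED.items()
        if have.get((section, key)) != wanted
    ]


if __name__ == "__main__":
    fw = load(SAMPLE_INI).get(("main", "statefulfirewall"), "0")
    print("stateful firewall always on:", fw == "1")
    for section, key, current, wanted in pending_changes(SAMPLE_INI):
        print(f"[{section}] {key}: {current!r} -> {wanted!r}")
```

Run over each client's file, it shows which machines still have the stateful firewall on without the ICMP allowance or firewall logging before the next idle-disconnect report comes in.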