
Cisco VPN client keeps disconnecting even the tunnel is in use

spidermanchar
Level 1

Hi there,

I have a problem where the VPN client keeps disconnecting and needs to reauthenticate. Sometimes it disconnects after the VPN client has been connected to the ASA for 5 minutes, sometimes it's 20 minutes. But the worst thing is, it disconnects even while the client is using the tunnel. With a continuous ping, it disconnected.

In the group policy, the vpn-idle-timeout is set to 45. And the isakmp keepalive threshold is 300s. Is anybody aware of this problem?

Any suggestions are appreciated.

Thanks,

Victor

8 Replies

Marcin Latosiewicz
Cisco Employee

Victor,

Can you share the ASA and VPNclient versions? No guarantees but I can do a bit of digging in our internal database.

If you can also attach the ASA config (show run crypto, show run tunnel-g, show run group-p), it would be helpful.

Nothing will substitute debugs at the time of disconnect.

Marcin

Please check:

Version:

Server: Cisco Adaptive Security Appliance Software Version 7.2(4)

Client:  vpnclient-win-is-5.0.00.0340-k9-bundle

sh run crypto:
crypto ipsec transform-set VpnSet esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 512000
crypto dynamic-map VpnMap 10 match address DynVpnAcl
crypto dynamic-map VpnMap 10 set transform-set VpnSet
crypto map DBmap 10 ipsec-isakmp dynamic VpnMap
crypto map DBmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 15
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

sh run tunnel-g:

tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 30 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 30 retry 2
tunnel-group TerminalServices type ipsec-ra
tunnel-group TerminalServices general-attributes
address-pool dhcpTerminal
default-group-policy TerminalServices
tunnel-group TerminalServices ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 2

tunnel-group TerminalServicesC type ipsec-ra
tunnel-group TerminalServicesC general-attributes
address-pool dhcpTerminal
default-group-policy TerminalServices
tunnel-group TerminalServicesC ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 2

tunnel-group TS_group type ipsec-ra
tunnel-group TS_group general-attributes
address-pool TS_users_pool
authentication-server-group RADIUS
default-group-policy TS_group
tunnel-group TS_group ipsec-attributes
pre-shared-key *

sh run group-p:
group-policy TerminalServices internal
group-policy TerminalServices attributes
dns-server value
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnelACL
default-domain value
secure-unit-authentication enable
user-authentication enable
group-policy TS_group internal
group-policy TS_group attributes
banner value
dns-server value
vpn-idle-timeout 45
vpn-filter value TS_vpn_users
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
default-domain value

The clients are using the TS_group. Could you tell me how to debug the VPN client sessions? It appears that debug crypto isakmp and debug crypto ipsec are both not working for this.

PS: I understand that group-policy can be inherited. Normally, are only the values from the Cisco default policy inherited by customized policies?

Thanks,

Victor

Victor,

Yes, by default a group-policy inherits from the default policy, and RA tunnel-groups inherit from the default RA tunnel-group.

If there are no debugs on the ASA, it's very strange, but maybe check whether you're running a "debug crypto cond ..." left over from some other time? (You can do "debug crypto cond reset".)

Re client debugs:

In the client GUI -> Log -> Logging settings -> set everything to "3" -> "OK" it.

Restart the client.

Logging should then be enabled on the client side.

Marcin
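As an added illustration of the inheritance rule Marcin describes (this is not code from the thread or from Cisco): the script below parses show-run style text and reports, per remote-access tunnel-group, the isakmp keepalive and vpn-idle-timeout actually in force and where each came from. The TS_group, TerminalServicesC and DefaultRAGroup sections in the sample are the ones posted above; the "Lab" tunnel-group and the DfltGrpPolicy block are constructed for the example (the real defaults only appear under "show run all"), and the parsing rules assume the section-header/indented-line layout of the ASA 7.x CLI. A "keepalive disable" line is not handled and reports as None.

```python
import re

# Constructed sample: TS_group, TerminalServicesC and DefaultRAGroup are copied
# from the configuration posted in the thread; "Lab" and the DfltGrpPolicy
# block are made up for this example (real defaults: "show run all").
SAMPLE_CONFIG = """\
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 30 retry 2
tunnel-group TerminalServicesC type ipsec-ra
tunnel-group TerminalServicesC general-attributes
 address-pool dhcpTerminal
 default-group-policy TerminalServices
tunnel-group TerminalServicesC ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 30 retry 2
tunnel-group TS_group type ipsec-ra
tunnel-group TS_group general-attributes
 address-pool TS_users_pool
 authentication-server-group RADIUS
 default-group-policy TS_group
tunnel-group TS_group ipsec-attributes
 pre-shared-key *
tunnel-group Lab type ipsec-ra
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 30
group-policy TerminalServices internal
group-policy TerminalServices attributes
 vpn-idle-timeout 30
group-policy TS_group internal
group-policy TS_group attributes
 vpn-idle-timeout 45
"""

SECTION_RE = re.compile(r"^(tunnel-group|group-policy)\s+(\S+)\s+(.+)$")
KEEPALIVE_RE = re.compile(r"isakmp keepalive threshold (\d+) retry (\d+)")
IDLE_RE = re.compile(r"vpn-idle-timeout (\d+)")
DEFAULT_GP_RE = re.compile(r"default-group-policy (\S+)")


def parse_sections(config):
    """Group every non-header line under the most recent section header.
    Keys are (object, name, block), e.g. ("tunnel-group", "TS_group", "ipsec-attributes")."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault((m.group(1), m.group(2), m.group(3).strip()), [])
        elif current is not None:
            current.append(line)
    return sections


def lookup(sections, obj, name, block, regex):
    """First line under the given section that matches regex, or None."""
    for line in sections.get((obj, name, block), []):
        m = regex.search(line)
        if m:
            return m
    return None


def effective_timers(config):
    """Per remote-access tunnel-group: the keepalive and idle timer actually in
    force, each tagged with the object it was taken (or inherited) from."""
    s = parse_sections(config)
    out = {}
    for obj, name, block in s:
        if obj != "tunnel-group" or block != "type ipsec-ra":
            continue
        # isakmp keepalive: explicit on this tunnel-group, else DefaultRAGroup.
        ka_src = name
        ka = lookup(s, "tunnel-group", name, "ipsec-attributes", KEEPALIVE_RE)
        if ka is None:
            ka_src = "DefaultRAGroup"
            ka = lookup(s, "tunnel-group", ka_src, "ipsec-attributes", KEEPALIVE_RE)
        # Group policy: the one named by default-group-policy, else DfltGrpPolicy;
        # a vpn-idle-timeout missing there falls back to DfltGrpPolicy as well.
        gp_m = lookup(s, "tunnel-group", name, "general-attributes", DEFAULT_GP_RE)
        gp = gp_m.group(1) if gp_m else "DfltGrpPolicy"
        idle_src = gp
        idle = lookup(s, "group-policy", gp, "attributes", IDLE_RE)
        if idle is None:
            idle_src = "DfltGrpPolicy"
            idle = lookup(s, "group-policy", idle_src, "attributes", IDLE_RE)
        out[name] = {
            "group_policy": gp,
            "keepalive": (int(ka.group(1)), int(ka.group(2)), ka_src) if ka else None,
            "idle_timeout_min": (int(idle.group(1)), idle_src) if idle else None,
        }
    return out


if __name__ == "__main__":
    for tg, timers in effective_timers(SAMPLE_CONFIG).items():
        print(tg, timers)
```

Run against the posted config this makes the inheritance concrete: TS_group has no keepalive line of its own, so its clients run under DefaultRAGroup's threshold 30 retry 2, while its 45-minute idle timer is its own.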

Marcin,

So there seems to be nothing wrong with the configuration? I just got another report that one user was kicked out while he was using the tunnel. But I haven't had a chance to do a debug yet.

Thanks,

Victor

Victor,

There's nothing wrong with the config that I see.

There may be some interactions with radius for example (max users setting or similar) :-)

Debugs on the ASA and logs from the client are the minimum needed to move forward. I will be out of office for two weeks, so I might not be able to provide much input ;[

Marcin,

I got some debug info on the ASA, but the user forgot to enable logging on the client....

Jul 16 2010 16:59:31: %ASA-5-713050: Group = TS_group, Username = xxxx, IP = 15.15.15.15, Connection terminated for peer xxxxx.  Reason: Peer Terminate  Remote Proxy 192.168.250.4, Local Proxy 0.0.0.0
Jul 16 2010 16:59:32: %ASA-4-113019: Group = TS_group, Username = xxxx, IP = 15.15.15.15, Session disconnected. Session Type: IPSec, Duration: 0h:18m:35s, Bytes xmt: 208331, Bytes rcv: 1696143, Reason: User Requested

The whole session was established for about 18 minutes and the idle time was less than 5 min, then it disconnected.

Regards,

Victor
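The two syslog lines above already answer one question: a session of 0h:18m:35s is shorter than the 45-minute vpn-idle-timeout, so the ASA's idle timer cannot have fired. The script below is an added example (not from the thread, not a Cisco tool) that pairs the %ASA-5-713050 / %ASA-4-113019 messages per user and applies that check along with the reason strings, so the same triage can be run over a day of logs. The first two sample lines are the ones posted above (masked as in the post); the remaining lines are constructed, and the "Lost Service" and "Idle Timeout" reason wording in them is assumed rather than taken from the thread. The regexes assume the message layout shown in the posted lines.

```python
import re

# Log sample: the first two lines are the ones posted in the thread (user and
# peer masked as in the post); the remaining lines are constructed for this
# example and their reason strings are assumed, not taken from the thread.
SAMPLE_LOG = """\
Jul 16 2010 16:59:31: %ASA-5-713050: Group = TS_group, Username = xxxx, IP = 15.15.15.15, Connection terminated for peer xxxxx.  Reason: Peer Terminate  Remote Proxy 192.168.250.4, Local Proxy 0.0.0.0
Jul 16 2010 16:59:32: %ASA-4-113019: Group = TS_group, Username = xxxx, IP = 15.15.15.15, Session disconnected. Session Type: IPSec, Duration: 0h:18m:35s, Bytes xmt: 208331, Bytes rcv: 1696143, Reason: User Requested
Jul 16 2010 17:40:02: %ASA-5-713050: Group = TS_group, Username = bob, IP = 198.51.100.7, Connection terminated for peer 198.51.100.7.  Reason: Lost Service  Remote Proxy 192.168.250.9, Local Proxy 0.0.0.0
Jul 16 2010 17:40:02: %ASA-4-113019: Group = TS_group, Username = bob, IP = 198.51.100.7, Session disconnected. Session Type: IPSec, Duration: 0h:07m:10s, Bytes xmt: 1024, Bytes rcv: 2048, Reason: Lost Service
Jul 16 2010 18:31:00: %ASA-4-113019: Group = TS_group, Username = carol, IP = 198.51.100.8, Session disconnected. Session Type: IPSec, Duration: 1h:02m:00s, Bytes xmt: 4096, Bytes rcv: 4096, Reason: Idle Timeout
"""

TERM_RE = re.compile(
    r"%ASA-5-713050: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), Connection terminated for peer \S+\s+"
    r"Reason: (?P<reason>.+?)\s+Remote Proxy"
)
DISC_RE = re.compile(
    r"%ASA-4-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), Session disconnected\. Session Type: (?P<stype>[^,]+), "
    r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+?)\s*$"
)


def verdict(term_reason, disc_reason):
    """Map the ASA's own reason strings to where to look next."""
    if disc_reason == "Idle Timeout":
        return "idle-timeout"      # ASA idle timer fired: check vpn-idle-timeout in the group-policy
    if term_reason == "Peer Terminate":
        return "peer-initiated"    # the delete came from the peer side: the client log is needed
    if "Lost Service" in (term_reason, disc_reason):
        return "dpd-failure"       # ASA stopped seeing DPD replies: check the path and keepalive threshold
    return "other"


def triage(log_text, idle_timeout_min):
    """Pair 713050 with the following 113019 for the same (group, user, ip)
    and return one record per disconnected session."""
    pending = {}   # (group, user, ip) -> reason from the 713050 line
    events = []
    for line in log_text.splitlines():
        m = TERM_RE.search(line)
        if m:
            pending[(m["group"], m["user"], m["ip"])] = m["reason"]
            continue
        m = DISC_RE.search(line)
        if not m:
            continue
        term_reason = pending.pop((m["group"], m["user"], m["ip"]), None)
        duration = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        events.append({
            "user": m["user"],
            "group": m["group"],
            "duration_s": duration,
            "bytes_total": int(m["xmt"]) + int(m["rcv"]),
            "term_reason": term_reason,
            "disc_reason": m["reason"],
            # The idle timer can only fire once the session has lasted at least
            # idle_timeout minutes, so a shorter session rules it out outright.
            "idle_timer_possible": duration >= idle_timeout_min * 60,
            "verdict": verdict(term_reason, m["reason"]),
        })
    return events


if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG, idle_timeout_min=45):
        print(ev["user"], ev["duration_s"], ev["verdict"], "idle-timer-possible:", ev["idle_timer_possible"])
```

For the posted session the record comes out as 1115 seconds, "peer-initiated", idle timer not possible: the ASA only logged that the peer sent the delete, so the next data point has to come from the client's own log.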

Victor,

OK, so we know that disconnect comes from client "Reason: Peer Terminate". (The root cause might not be on client)

Looks to me like something in the way DPDs operate.

Will a user get disconnected if you run a continuous ping via the tunnel?

Marcin

Yes, even with a continuous ping, it disconnected. But I only allow RDP and DNS traffic through the tunnel; should this affect it?

rgs,

Victor