
Cisco VPN Client Latency Disconnects

nstahlman
Level 1

We have several remote clients connecting to a 1720 router at our main site with the Cisco VPN Software Client. These remote clients are both being disconnected at random times.

It would appear the disconnects are being caused by latency on the Internet connection at the main site. At the time of the disconnects the latency is between 300ms and 350ms. It also appears that this latency is being caused by a high volume of (but all legitimate) outbound Internet traffic from the main site.

Has anyone experienced a similar problem? Is there any tuning that I can do to our router to help lower the latency or to allow the VPN clients to not be disconnected without getting a faster Internet connection?

Thanks,

Nate

5 Replies

mostiguy
Level 6

You might need to look into the viability of setting up QoS on the 1720, and creating a policy that sets up VPN traffic as higher priority than other traffic.
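
One way to express the QoS suggestion above as IOS Modular QoS CLI configuration; this is an added example, not configuration posted by anyone in the thread. The names VPN-TUNNEL and WAN-EGRESS, the interface Serial0 and the 30 percent figure are assumptions, as is MQC support in the router's IOS image; the UDP ports follow from the NAT-T over UDP client setup described later in the thread.

```cisco
! Added example (assumed names and values, not from the thread).
! Classify the tunnel traffic as it appears on the WAN after encryption:
! IKE on UDP 500, NAT-T encapsulated ESP on UDP 4500, and native ESP.
ip access-list extended VPN-TUNNEL
 ! Head-end to client: source port is the well-known one, the
 ! destination port may have been rewritten by the client's NAT device.
 permit udp any eq 500 any
 permit udp any eq 4500 any
 ! Same ports matched as destination, in case a peer is not behind NAT.
 permit udp any any eq 500
 permit udp any any eq 4500
 ! Native IKE-ESP clients (no transparent tunneling).
 permit esp any any
!
class-map match-all VPN-TUNNEL
 match access-group name VPN-TUNNEL
!
policy-map WAN-EGRESS
 ! Guarantee the tunnels a share of the uplink during congestion so that
 ! keepalives and user data are not starved by bulk outbound traffic.
 class VPN-TUNNEL
  bandwidth percent 30
 ! Everything else shares what is left, fairly per flow.
 class class-default
  fair-queue
!
! Serial0 is an assumed WAN interface name. Set "bandwidth" to the real
! uplink rate in kbit/s, because the percentage is computed from it.
interface Serial0
 bandwidth 1544
 service-policy output WAN-EGRESS
```

Queueing only takes effect when this interface is the actual bottleneck, so the `bandwidth` value has to match the real uplink rate. `show policy-map interface Serial0` shows per-class match and drop counters, which confirms whether tunnel packets are landing in the VPN-TUNNEL class during the busy periods.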

ehirsel
Level 6

A latency of 350ms should not be high enough to cause a disconnect of vpn client sessions.

Are you implementing isakmp keepalives on the 1720? What type of log messages are generated by the head-end or by the client when the disconnect happens?

What version of IOS and client code are used, and how are the clients configured to connect? (i.e., native IKE-ESP, NAT-T over UDP, or NAT-T over TCP; another name for NAT-T is transparent tunneling.)

I am using the lines:

crypto isakmp keepalive 40 5

crypto isakmp nat keepalive 20

Also, the VPN Server is running the 12.3.12a IOS and the clients are the Cisco VPN Client version 4.06.01.0019. These clients are configured to connect to the VPN Server using NAT-T over UDP.

When the clients are disconnected I have received two different messages at different times. The first is Reason 412: The Remote Peer Is No Longer Responding. The second is Error 51: IPC socket allocation failed with error.

I do not have any of the logs available at this time to post. Let me know if any of this information helps and I can post the logs later.

Thanks,

Nate

Here is what error 51 means:

Error 51: IPC socket allocation failed with error %1h.

-------------------------------------------

Description or Action:

The VPN Client failed to create an inter-process communication socket in order to communicate with the service/daemon. VPN connections cannot be established/terminated via the GUI. Refer to Related Information for link to search on Cisco bug ID CSCed05004.

This info came from the vpn client GUI error message lookup tool found at: http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_tech_note09186a00801f253d.shtml

There could be different reasons for the 412 Reason code, but since you are also getting error 51, I believe that the 412 error is due to similar reasons.

Are all the clients that experience the issue running the same OS level? What OS is used by the clients?

Do the clients experience the issue often when first trying to connect upon OS bootup? If that is the case, then it could be that the Cisco VPN service has not fully initialized before the user tries to connect via the GUI.

There are only 2 VPN clients and they both are running Windows 2000 Pro and are running the same previously mentioned version of the Cisco VPN Software Client.

Also, both of the clients are connecting to the VPN at logon, but the disconnects only happen after they have been using the connection for a while. All of the disconnects appear to happen when there is peak network usage at the main site, which is why I suspected a latency-related problem.

Also, the Error 51 only seldom occurs. Usually the clients receive the Warning 412 when disconnected.

I don't know if this information helps or not, so please let me know.

Nate