12-05-2011 04:38 PM
Hello all!
Platform: cisco 887 ios 15.0(1)M4
Client: iphone4s
Easy vpn server problem connection
When the iPhone goes into standby it disconnects from the VPN server. When I try to reconnect, it disconnects immediately and won't reconnect. Here's the debug output (debug crypto isakmp error):
000336: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access5, changed state to down
000337: At ISAKMP:(2056):Could not get address from pool!
000338: ISAKMP:(2056):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR (peer x.x.x.x)
000339: ISAKMP:FSM error - Message from AAA grp/user.
000340: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
000341: ISAKMP:(2056):deleting SA reason "Fail to allocate ip address" state (R) MM_NO_STATE (peer x.x.x.x)
000342: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_negotiating since it's already 0.
With this configuration:
aaa new-model
aaa authentication login default local
aaa authentication login ATH local
aaa authorization exec default local
aaa authorization network GRP local
aaa session-id common
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
!
!
crypto isakmp client configuration group VPN
key x
pool VCL
save-password
!
!
crypto isakmp profile IKE
match identity group VPN
client authentication list ATH
isakmp authorization list GRP
client configuration address respond
keepalive 10 retry 3
virtual-template 1
!
!
crypto ipsec transform-set TRS esp-aes 256 esp-sha-hmac
!
!
crypto ipsec profile SEC
set security-association idle-time 28800
set transform-set TRS
set isakmp-profile IKE
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SEC
!
!
ip local pool VCL 192.168.10.1
!
Which one should I smash? iPhone or Cisco? This has kept me busy for over 2 weeks now. Clear commands won't do anything. I have to reset the Dialer0 interface to make it work. Is there any command to clear the interface as soon as the client disconnects from the VPN? Please help
Regards
Alex
edit:
The client seems to get stuck when it disconnects aggressively. When I remove the local pool and apply it again with the same name, the address is STILL in use!!!
The address is still in use even though the client disconnected hours ago:
#show ip local pool VCL
Pool Begin End Free In use Blocked
VCL 192.168.10.1 192.168.10.1 0 1 0
Available addresses:
None
Inuse addresses:
192.168.10.1 IKE Addr IDB
Held addresses: Time Remaining
None
Any help is much appreciated
12-08-2011 12:16 PM
Hi Alex
The problem is indeed that the router only has one IP address in its pool, and when the client does not disconnect gracefully, the router does not realize it is disconnected and so the pool address remains assigned.
Hence the "Could not get address from pool!" in the debugs.
Obviously a quick & dirty workaround is to increase the size of the pool.
Other than that, enabling DPD (dead peer detection) should help; try "crypto isakmp keepalive 10 2".
Note: the above command uses the most aggressive DPD timers possible. With just one client this will not be a problem, but if you have dozens/hundreds/thousands then you may want to use more relaxed timers or you will kill your CPU.
hth
Herbert
Edit: just realized you already have "keepalive 10 retry 3" in your isakmp profile, so not sure why that is not working... then I realized you're using an iPhone as the client, and I'm not sure if the Apple client supports DPD. "debug crypto isakmp" should show this.
Another option may be to set "crypto ipsec security-association idle-time" to a low value.
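As an added defender-side example (not code from either poster), the script below parses the "show ip local pool" output and the "debug crypto isakmp error" lines quoted in this thread, flags pools with zero free addresses, and extracts the ISAKMP SA ids that failed allocation. The sample text is constructed from the posts above; run it periodically against real output to catch a stale lease before the next reconnect fails.

```python
import re

# Constructed sample input, copied in shape from the thread's "show ip local pool VCL" output.
POOL_OUTPUT = """\
Pool Begin End Free In use Blocked
VCL 192.168.10.1 192.168.10.1 0 1 0
Available addresses:
None
Inuse addresses:
192.168.10.1 IKE Addr IDB
Held addresses: Time Remaining
None
"""

# Constructed sample input, the "debug crypto isakmp error" lines from the first post.
DEBUG_LINES = [
    "000337: At ISAKMP:(2056):Could not get address from pool!",
    '000338: ISAKMP:(2056):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR (peer x.x.x.x)',
    "000339: ISAKMP:FSM error - Message from AAA grp/user.",
]

# One pool summary row: name, begin, end, free, in-use, blocked.
POOL_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")
# Either of the two debug lines IOS emits when IKE cannot hand out a pool address.
ALLOC_FAIL_RE = re.compile(r'ISAKMP:\((\d+)\):(?:Could not get address from pool|deleting SA reason "Fail to allocate ip address")')

def parse_pool(text):
    """Return {pool_name: {"free": n, "in_use": n, "inuse_addrs": [...]}} from 'show ip local pool'."""
    pools, current, section = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        m = POOL_RE.match(line)
        if m:
            current = m.group(1)
            pools[current] = {"free": int(m.group(4)), "in_use": int(m.group(5)), "inuse_addrs": []}
            section = None
        elif line.startswith("Inuse addresses"):
            section = "inuse"
        elif line.endswith(":") or line.startswith("Held"):
            section = None            # "Available addresses:" / "Held addresses: Time Remaining"
        elif section == "inuse" and current and line != "None":
            pools[current]["inuse_addrs"].append(line.split()[0])   # address is the first column
    return pools

def exhausted_pools(pools):
    """Pools with no free address: the next client gets 'Could not get address from pool!'."""
    return sorted(name for name, p in pools.items() if p["free"] == 0)

def allocation_failures(lines):
    """Sorted ISAKMP SA ids whose negotiation died for lack of a pool address."""
    return sorted({m.group(1) for line in lines for m in [ALLOC_FAIL_RE.search(line)] if m})
```
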
12-08-2011 12:57 PM
Hello Herbert
Yes, I use only one client (iPhone) for this profile to connect to my VPN. In a later post I wrote that I used the command "crypto ipsec security-association idle-time" and set it to 2 minutes. I thought that this solved the issue I had, until yesterday! The same exact thing happened again!! This time I logged off from the Easy VPN server normally and when I tried again I saw the same error message in the debug output!
I noticed from the command "show crypto eli" that my router allows 100 IPsec sessions. So what I did was to log in and log off 100 times to see if that was the problem. Pathetic, I know; it took me over 10 mins, but I wanted to see why, even though I logged off normally, I couldn't access the VPN server. Thankfully this was not the problem.
So far I don't have a clue! This is very frustrating, as I've spent many hours with no solution. Last night when this happened it locked me out of my network for over 10 hours until I got back home and reloaded the router (the VPN LED was off). There's no other way to get over it.
I have many issues with the Easy VPN client on the iPhone, but this is the most critical for me so far. Now I've issued the command "crypto ipsec security-association idle-time 120 default" and hopefully it does something.
Finally, I don't think giving more space would solve this. IPs somehow get stuck and are never released, no matter how much address space I give.
Thanks for your time