5518 Views, 0 Helpful, 2 Replies

client won't disconnect!

alexbak79
Level 1

Hello all!

Platform: Cisco 887, IOS 15.0(1)M4

Client: iPhone 4S

Easy VPN server connection problem

When the iPhone goes into standby it disconnects from the VPN server. When I try to reconnect, it disconnects immediately and won't reconnect. Here's the debug output (debug crypto isakmp error):

000336: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access5, changed state to down
000337: At ISAKMP:(2056):Could not get address from pool!
000338: ISAKMP:(2056):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR     (peer x.x.x.x)
000339: ISAKMP:FSM error - Message from AAA grp/user.
000340: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
000341: ISAKMP:(2056):deleting SA reason "Fail to allocate ip address" state (R) MM_NO_STATE (peer x.x.x.x)
000342: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_negotiating since it's already 0.

With this configuration:

aaa new-model
aaa authentication login default local
aaa authentication login ATH local
aaa authorization exec default local
aaa authorization network GRP local
aaa session-id common
!
! IKE phase 1 policy
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
! Easy VPN group: pre-shared key and the address pool handed to clients
crypto isakmp client configuration group VPN
 key x
 pool VCL
 save-password
!
! ISAKMP profile binding the group to the virtual template
crypto isakmp profile IKE
 match identity group VPN
 client authentication list ATH
 isakmp authorization list GRP
 client configuration address respond
 keepalive 10 retry 3
 virtual-template 1
!
crypto ipsec transform-set TRS esp-aes 256 esp-sha-hmac
!
! IPsec profile: idle SAs are kept for 28800 s (8 hours)
crypto ipsec profile SEC
 set security-association idle-time 28800
 set transform-set TRS
 set isakmp-profile IKE
!
interface Virtual-Template1 type tunnel
 ip unnumbered Dialer0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SEC
!
! Address pool containing a single address
ip local pool VCL 192.168.10.1
!

Which one should I smash, the iPhone or the Cisco? This has kept me busy for over 2 weeks now. Clear commands don't do anything. I have to reset the Dialer0 interface to make it work. Is there any command to clear the interface as soon as the client disconnects from the VPN? Please help.

Regards

Alex

edit:

The client seems to get stuck when it disconnects abruptly. When I remove the local pool and apply it again with the same name, the address is STILL in use!!!

The address is still in use even though the client disconnected hours ago:

#show ip local pool VCL
Pool                     Begin           End             Free  In use   Blocked
VCL               192.168.10.1    192.168.10.1       0       1       0
Available addresses:
     None
Inuse addresses:
   192.168.10.1       IKE Addr IDB
Held addresses:    Time Remaining
     None

any help is much appreciated

2 Replies

Herbert Baerten
Cisco Employee

Hi Alex

The problem is indeed that the router only has one IP address in its pool, and when the client does not disconnect gracefully, the router does not realize it is disconnected and so the pool address remains assigned.

Hence the "Could not get address from pool!" in the debugs.

Obviously a quick&dirty workaround is to increase the size of the pool.

Other than that, enabling DPD (dead peer detection) should help; try "crypto isakmp keepalive 10 2".

Note: the above command uses the most aggressive DPD timers possible. With just one client this will not be a problem, but if you have dozens/hundreds/thousands then you may want to use more relaxed timers or you will kill your CPU.

hth

Herbert

Edit: just realized you already have "keepalive 10 retry 3" in your ISAKMP profile, so not sure why that is not working... then I realized you're using an iPhone as client, and I'm not sure if the Apple client supports DPD. "debug crypto isakmp" should show this.

Another option may be to set "crypto ipsec security-association idle-time" to a low value.
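As an added example (not configuration from the original post, from Herbert, or from Cisco documentation), here is what the three suggestions above look like applied to Alex's configuration, with the original value shown next to the adjusted one in each case. The pool range 192.168.10.1 to 192.168.10.14, the 120-second idle time and the x.x.x.x peer address are illustrative. It is an assumption made here that the keepalive configured inside the ISAKMP profile takes precedence over the global crypto isakmp keepalive, which is why the profile-level line is removed so the global periodic setting applies; the commands are written against the 15.0(1)M4 image named in the post but were not tested on it.

```cisco
! --- Before: a one-address pool. A client that drops without sending an
! --- IKE DELETE keeps 192.168.10.1 assigned ("IKE Addr IDB" in
! --- "show ip local pool VCL"), and the next connection attempt fails with
! --- "Could not get address from pool!".
ip local pool VCL 192.168.10.1
!
! --- 1. Quick workaround: give the pool headroom so a single leaked address
! ---    does not lock the only client out. (Range is illustrative.)
no ip local pool VCL
ip local pool VCL 192.168.10.1 192.168.10.14
!
! --- 2. Dead Peer Detection. IOS DPD defaults to on-demand: the router only
! ---    probes a peer when it has traffic to send and gets nothing back.
! ---    An idle SA to a sleeping phone is therefore never probed, and the SA
! ---    (with its pool address) lingers. The "periodic" keyword sends a DPD
! ---    probe every 10 s regardless of traffic and retries every 2 s once a
! ---    probe goes unanswered, so a vanished peer is detected while idle.
! ---    Assumption (see lead-in): the profile-level keepalive overrides the
! ---    global one, so it is removed to let the global setting apply.
crypto isakmp keepalive 10 2 periodic
crypto isakmp profile IKE
 no keepalive
!
! --- 3. IPsec SA idle timer. The original profile keeps an idle SA for
! ---    28800 s (8 h); 120 s removes idle IPsec SAs quickly. Whether this
! ---    also releases the address handed out via IKE mode config is not
! ---    confirmed anywhere in this thread.
crypto ipsec profile SEC
 set security-association idle-time 120
!
! --- Verify, and recover a leaked address without bouncing Dialer0
! --- (x.x.x.x is the placeholder peer address from the debug output):
!   show ip local pool VCL
!   show crypto isakmp sa
!   clear crypto session remote x.x.x.x
```

Of the three changes, only the pool size addresses the symptom directly; the other two try to make the router notice the dead peer sooner so the address is returned to the pool. The thread does not confirm which, if any, resolved Alex's case, and Herbert's CPU caveat about the 10/2 timers applies to the periodic form as well, since it probes every peer continuously.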

Hello Herbert

Yes, I use only one client (iPhone) for this profile to connect to my VPN. In a later post I wrote that I used this command "crypto ipsec security-association idle-time" and set it to 2 minutes. I thought that this solved the issue I had, until yesterday! The same exact thing happened again!! This time I logged off from the Easy VPN server normally, and when I tried again I saw the same error message in the debug output!

I noticed from the command "show crypto eli" that my router allows 100 IPsec sessions. So what I did was to log in and log off 100 times to see if that was the problem. Pathetic, I know; it took me over 10 minutes, but I wanted to see why, even though I logged off normally, I couldn't access the VPN server. Thankfully this was not the problem.

So far I don't have a clue! This is very frustrating, as I've spent many hours with no solution. Last night when this happened it locked me out of my network for over 10 hours, until I got back home and reloaded the router (the VPN LED was off). There's no other way to get over it.

I have many issues with the Easy VPN client on the iPhone, but this is the most critical one for me so far. Now I've issued the command "crypto ipsec security-association idle-time 120 default" and hopefully it does something.

Finally, I don't think giving more address space would solve this. IPs somehow get stuck and are never released, no matter how much address space I give.

Thanks for your time