
How to keep the VPN tunnel for unstable Internet connectivity?

cjrchoi11
Level 1

I have a VPN3030 concentrator and VPN client 3.6.2.b. They are connected through the Internet, but the Internet connectivity is unstable.

So I want the end user's application to continue without any interruption, even if the Internet is unreachable for a while. For example, if there is a problem with the Internet connectivity for 5 minutes, my end user should resume his/her application through the VPN tunnel when Internet connectivity is restored, without restarting the VPN client software. Our configuration follows.

VPN client 3.6.2.b(.pcf file)

---------------------------------

ForceKeepAlives=1

PeerTimeout=480

VPN concentrator,

----------------------

IKE keepalive=enabled.

IKE lifetime=86400

IPSec SA lifetime=28800

I established the VPN client connection to the concentrator and ran a continuous PING to verify the status. I removed the LAN cable from the laptop and connected it again 5 minutes later. The VPN client is still alive but the PING does not resume. I must restart the VPN client. The log on the concentrator shows the connection terminated by user request. I tried with IKE keepalive=disabled on the concentrator but got the same result.

---------------------------

30559 01/15/2003 12:36:37.000 SEV=5 IKE/50 RPT=18727 64.231.118.149

Group [test_vpn_1] User [test_usr1]

Connection terminated for peer test_usr1 (Peer Terminate)

Remote Proxy x.x.x.x, Local Proxy x.x.x.x

30562 01/15/2003 12:36:37.010 SEV=5 IKE/50 RPT=18728 x.x.x.x

Group [test_vpn_1] User [test_usr1]

Connection terminated for peer test_usr1 (Peer Terminate)

Remote Proxy x.x.x.x, Local Proxy x.x.x.x

30565 01/15/2003 12:36:37.010 SEV=4 AUTH/28 RPT=13032 x.x.x.x

User [test_usr1] disconnected:

Duration: 0:23:43

Bytes xmt: 3968

Bytes rcv: 3968

Reason: User Requested

---------------------------

Please guide me on how to implement this requirement.

Thanks,

2 Replies

d-garnett
Level 3

it sounds like all of the keys have been deleted for that tunnel on the client. once the keys are deleted you will need to re-establish the tunnel to send secure data (restart the vpn client). why are you removing the LAN cable from the laptop? assuming that the laptop is at the remote site, removing the cable is constituting a user requested termination on the concentrator. *also enable the Log Viewer on the client to assist you. (turn all log settings from low(default) to high)

but per your question

one method is to force keepalives in the Client profile (on the client computer)

open up the Cisco folder (on the C drive, or wherever you installed the vpn client) and go into the Profiles

you will see files with the name of the connections that you made

they will be with a .pcf extension

open these up with a text editor (NOTEPAD) and go down to the line that says

ForceKeepAlives=0

change it to 1

Keepalives on the concentrator are not really "keepalives" per se, it just enables DeadPeerDetection. client and concentrator communicate every 5 secs to see if connection is still alive. if it dies you will see a message like this

621 01/15/2003 11:54:54.010 SEV=4 IKE/123 RPT=73

Group [group1] User [user]

IKE lost contact with remote peer, deleting connection (keepalive type: DPD)

623 01/15/2003 11:54:54.020 SEV=4 AUTH/27 RPT=246

User [user] disconnected:

Duration: 1:17:16

Bytes xmt: 613576

Bytes rcv: 558560

Reason: User Requested

IKE lost contact with remote peer, deleting connection (keepalive type: DPD)

in most cases this means something between the modem, line, ISP cloud to the concentrator went bad. this has been happening to me A LOT lately.

Thanks. My point is how I can keep the VPN session even when there is a problem with the Internet connectivity for a while. The Internet could be unavailable for 1 min or 3 min for some reason. In that case, I want to just wait and continue the end user's application without restarting the VPN session.

I put my laptop at the remote site and established a VPN session to the concentrator. I issued a continuous PING to a server located inside the concentrator and monitored the status while testing. I removed the RJ45 cable from my laptop for 30 seconds and connected it again. Then the PING continued without restarting the VPN session. It means the VPN session was not terminated. But if I remove the RJ45 cable from my laptop for 3 minutes, I cannot PING even after connecting the RJ45 cable again. It means the VPN session was terminated.

My question is how I can keep the VPN session longer (e.g., 5 minutes).
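
Added example, not part of the thread and not Cisco tooling: in both concentrator excerpts above the AUTH record reads "Reason: User Requested", so the IKE event logged just before it for the same user is what separates a Peer Terminate from a DPD timeout. This Python sketch pairs the two records; the function names and cause labels are chosen for this example, and the sample log is assembled from the thread's excerpts.

```python
import re

# Event header as in the thread's excerpts: seq, date, time, SEV, CLASS/number, RPT, optional peer.
HEADER = re.compile(r"^\d+ \d\d/\d\d/\d{4} [\d:.]+ SEV=\d+ (?P<event>[A-Z]+/\d+) RPT=\d+(?: \S+)?$")
USER = re.compile(r"User \[([^\]]+)\]")
REASON = re.compile(r"Reason: (.+)$", re.M)
# IKE message text (from the excerpts) mapped to labels chosen for this example.
CAUSES = {"keepalive type: DPD": "dpd_timeout", "(Peer Terminate)": "peer_terminate"}

# Sample assembled from the two excerpts in the thread; duplicate, duration and byte-count lines omitted.
SAMPLE_LOG = """\
30559 01/15/2003 12:36:37.000 SEV=5 IKE/50 RPT=18727 64.231.118.149
Group [test_vpn_1] User [test_usr1]
Connection terminated for peer test_usr1 (Peer Terminate)
30565 01/15/2003 12:36:37.010 SEV=4 AUTH/28 RPT=13032 x.x.x.x
User [test_usr1] disconnected:
Reason: User Requested
621 01/15/2003 11:54:54.010 SEV=4 IKE/123 RPT=73
Group [group1] User [user]
IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
623 01/15/2003 11:54:54.020 SEV=4 AUTH/27 RPT=246
User [user] disconnected:
Reason: User Requested
"""

def parse_events(text):
    """Group each header line with the continuation lines that follow it."""
    events = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            events.append({"event": m["event"], "body": []})
        elif line and events:
            events[-1]["body"].append(line)
    return events

def classify_disconnects(text):
    """Pair each AUTH disconnect with the IKE cause last logged for that user."""
    cause, results = {}, []
    for ev in parse_events(text):
        body = "\n".join(ev["body"])
        user = USER.search(body)
        if user and ev["event"].startswith("IKE/"):
            cause.update({user[1]: c for marker, c in CAUSES.items() if marker in body})
        elif user and ev["event"].startswith("AUTH/") and "disconnected" in body:
            reason = REASON.search(body)
            results.append((user[1], reason[1] if reason else None, cause.pop(user[1], "unknown")))
    return results
```

Each result is a (user, AUTH reason, IKE cause) tuple; a disconnect with no preceding IKE event for that user is reported with cause "unknown".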