11255 Views | 0 Helpful | 2 Replies

IPSecLAN2LAN session disconnecting Reason: Lost Service

ggabbitas
Level 1

First off I'm not really a network administrator and this question will probably be easy for you guys! Our network admin left abruptly so that leaves me until someone is hired. My work has a VPN connection between my building and a store in another city. The VPN connection has been flawless. The ASA at the remote location was rebooted and I don't know if this brought back settings or took away settings that weren't saved to flash or if some settings were messed with before he left. Regardless, we're having problems now. The remote location has an ASA5505 and my local location has an ASA5510.

The store (remote location) is having problems connecting to the database at my location intermittently. They said it seems to happen when a register is left idle for a while. In the messages on my local ASDM I'm seeing the following error (the x's are the store's public IP address that I removed):

Group = xxx.xxx.x.xx, Username = xxx.xxx.x.xx, IP = xxx.xxx.x.xx, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 2h:03m:58s, Bytes xmt: 2063917, Bytes rcv: 3473139, Reason: Lost Service

From research it looks like this is caused by DPD? But it seems like DPD is only for an SSL VPN Client setup? What settings would I check to fix this disconnect problem? Keep in mind I'm a novice and I'll be doing the configuration changes in the ASDM and not command line. Thanks for any help!
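The message quoted in the post is what the ASA logs every time a LAN-to-LAN session is torn down, so a short parser over those lines shows which peers are dropping, how often, and with what reason. This is an added example for readers of the thread, not code from the original post or from Cisco; the sample log lines are constructed (the peer addresses are documentation ranges), and the syslog message ID prefix is included only to make them look like real syslog output.

```python
import re
from collections import defaultdict

# Parser for the ASA "Session disconnected" message quoted in the post
# (syslog message %ASA-4-113019). The sample lines below are constructed for
# this example; the peer addresses are documentation ranges, not real sites.
SESSION_RE = re.compile(
    r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+), "
    r"Session disconnected\. Session Type: (?P<stype>\w+), "
    r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+?)\s*$"
)

SAMPLE_LOG = """\
%ASA-4-113019: Group = 198.51.100.10, Username = 198.51.100.10, IP = 198.51.100.10, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 2h:03m:58s, Bytes xmt: 2063917, Bytes rcv: 3473139, Reason: Lost Service
%ASA-4-113019: Group = 198.51.100.10, Username = 198.51.100.10, IP = 198.51.100.10, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:45m:12s, Bytes xmt: 10234, Bytes rcv: 8812, Reason: Lost Service
%ASA-4-113019: Group = 203.0.113.7, Username = 203.0.113.7, IP = 203.0.113.7, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 23h:59m:59s, Bytes xmt: 99000, Bytes rcv: 101000, Reason: User Requested
%ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.7/443 to inside:10.0.0.5/51234 duration 0:00:05 bytes 1200 TCP FINs
"""


def parse_disconnect(line):
    """Return a dict for a session-disconnect line, or None for any other message."""
    m = SESSION_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    # Fold the h:m:s fields into one duration in seconds.
    d["duration_s"] = int(d.pop("h")) * 3600 + int(d.pop("m")) * 60 + int(d.pop("s"))
    d["xmt"], d["rcv"] = int(d["xmt"]), int(d["rcv"])
    return d


def summarize(log_text, session_type="IPSecLAN2LAN"):
    """Per-peer drop count, how many drops were 'Lost Service', and the shortest tunnel lifetime seen."""
    stats = defaultdict(lambda: {"drops": 0, "lost_service": 0, "min_duration_s": None})
    for line in log_text.splitlines():
        ev = parse_disconnect(line)
        if ev is None or ev["stype"] != session_type:
            continue
        s = stats[ev["ip"]]
        s["drops"] += 1
        if ev["reason"] == "Lost Service":
            s["lost_service"] += 1
        if s["min_duration_s"] is None or ev["duration_s"] < s["min_duration_s"]:
            s["min_duration_s"] = ev["duration_s"]
    return dict(stats)


def suspect_peers(stats):
    """Peers whose every recorded drop was 'Lost Service': the keepalive/DPD pattern to check first."""
    return sorted(ip for ip, s in stats.items() if s["drops"] and s["lost_service"] == s["drops"])


if __name__ == "__main__":
    st = summarize(SAMPLE_LOG)
    for ip, s in st.items():
        print(f"{ip}: {s['drops']} drops, {s['lost_service']} Lost Service, shortest {s['min_duration_s']}s")
    print("check keepalive settings for:", suspect_peers(st))
```

Run it against a syslog export instead of SAMPLE_LOG to see whether only one peer drops with "Lost Service" (pointing at that peer's tunnel-group or the path to it) or all of them do (pointing at the local ASA's settings, as the poster later suspects).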

2 Replies

ggabbitas
Level 1

It doesn't happen if I do a continuous ping. Both of the remote locations disconnect if I don't have a continuous ping to their IP so something must have gotten changed on our local ASA5510 device. Any idea what setting I can check in the ASDM interface? Thanks!

If you configure ISAKMP keepalives, it helps prevent sporadically dropped LAN-to-LAN or Remote Access VPN, which includes VPN clients, tunnels and the tunnels that are dropped after a period of inactivity. This feature lets the tunnel endpoint monitor the continued presence of a remote peer and report its own presence to that peer. If the peer becomes unresponsive, the endpoint removes the connection. In order for ISAKMP keepalives to work, both VPN endpoints must support them.

  • Cisco PIX/ASA 7.x and later, for the tunnel group named 10.165.205.222

    securityappliance(config)#tunnel-group 10.165.205.222 ipsec-attributes
    securityappliance(config-tunnel-ipsec)#isakmp keepalive threshold 15 retry 10


In some situations, it is necessary to disable this feature in order to solve the problem, for example, if the VPN Client is behind a Firewall that prevents DPD packets.

Cisco PIX/ASA 7.x and later, for the tunnel group named 10.165.205.222

Disables IKE keepalive processing, which is enabled by default.

    securityappliance(config)#tunnel-group 10.165.205.222 ipsec-attributes
    securityappliance(config-tunnel-ipsec)#isakmp keepalive disable

Check the configuration of keepalives in the ASDM under "configuration>>site to site>>" section for your remote office.
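For someone who would rather not click through each tunnel-group in ASDM, the same keepalive check can be done once over a saved copy of the running-config, so every site-to-site peer is compared side by side. This is an added example, not code from the thread or from Cisco: it assumes the "tunnel-group <peer> ipsec-attributes" sub-mode layout shown in the reply above, the config excerpt is constructed (documentation-range peers, keys masked as the ASA prints them), and the default threshold/retry values used when no keepalive line is present are an assumption to confirm on the local software version.

```python
import re

# ISAKMP keepalive values applied when a tunnel-group has no explicit line.
# Assumed defaults for this example; confirm on your own ASA version with
# "show running-config all tunnel-group".
DEFAULT_THRESHOLD = 10
DEFAULT_RETRY = 2

TG_TYPE_RE = re.compile(r"^tunnel-group (\S+) type (\S+)$")
TG_IPSEC_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")
KEEPALIVE_RE = re.compile(r"^\s+isakmp keepalive (?:threshold (\d+) retry (\d+)|(disable))$")

# Constructed running-config excerpt. 192.0.2.20 deliberately has no
# keepalive line, and RA-USERS is a remote-access group that the audit skips.
SAMPLE_CONFIG = """\
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 15 retry 10
tunnel-group 203.0.113.7 type ipsec-l2l
tunnel-group 203.0.113.7 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive disable
tunnel-group 192.0.2.20 type ipsec-l2l
tunnel-group 192.0.2.20 ipsec-attributes
 pre-shared-key *****
tunnel-group RA-USERS type remote-access
tunnel-group RA-USERS ipsec-attributes
 pre-shared-key *****
"""


def _new_entry():
    return {"type": None, "keepalive": "default",
            "threshold": DEFAULT_THRESHOLD, "retry": DEFAULT_RETRY}


def audit_keepalives(config_text):
    """Map each tunnel-group name to its type and effective ISAKMP keepalive settings."""
    groups = {}
    current = None  # entry for the ipsec-attributes block we are inside, if any
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = TG_TYPE_RE.match(line)
        if m:
            groups.setdefault(m.group(1), _new_entry())["type"] = m.group(2)
            current = None
            continue
        m = TG_IPSEC_RE.match(line)
        if m:
            current = groups.setdefault(m.group(1), _new_entry())
            continue
        if line[0].isspace():
            # Indented line: only keepalive lines inside an ipsec-attributes block matter.
            m = KEEPALIVE_RE.match(line) if current is not None else None
            if m and m.group(3):
                current.update(keepalive="disabled", threshold=None, retry=None)
            elif m:
                current.update(keepalive="configured",
                               threshold=int(m.group(1)), retry=int(m.group(2)))
            continue
        current = None  # any other top-level line ends the sub-mode block
    return groups


def findings(groups):
    """One note per site-to-site group, in the order a reviewer would read them."""
    notes = []
    for name, g in sorted(groups.items()):
        if g["type"] != "ipsec-l2l":
            continue
        if g["keepalive"] == "disabled":
            notes.append(f"{name}: keepalive disabled; a dead peer is noticed only when traffic fails")
        elif g["keepalive"] == "default":
            notes.append(f"{name}: no explicit keepalive; defaults threshold {g['threshold']} retry {g['retry']} assumed")
        else:
            notes.append(f"{name}: keepalive threshold {g['threshold']} retry {g['retry']}; confirm the peer supports it")
    return notes


if __name__ == "__main__":
    for note in findings(audit_keepalives(SAMPLE_CONFIG)):
        print(note)
```

Feed it the output of "show running-config tunnel-group" from both the ASA5510 and the ASA5505: the reply above notes that keepalives only work when both endpoints support them, so a peer that is disabled on one side and configured on the other is the first mismatch to look at.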