11-17-2011 08:56 PM - edited 02-21-2020 05:42 PM
Have a few users on Vista/7 using Windows L2TP to connect to our ASA5510. It is reported that after a few hours the connection drops. From what I have seen this can be anywhere around 5-6 hours. Of course my connection will drop after an amount of time has passed and no traffic has passed the tunnel. But the users are adamant that this drops during large transfers; i.e. not a timeout issue.
Before I spend any more time on this I just want to know if this is normal behavior for a remote access L2TP using Windows to disconnect on its own after this amount of time. Never had a reason myself to remain connected that long, and when I did I used a site 2 site tunnel.
11-18-2011 11:15 AM
Below is a sample log of the time when disconnects occur, I highlighted in bold the problem area.
vpn-7-715046: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, constructing IPSec SA payload
vpn-7-715046: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, constructing IPSec nonce payload
vpn-7-715001: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, constructing proxy ID
vpn-7-713906: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, Transmitting Proxy Id: Remote host: 76.17.XX.XX Protocol 17 Port 0 Local host: 216.XX.XXX.XXX Protocol 17 Port 1701
vpn-7-715046: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, constructing NAT-Original-Address payload
vpn-7-713171: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, NAT-Traversal sending NAT-Original-Address payload
vpn-7-715046: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, constructing qm hash payload
vpn-7-714005: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, IKE Responder sending 2nd QM pkt: msg id = 00000017
vpn-7-713236: IP = 76.17.XX.XX, IKE_DECODE SENDING Message (msgid=17) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NONE (0) total length : 172
vpn-7-713236: IP = 76.17.XX.XX, IKE_DECODE RECEIVED Message (msgid=958052a1) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
vpn-7-715047: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, processing hash payload
vpn-7-713906: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, processing delete
vpn-7-713170: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, IKE Received delete for rekeyed centry IKE peer: 76.17.XX.XX, centry addr: ad03bb38, msgid: 0x00000016
vpn-7-713906: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, L2TP/IPSec: Ignoring delete to a rekeyed centry (msgid=16)
vpn-7-713236: IP = 76.17.XX.XX, IKE_DECODE RECEIVED Message (msgid=17) with payloads : HDR + HASH (8) + NONE (0) total length : 52
vpn-7-715047: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, processing hash payload
vpn-7-713906: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, loading all IPSEC SAs
vpn-7-715001: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, Generating Quick Mode Key!
vpn-7-715001: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, Generating Quick Mode Key!
vpn-5-713049: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, Security negotiation complete for User (sam5510) Responder, Inbound SPI = 0xc8ed80c2, Outbound SPI = 0xe007e1fd
vpn-6-602303: IPSEC: An outbound remote access SA (SPI= 0xE007E1FD) between 216.XX.XXX.XXX and 76.17.XX.XX (user= sam5510) has been created.
vpn-7-715007: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, IKE got a KEY_ADD msg for SA: SPI = 0xe007e1fd
vpn-6-602303: IPSEC: An inbound remote access SA (SPI= 0xC8ED80C2) between 216.XX.XXX.XXX and 76.17.XX.XX (user= sam5510) has been created.
vpn-7-715077: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, Pitcher: received KEY_UPDATE, spi 0xc8ed80c2
vpn-7-715080: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, Starting P2 rekey timer: 3420 seconds.
vpn-5-713120: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, PHASE 2 COMPLETED (msgid=00000017)
vpn-7-713906: IKEQM_Active() Add L2TP classification rules: ip <76.17.XX.XX> mask <0xFFFFFFFF> port <4500>
vpn-7-715077: Pitcher: received KEY_SA_ACTIVE, spi 0xc8ed80c2
vpn-7-713906: KEY_SA_ACTIVE old rekey centry found with new spi 0xc8ed80c2
vpn-7-713906: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, sending delete/delete with reason message
vpn-7-715046: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, constructing blank hash payload
vpn-7-715046: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, constructing IPSec delete payload
vpn-7-715046: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, constructing qm hash payload
vpn-7-713236: IP = 76.17.XX.XX, IKE_DECODE SENDING Message (msgid=d84b3b70) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
vpn-7-713906: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, Active unit activates new SA for remote peer 76.17.XX.XX.
vpn-7-715009: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, IKE Deleting SA: Remote Proxy 76.17.XX.XX, Local Proxy 216.XX.XXX.XXX
vpn-6-602304: IPSEC: An outbound remote access SA (SPI= 0xFD65F940) between 216.XX.XXX.XXX and 76.17.XX.XX (user= sam5510) has been deleted.
vpn-6-602304: IPSEC: An inbound remote access SA (SPI= 0xB2891595) between 216.XX.XXX.XXX and 76.17.XX.XX (user= sam5510) has been deleted.
vpn-7-715077: Pitcher: received key delete msg, spi 0xb2891595
vpn-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 76.17.XX.XX:4500
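The rekey sequence in the log above, as an added example that is not from the thread's participants or from Cisco: a small Python parser that classifies the ASA `vpn-` syslog messages, tracks which IPsec SAs were created and deleted per user by SPI, records the Phase 2 rekey timer, and flags a `Runt ISAKMP packet discarded` message that arrives right after a completed rekey. The sample log is a constructed excerpt of the lines posted above with the same masked addresses; the regular expressions and the event names are assumptions derived from those lines only.

```python
import re

# Constructed sample: a subset of the ASA syslog lines posted in the thread.
SAMPLE_LOG = """\
vpn-7-713236: IP = 76.17.XX.XX, IKE_DECODE RECEIVED Message (msgid=958052a1) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
vpn-7-713906: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, L2TP/IPSec: Ignoring delete to a rekeyed centry (msgid=16)
vpn-5-713049: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, Security negotiation complete for User (sam5510) Responder, Inbound SPI = 0xc8ed80c2, Outbound SPI = 0xe007e1fd
vpn-6-602303: IPSEC: An outbound remote access SA (SPI= 0xE007E1FD) between 216.XX.XXX.XXX and 76.17.XX.XX (user= sam5510) has been created.
vpn-6-602303: IPSEC: An inbound remote access SA (SPI= 0xC8ED80C2) between 216.XX.XXX.XXX and 76.17.XX.XX (user= sam5510) has been created.
vpn-7-715080: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, Starting P2 rekey timer: 3420 seconds.
vpn-5-713120: Group = DefaultRAGroup, Username = sam5510, IP = 76.17.XX.XX, PHASE 2 COMPLETED (msgid=00000017)
vpn-6-602304: IPSEC: An outbound remote access SA (SPI= 0xFD65F940) between 216.XX.XXX.XXX and 76.17.XX.XX (user= sam5510) has been deleted.
vpn-6-602304: IPSEC: An inbound remote access SA (SPI= 0xB2891595) between 216.XX.XXX.XXX and 76.17.XX.XX (user= sam5510) has been deleted.
vpn-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 76.17.XX.XX:4500
"""

# Assumed message shapes, taken from the lines above (not an official ASA grammar).
HEADER_RE = re.compile(r"^vpn-(?P<sev>\d)-(?P<msgid>\d{6}): ")
SA_RE = re.compile(
    r"An (?P<dir>inbound|outbound) remote access SA \(SPI= (?P<spi>0x[0-9A-Fa-f]+)\) "
    r"between (?P<local>\S+) and (?P<peer>\S+) \(user= (?P<user>\S+)\) has been (?P<action>created|deleted)"
)
TIMER_RE = re.compile(r"Starting P2 rekey timer: (?P<secs>\d+) seconds")
RUNT_RE = re.compile(r"Runt ISAKMP packet discarded on Port (?P<port>\d+) from (?P<src>\S+)")
USER_RE = re.compile(r"Username = (?P<user>\S+),")


def parse_line(line):
    """Classify one 'vpn-' syslog line; returns None for lines this report does not track."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ev = {"severity": int(m.group("sev")), "msgid": m.group("msgid")}
    user = USER_RE.search(line)
    if (sa := SA_RE.search(line)):
        ev.update(kind="sa", **sa.groupdict())
    elif (t := TIMER_RE.search(line)):
        ev.update(kind="timer", secs=int(t.group("secs")), user=user.group("user") if user else None)
    elif "PHASE 2 COMPLETED" in line:
        ev.update(kind="phase2", user=user.group("user") if user else None)
    elif (r := RUNT_RE.search(line)):
        # Source is "ip:port"; keep only the IP so it can be matched to an SA peer.
        ev.update(kind="runt", port=int(r.group("port")), src_ip=r.group("src").rsplit(":", 1)[0])
    else:
        return None
    return ev


def new_state():
    return {"created": {"inbound": [], "outbound": []},
            "deleted": {"inbound": [], "outbound": []},
            "rekey_timer_s": None, "phase2_completed": 0, "runt_after_rekey": False}


def rekey_report(text):
    """Per-user view of SA churn: SPIs created/deleted, rekey timer, and a runt packet after a rekey."""
    sessions, peer_to_user = {}, {}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "sa":
            s = sessions.setdefault(ev["user"], new_state())
            peer_to_user[ev["peer"]] = ev["user"]
            s[ev["action"]][ev["dir"]].append(ev["spi"].lower())
        elif ev["kind"] == "timer" and ev["user"]:
            sessions.setdefault(ev["user"], new_state())["rekey_timer_s"] = ev["secs"]
        elif ev["kind"] == "phase2" and ev["user"]:
            sessions.setdefault(ev["user"], new_state())["phase2_completed"] += 1
        elif ev["kind"] == "runt":
            user = peer_to_user.get(ev["src_ip"])   # runt lines carry no username
            if user is not None:
                s = sessions[user]
                rekeyed = s["phase2_completed"] > 0 and bool(s["deleted"]["inbound"] or s["deleted"]["outbound"])
                s["runt_after_rekey"] = s["runt_after_rekey"] or rekeyed
    return sessions


def orphan_deletes(state):
    """SPIs deleted in this window but never seen created in it (i.e. the SA pair being replaced)."""
    created = set(state["created"]["inbound"] + state["created"]["outbound"])
    deleted = set(state["deleted"]["inbound"] + state["deleted"]["outbound"])
    return deleted - created


def rekeys_in(hours, timer_s):
    """Number of Phase 2 rekeys a session goes through in `hours` at a fixed rekey timer."""
    return int(hours * 3600) // timer_s


if __name__ == "__main__":
    for user, state in rekey_report(SAMPLE_LOG).items():
        print(user, state, "replaced SPIs:", sorted(orphan_deletes(state)))
```

Run against a full timestamped syslog capture rather than one screen of debug, this gives per-user SA churn over the life of a session. With the 3420 second timer shown in the excerpt, `rekeys_in(5, 3420)` and `rekeys_in(6, 3420)` return 5 and 6, so the 5-6 hour window described in the thread lands on the fifth or sixth Phase 2 rekey; the report only correlates the events, it does not establish the cause of the drop.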
06-29-2012 07:17 AM
I too am having this issue. Win7 clients connect to an ASA 5510 and get disconnected after 5-6 hours. I have an open ticket with Cisco and am working on a resolution. Yesterday it was said by Cisco that the L2TP rekey timer was shorter than the IPsec rekey timer. He reconfigured the timer, which disconnected the 11 people that were connected, but about six hours later the clients disconnected and had trouble reconnecting. We allowed remote connects from the inside interface and connected a Win7 machine and it had remained connected for 18 hours. I have found that the Cisco client will remain connected as long as you want. The difference in the two connections is the Windows client connects as L2TPoverIPSECoverNatT and the Cisco client connects with just IPSECoverNatT. I need to get this resolved one way or another. I am going to open a case with Microsoft this morning.
08-29-2018 01:55 PM
Was this issue ever resolved? If so please post some comments on the solution.
Thanks!