Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
981
Views
0
Helpful
5
Replies

L2TP VPN ASA5520 Frequent Disconnects

t.radan
Level 1
Level 1

‎02-04-2009 04:09 AM

I am using Microsoft Client with L2TP, Pre-Shared Secrets, on XP and Vista, to connect to an ASA5520. Remote users can connect without any problems but experience random yet frequent disconnects.

ASA log only shows session terminated by end user.

TAC has reviewed the config and all seems correct. Has anyone seen this behavior?

Labels:
0 Helpful
5 Replies 5

mchin345
Level 6
Level 6

‎02-10-2009 03:31 PM

It sounds like the pcs they are testing from are misconfigured. Both the L2TP over IPSEC and Cisco client connections use UDP/500 for the first packet. If the Cisco client is not working then UDP/500 is being blocked somewhere in the path. This means if the L2TP client is not configured correctly else if configured correctly then sending a UDP/500 packet we should be seeing it on the ASA. So please make sure you are client is configured correctly. Still you are getting problem then reset the ASA to factory default and rebuild the configuration & try it.

0 Helpful

t.radan
Level 1
Level 1
In response to mchin345

‎02-11-2009 06:19 AM

Please note that the remote clients are able to connect. I see their sessions clearly on the ASA. That is not the problem. The problem is that they can stay connected for hours, but then randomly disconnect. The disconnect happens with many different remote users, running either XP or Vista.

0 Helpful

FSieber1070
Level 1
Level 1

‎04-01-2009 10:44 PM

Hi,

we have the same issue. The of our examination was, that it was that the rekeying of IPSEC/ISAKMP occurs at the same time. Because if you have configured the both timers on a mutiple. If you configure the timers as following our test Clients work for days w/o interuption:

crypto dynamic-map xxx xx set security-association lifetime seconds 28801

crypto isakmp policy xx

lifetime 86400

0 Helpful

wstuart
Level 1
Level 1
In response to FSieber1070

‎04-13-2009 03:13 PM

Sorry, missed your reply...

Except for one thing, on ASA 8.0, you can not remove the KB timeout and the time timeout does not follow the setting.

0 Helpful

wstuart
Level 1
Level 1

‎04-13-2009 03:10 PM

Yes, and I think I have traced it down, but don't have a solution...

Whatever I set for:

security-association lifetime seconds

security-association lifetime kilobytes

The ASA negotiates to:

3600 Seconds (one hour)

250000 Kbytes

and the windows box has:

28800 Seconds (eight hours)

0 Kbytes (I assume infinite)

When the cisco box times out, it drops the connection and does not rekey.

I have not found any solution for this.

0 Helpful
Customers Also Viewed These Support Documents