01-20-2010 08:55 AM - edited 02-21-2020 04:27 PM
Cisco VPN Client disconnects from ASA 5500 every hour with the error 'Secure VPN Connection Terminated by Peer. Reason 433: (Reason Not Specified By Peer)'. Running the command 'sh vpn-sessiondb detail remote' shows an IPSec time out of 60 minutes, and the connection time out left corresponds with the disconnect time.
IPSecOverNatT:
Session ID : 2
Local Addr : 0.0.0.0/0.0.0.0/0/0
Remote Addr : XXX.XXX.XXX.XXX/255.255.255.255/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 25817 Seconds
Conn Time Out: 60 Minutes Conn TO Left : 10 Minutes
Bytes Tx : 6079 Bytes Rx : 76993
Pkts Tx : 33 Pkts Rx : 782
The error log from the ASA shows the following:
Jan 20 2010 08:55:54: %ASA-5-713050: Group = MecV, Username = simons, IP = XX.XXX.X.XXX, Connection terminated for peer simons. Reason: IPSec SA Max time exceeded Remote Proxy XXX.XX.XXX.XXX, Local Proxy 0.0.0.0
Jan 20 2010 08:55:54: %ASA-4-113019: Group = MecV, Username = domain\simons, IP = XX.XXX.X.XXX, Session disconnected. Session Type: IPSecOverNatT, Duration: 1h:00m:02s, Bytes xmt: 4592002, Bytes rcv: 36523769, Reason: Max time exceeded
How do I change the timeout for this so the client remains connected until the idle timeout is exceeded? For now, the Group Policy MecV has been reset with unlimited idle and connection times.
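The disconnect records quoted in the post above can be checked in bulk to confirm that sessions are being cut at a fixed lifetime rather than on idleness. This is an added example, not part of the original thread: it parses %ASA-4-113019 lines and reports each group whose "Max time exceeded" sessions all ended at the same lifetime. The sample log lines are constructed, the function names are hypothetical, and the optional day field in the duration is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample syslog in the layout quoted in the post (the first 113019
# line reuses the post's values; IPs are documentation addresses).
SAMPLE_LOG = r"""
Jan 20 2010 08:55:54: %ASA-5-713050: Group = MecV, Username = simons, IP = 192.0.2.10, Connection terminated for peer simons. Reason: IPSec SA Max time exceeded Remote Proxy 192.0.2.10, Local Proxy 0.0.0.0
Jan 20 2010 08:55:54: %ASA-4-113019: Group = MecV, Username = domain\simons, IP = 192.0.2.10, Session disconnected. Session Type: IPSecOverNatT, Duration: 1h:00m:02s, Bytes xmt: 4592002, Bytes rcv: 36523769, Reason: Max time exceeded
Jan 20 2010 09:57:10: %ASA-4-113019: Group = MecV, Username = domain\simons, IP = 192.0.2.10, Session disconnected. Session Type: IPSecOverNatT, Duration: 1h:00m:03s, Bytes xmt: 120331, Bytes rcv: 884120, Reason: Max time exceeded
Jan 20 2010 10:15:41: %ASA-4-113019: Group = MecV, Username = domain\jones, IP = 192.0.2.22, Session disconnected. Session Type: IPSecOverNatT, Duration: 0h:12m:30s, Bytes xmt: 2048, Bytes rcv: 4096, Reason: User Requested
"""

RECORD = re.compile(
    r"%ASA-4-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), Session disconnected\. Session Type: (?P<type>[^,]+), "
    # Assumption: an optional day field; the post only shows h:m:s.
    r"Duration: (?:(?P<d>\d+)d\s*)?(?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<tx>\d+), Bytes rcv: (?P<rx>\d+), Reason: (?P<reason>.+?)\s*$"
)

def parse_disconnects(text):
    """Return one dict per 113019 line, with the duration in seconds."""
    records = []
    for line in text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue  # other message IDs (e.g. 713050) are skipped
        f = m.groupdict()
        secs = (int(f["d"] or 0) * 86400 + int(f["h"]) * 3600
                + int(f["m"]) * 60 + int(f["s"]))
        records.append({"group": f["group"], "user": f["user"], "type": f["type"],
                        "seconds": secs, "tx": int(f["tx"]), "rx": int(f["rx"]),
                        "reason": f["reason"]})
    return records

def enforced_lifetimes(records, tolerance=15):
    """Group -> minutes, when all its 'Max time exceeded' sessions share one lifetime."""
    by_group = defaultdict(list)
    for r in records:
        if r["reason"] == "Max time exceeded":
            by_group[r["group"]].append(r["seconds"])
    caps = {}
    for group, secs in by_group.items():
        minutes = round(secs[0] / 60)  # candidate lifetime in whole minutes
        if all(abs(s - minutes * 60) <= tolerance for s in secs):
            caps[group] = minutes
    return caps

if __name__ == "__main__":
    for group, minutes in enforced_lifetimes(parse_disconnects(SAMPLE_LOG)).items():
        print(f"{group}: sessions end at a fixed {minutes}-minute lifetime")
```

A group reported here with non-zero byte counts on the affected sessions points at a maximum connection time being enforced, since the sessions were active when they ended.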
01-20-2010 12:01 PM
In ASDM, under Group Policy - Choose your Group Policy - General - More Options - There is Max Connect Time and Idle time out settings.
01-20-2010 12:18 PM
I have already set Maximum Connect Time: and Idle Timeout: to Unlimited in Group Policy. This had no effect. The disconnect is caused by the Connection Time Out setting when looking at the vpn-sessiondb details of the remote clients.