I've got a problem. We have a site-to-site VPN tunnel connected with our client. Usually the users connect to a remote virtual desktop (may be VMware) through the L2L tunnel. The problem is that the remote desktop gets disconnected intermittently (around 4 to 5 times a day) and automatically reconnects after around 40 seconds or so. I can't find any problem with the L2L tunnel, as it has been showing as up for the last 6 hours or so. Also, there are no packet drops (RTO) when I ping the peer IP.
If anyone has any idea what's going on, please let me know.
This is hard to tell without further data. One possibility might be that the ASA connection timeout, which is 1 hour by default, kicks in if the remote virtual desktop connections within the tunnel are idle for a long time (i.e. >1 hour).
Please find further information on default timeouts on ASA and how to modify them here:
As a first test, I would propose increasing the connection timeout for the remote virtual desktop connections only, via MPF, using the "set connection timeout idle" command as described here:
As the new timeout, I would select a value larger than the time after which you see connections dropping now.
Further useful commands to troubleshoot this would be "show conn" and "show local-host":
If the above doesn't help, I would recommend to open a TAC case, as we would need to look into simultaneous captures from the client, the client-side ASA and the server-side ASA plus syslogs from both ASAs next.
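An added example, not part of the original reply, showing what the MPF change suggested above could look like on the ASA. The addresses, the TCP port, the ACL and class names, and the 2-hour value are all placeholder assumptions to adapt; it also assumes the default `global_policy` is still applied globally.

```cisco
! Constructed example. 10.10.0.0/24 (local users), 192.0.2.50 (remote desktop
! host) and TCP/3389 are placeholders; use the real display-protocol port.
access-list VDI_TRAFFIC extended permit tcp 10.10.0.0 255.255.255.0 host 192.0.2.50 eq 3389
!
! Match only the remote desktop flows so other traffic keeps the default timeout.
class-map VDI_CLASS
 match access-list VDI_TRAFFIC
!
! Raise the idle timeout for that class only (hh:mm:ss).
policy-map global_policy
 class VDI_CLASS
  set connection timeout idle 2:00:00
!
! Verify the class is matching, then watch the idle timers of the affected flows.
show service-policy
show conn address 192.0.2.50
show local-host 192.0.2.50
```

In the `show conn` output, the `idle` field of each remote desktop connection shows how long it has gone without traffic, which indicates whether the drops line up with an idle timer at all.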
Thanks for the response. I may be wrong, but I think there should be no problem with the connection timeout value, as the problem occurs even while active work is going on. When the remote desktop connectivity is lost, there is a slight pause (a frozen desktop or delay), then a pop-up message: "connectivity lost trying to reconnect".
@Reyad we are using a static IP address (for the peer IP).
I agree, if the issue occurs even while users are actively working on the remote desktop, this is very unlikely to be a timeout issue.
As such, we would need to look into simultaneous packet captures and syslogs from both tunnel endpoints and the client now. I would thus recommend to open a TAC case regarding this. When opening the case, please upload the following data:
Please find further information on packet captures on ASA here:
If you are unsure how to collect the captures exactly, the TAC engineer will provide further guidance.