03-22-2011 08:42 AM
Hello everyone,
I've got a problem. We are having a site-to-site VPN tunnel connected with our client. Usually the users connect to a remote virtual desktop (maybe VMware) through the L2L tunnel. The problem is that the remote desktop gets disconnected intermittently (around 4 to 5 times a day) and automatically reconnects after around 40 seconds or so. I can't find any problem with the L2L tunnel, as it is showing up for the last 6 hours or so. Also there are no packet drops (RTO) when I ping the peer IP.
If anyone has any idea what's going on, please let me know.
Thanks.
03-28-2011 04:19 AM
Hello Rooland,
This is hard to tell without further data. One possibility might be that the ASA connection timeout, which is 1 hour by default, kicks in if the remote virtual desktop connections within the tunnel are idle for a long time (i.e. >1 hour).
Please find further information on default timeouts on ASA and how to modify them here:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/t.html#wp1540870
As a first test, I would propose to increase the connection timeout for the remote virtual desktop connections only via MPF using the "set connection timeout idle" command as described here:
As the new timeout, I would select a value larger than the time after which you see connections dropping now.
Further useful commands to troubleshoot this would be "show conn" and "show local-host":
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s2.html#wp1396672
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s4.html#wp1487299
If the above doesn't help, I would recommend opening a TAC case, as we would next need to look into simultaneous captures from the client, the client-side ASA and the server-side ASA plus syslogs from both ASAs.
Regards,
Michael
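The MPF change Michael proposes, shown as an added configuration example that is not part of his post or the linked Cisco document. The ACL name, class-map name, policy-map name and the 3389/tcp match are assumptions chosen to illustrate matching only the remote-desktop traffic; the 4-hour value is an arbitrary illustration of "larger than the time after which you see connections dropping":

```text
! Match only the remote-desktop flows (assumed port: 3389/tcp) so the
! longer idle timeout does not apply to every connection through the ASA.
access-list RDP_LONG_IDLE extended permit tcp any any eq 3389

class-map RDP_CLASS
 match access-list RDP_LONG_IDLE

! Attach the per-class timeout to the existing global policy.
! The format is hh:mm:ss; the ASA default for "timeout conn" is 1:00:00.
policy-map global_policy
 class RDP_CLASS
  set connection timeout idle 4:00:00

service-policy global_policy global

! Verification: confirm the class is being hit and inspect the tracked
! connections and per-host state that Michael refers to.
show service-policy global
show conn
show local-host
```

Scoping the timeout to one class rather than raising the global "timeout conn" keeps the default idle limit for everything else, which limits how long stale flows stay in the connection table if the change turns out not to be the cause.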
03-28-2011 05:41 AM
Hi
I just want to ask whether you use a static or dynamic public IP address.
03-28-2011 08:12 AM
Hi Michael,
Thanks for the response. I may be wrong, but I think there should be no problem with the connection timeout value, as the problem occurs even while active work is going on. When the remote desktop connectivity is lost, there is a slight pause (a frozen desktop or delay) and then a pop-up message "connectivity lost, trying to reconnect".
@Reyad: we are using a static IP address (for the peer IP).
Regards,
Rooland
03-29-2011 12:35 AM
Hi Rooland,
I agree, if the issue occurs even while users are actively working on the remote desktop, this is very unlikely a timeout issue.
As such, we would now need to look into simultaneous packet captures and syslogs from both tunnel endpoints and the client. I would thus recommend opening a TAC case regarding this. When opening the case, please upload the following data:
Please find further information on packet captures on ASA here:
https://supportforums.cisco.com/docs/DOC-1222
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c1.html#wp2129312
If you are unsure on how to collect the captures exactly, the TAC engineer will provide further guidance.
Regards,
Michael
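The simultaneous-capture approach Michael describes, as an added example that is not part of his post or of the linked capture guides. The capture names, interface names and the two host addresses are assumptions; one such capture would be run on each ASA (client-side and server-side) at the same time, and the syslogs exported alongside:

```text
! Capture the remote-desktop flow on both sides of one ASA so a drop can be
! placed either inside the tunnel (outside capture) or on the LAN side.
! 10.1.1.10 = assumed client, 10.2.2.20 = assumed virtual desktop host.
capture CAP_IN  interface inside  match ip host 10.1.1.10 host 10.2.2.20
capture CAP_OUT interface outside match ip host 10.1.1.10 host 10.2.2.20

! Watch the capture fill while a user reproduces a disconnect.
show capture CAP_IN
show capture CAP_OUT

! Export both captures as pcap files for the TAC engineer (server is assumed).
copy /pcap capture:CAP_IN  tftp://192.0.2.50/CAP_IN.pcap
copy /pcap capture:CAP_OUT tftp://192.0.2.50/CAP_OUT.pcap

! Remove the captures afterwards so they do not keep consuming memory.
no capture CAP_IN
no capture CAP_OUT
```

Starting the captures on both ASAs before the next disconnect, and noting the wall-clock time of the "connectivity lost" pop-up, lets the syslogs from each firewall be lined up against the packets around the same 40-second gap.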