VPN Client + IPSEC disconnection

ROBERT CROOKS
Level 1

I am having trouble diagnosing (or even understanding why it happens) a software VPN IPSEC disconnection problem to a PIX 515. I have several (20) salesmen roaming about using the latest VPN client 3.5.x, and when they use dialup, they get an IPSEC disconnection error. It could happen once during a session, or 10 times. People using the same client over a broadband connection get the same error, but not as often, or not at all. The first thing that I thought was that the dialup connection was being dropped, but it never does. I have split-tunneling enabled on the connections. Has anyone else seen this situation? Could someone point me to where I should start looking? The strange thing is that IPSEC could be dropped at the beginning of a session, or 10 minutes after the tunnel has been established. I'm stunned.

Thanks

1 Reply

chris.bodnar
Level 1

You may want to tell the client to try this, assuming they are using Cisco VPN Clients for Windows:

Allowing the VPN Client to Work Through ESP-Aware NAT/Firewalls

When using the VPN Client behind an ESP-aware NAT/Firewall, the port on the NAT/Firewall device may be closed due to the VPN Client’s keepalive implementation, called DPD (Dead Peer Detection). When a Client is idle, it does not send a keepalive until it sends data and gets no response.

To allow the VPN Client to work through ESP-aware NAT/Firewalls, add the following parameter and setting to the [Main] section of any *.pcf (profile configuration file) for the affected connection profile.

ForceKeepAlives=1

This parameter enables IKE and ESP keepalives for the connection at approximately 20 second intervals.

For more information, see “Connection Profile Configuration Parameters” in the VPN Client Administrator Guide.
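An added example, not part of the reply above and not Cisco's own code: a Python helper that applies the suggested change to the text of a .pcf profile, setting ForceKeepAlives=1 in the [Main] section whether the key is missing or already present with another value, and leaving every other line and the line endings alone. The function name and the sample profile contents are constructed for illustration.

```python
import re

SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
# An optional leading "!" (the profile's read-only marker) is preserved.
KEY = re.compile(r"^(\s*!?)ForceKeepAlives\s*=.*$", re.IGNORECASE)


def force_keepalives(pcf_text):
    """Return (new_text, changed) with ForceKeepAlives=1 set in [Main]."""
    newline = "\r\n" if "\r\n" in pcf_text else "\n"
    lines = pcf_text.splitlines()
    main_at = None   # index of the [Main] header line
    in_main = False
    found = False
    for i, line in enumerate(lines):
        sec = SECTION.match(line)
        if sec:
            # Section names are compared case-insensitively ([Main] / [main]).
            in_main = sec.group(1).strip().lower() == "main"
            if in_main and main_at is None:
                main_at = i
            continue
        key = KEY.match(line)
        if in_main and key:
            # Key already present in [Main]: force its value to 1.
            lines[i] = key.group(1) + "ForceKeepAlives=1"
            found = True
    if main_at is None:
        raise ValueError("profile has no [Main] section")
    if not found:
        # Key absent: add it directly under the [Main] header.
        lines.insert(main_at + 1, "ForceKeepAlives=1")
    tail = newline if pcf_text.endswith(("\n", "\r")) else ""
    new_text = newline.join(lines) + tail
    return new_text, new_text != pcf_text


# Constructed sample profile (not taken from the thread).
SAMPLE_PCF = (
    "[main]\n"
    "Description=Constructed sample profile\n"
    "Host=vpn.example.com\n"
    "ForceKeepAlives=0\n"
)

if __name__ == "__main__":
    updated, changed = force_keepalives(SAMPLE_PCF)
    print("changed:", changed)
    print(updated, end="")
```

The second return value is False when a profile already carries the setting, so the helper can be run over a set of profiles to find the ones that still need it.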