
VPN Client to PIX

jmaestrale
Level 1

Does anyone know if there is a problem with long-term VPN connections to the PIX with the VPN client? Users can stay connected (over DSL or cable) for a few hours, then get bumped. Also, at what interval do the reapers messages get sent out, and how many can you miss before the tunnel is torn down?

Thanks

3 Replies

awaheed
Cisco Employee

Hi,

I think it might just be a case of the clients going past the idle timeout value; you can set this on the PIX configuration for them not to time out by setting the value to 0. Additionally, anything above v6.x on the PIX will have the DPD messages between the two sides, and missing 5 DPDs will cause the connection to be terminated.

Hope this helps,

Regards,

Aamir

-=-

chris.bodnar
Level 1

I'm not sure this is your exact problem, but it may help. I found this in the Release Notes for Cisco VPN Client for Windows release 3.5.1, page 9.

Just do a Find File on *.pcf to find the file mentioned below.

Allowing the VPN Client to Work Through ESP-Aware NAT/Firewalls

When using the VPN Client behind an ESP-aware NAT/Firewall, the port on the NAT/Firewall device may be closed due to the VPN Client’s keepalive implementation, called DPD (Dead Peer Detection). When a Client is idle, it does not send a keepalive until it sends data and gets no response.

To allow the VPN Client to work through ESP-aware NAT/Firewalls, add the following parameter and setting to the [Main] section of any *.pcf (profile configuration file) for the affected connection profile.

ForceKeepAlives=1

This parameter enables IKE and ESP keepalives for the connection at approximately 20 second intervals.

For more information, see “Connection Profile Configuration Parameters” in the VPN Client Administrator Guide.

On the client machine, do a search for *.pcf and bring up that file; at the bottom, where it says forcekeepalives, set that to 1. Then, when you have the client VPN dialer up, go to Options and Properties and set the peer response timeout to 480.
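
The profile change described in the replies above can be applied to many profiles with a small script. This is an added example, not part of the original posts or of Cisco's release notes; the function name `force_keepalives` and the sample profile are constructed for illustration, and the handling of a leading "!" on the parameter name is an assumption about read-only entries.

```python
import re

SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
# A leading "!" (read-only marker in some profiles) is kept if present.
KEEPALIVE = re.compile(r"^(\s*!?ForceKeepAlives\s*=).*$", re.IGNORECASE)

# Constructed sample profile; host and values are placeholders.
SAMPLE_PCF = """[Main]
Description=Constructed sample profile
Host=vpn.example.com
ForceKeepAlives=0
"""


def force_keepalives(pcf_text):
    """Return pcf_text with ForceKeepAlives=1 in [Main]; other lines untouched."""
    out, in_main, insert_at, done = [], False, None, False
    for line in pcf_text.splitlines():
        header = SECTION.match(line)
        if header:
            in_main = header.group(1).strip().lower() == "main"
            if in_main and insert_at is None:
                out.append(line)
                insert_at = len(out)  # position right after the first [Main]
                continue
        elif in_main:
            hit = KEEPALIVE.match(line)
            if hit:
                if done:
                    continue  # drop duplicate entries in [Main]
                line, done = hit.group(1) + "1", True
        out.append(line)
    if insert_at is None:  # profile has no [Main] section at all
        out = ["[Main]", "ForceKeepAlives=1"] + out
    elif not done:  # section exists but the parameter is missing
        out.insert(insert_at, "ForceKeepAlives=1")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(force_keepalives(SAMPLE_PCF), end="")
```

The function returns text with LF line endings, so convert when writing back if the profile must keep CRLF.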