Hi VPN Experts, I've recently moved a large (well, to me large) number of users to Cisco VPN using an ASA 5540 and AnyConnect. This group of users, (around 250) are all successful with two exceptions, and they are weird issues.
One user, connects just fine, can access all resources, but when running SAP, even though inactive in SAP but active in other VPN traffic, she periodically (randomly) disconnects from SAP, with the error of failed network connection. We have verified this does not happen on the old VPN, and we've timed it carefully, and the timing is random (sometimes 12 minutes, sometimes 63 minutes and everything in between). We've diagnosed and re-installed everything on her machine, yet this continues to happen. There are no disconnects on the VPN client, which would indicate an ISP problem, and I'm really stumped on what to try on this one... any ideas?
The other is possibly an ISP problem, but we're seeing one customer who uses the Cisco VPN and has frequent random disconnects, when the disconnect occurs he cannot access any network resources. He did not see this behavior with the old VPN client (AT&T) but this could be indicative of a sensitive ISP connection, do you agree? I'm thinking his internet connection has minor drops, and the Cisco client is very sensitive to it... it will reconnect but is there a way to lower the sensitivity to dropped packets a little for him? Or is this a universal setting?
Thanks in advance,
For first problem, you need a sniffer trace.
SAP used to rely on TCP keepalives to see which session are active or not.
There were some odd scenarios in which some devices would stupid responding to keeplaives "after some time"
Now to be honest I'm not aware of how changing client can cause this, but I would look at network level - see what's happening during disconnect, maybe it's just a question of disabling something or insreasing timers. Hard to say without more data ;]
It would be also good to know whether you're using SSL or DTLS.
2nd - Our VPN clients, be it anyconnect or old VPN client, are using DPDs so yes it could be that client could be affected more. For AC, You can try relaxing DPD and keepalive timers on ASA.
However the defaults are very decent, hardly anybody needs to adjust them.
Maybe it's something to be evaluated by ISP?
On the first one, still stumped... not sure I can affect settings like that, the SAP servers are pretty old and I have no control over them, so I'll ask but hard to say.
The second issue, I agree, the ISP needs involved, but being that the user is remote... difficult for me to engage them. I agree I shouldn't need to adjust DPD or keepalives, actually already tried the keepalives, made no difference.
I'll keep looking, if anyone else has any other ideas, feel free to pass along.
No solution has been found. The ISP has been ruled out. The only thing remaining is a potentially bad Windows install or a problem that recurs when installing the Cisco VPN. I've upgraded to the latest VPN Client and still no change.