VPN disconnects after lack of use... in Virtual Private Networking

VPN disconnects after lack of use... in Virtual Private Networking http://www.dslreports.com/forum/r21157482 en Wed, 11 Nov 2009 04:23:36 EDT Wed, 11 Nov 2009 04:23:36 EDT Re: VPN disconnects after lack of use... http://www.dslreports.com/forum/remark,21365952 devicemanage : I meant to update this sooner but we put the most recent vpn client on and everything seems to be ok.
--
»www.devicemanager.net]]> http://www.dslreports.com/forum/remark,21365952 Sun, 02 Nov 2008 20:05:54 EDT Re: VPN disconnects after lack of use... http://www.dslreports.com/forum/remark,21162117 tubbynet : murphy's law my friend - well...a corralary to that. i like to call it the cisco paradox, but stick in whatever manufacturer that you are working on at the time

said by Murphy's Law :

If something can go wrong it will.

said by Cisco Paradox :

If something has gone wrong, it will ultimately work for no apparent reason during the course of troubleshooting.

said by Tubby's Corollary to the Cisco Paradox :

If troubleshooting can go wrong, it will.

q.

q.]]> http://www.dslreports.com/forum/remark,21162117 Wed, 24 Sep 2008 15:53:22 EDT Re: VPN disconnects after lack of use... http://www.dslreports.com/forum/remark,21161721 devicemanage : VPN has not dropped the whole time since I read you post - unbelieveable right? I will get it as soon as it drops...
--
»www.devicemanager.net]]> http://www.dslreports.com/forum/remark,21161721 Wed, 24 Sep 2008 14:46:37 EDT Re: VPN disconnects after lack of use... http://www.dslreports.com/forum/remark,21161225 tubbynet : i understand the upgrading. i was going to suggest that if you were on the 7.x train - but going from 6.x to 7.x is a pain at times (most of the "at times" :-))

we'll see what the log says and go from there.

q.]]> http://www.dslreports.com/forum/remark,21161225 Wed, 24 Sep 2008 13:20:42 EDT Re: VPN disconnects after lack of use... http://www.dslreports.com/forum/remark,21161208 devicemanage : LOL! I hear ya man, this has even stumped the cisco engineers. They did want me to upgrade to the newer ios but it is going to be a pain because we have conduits in there and the config is a mile long. I will do it. The strangest thing is the vpn client doesn't disconnect until they go to use the application. The log says the isakmp key could not renew or something like that. But I cant understand what would cause it to stay up and connected. Our software even shows a screen as connected. But the second the user attempts to change the screen - thats when it craps out and disconnects the vpn. Freaking weird bro!
--
»www.devicemanager.net]]> http://www.dslreports.com/forum/remark,21161208 Wed, 24 Sep 2008 13:17:59 EDT Re: VPN disconnects after lack of use... http://www.dslreports.com/forum/remark,21161093 tubbynet :

said by devicemanage :
Another thing, I have many different users meaning multiple vpngroups,ip pools etc... I also have the vac card in there which is suppose to allow me 2000 connections. I might have close to 65 on it right now.

what you have is more than sufficient. i've had about 20 peers on a 506e running on a frac ds3 (like around 12meg or so i believe) as a poc for a customer. they were going to spend hella moneies upgrading their pix-es (pix-i?) to some redundant asa's but didn't have enough until the budget cycle was renewed. while the 506e was certainly moving along, it did hold. none of the vpn peers experience any real slowdown (they were on symmetric 512k lines) nor did the timeouts occur.

out of curiousity - is it the same users all the time? i'm just thinking about line noise or something causing a hiccup. additionally - if you could utilize the "logging" feature of the problem peers (clear the log, initiate the connection, then when the connection drops, post the log) so we can see what the *client* is seeing from the pix at the time of disconnect.

i'm not going to bs you - this kinda has me stumped. i'm just going to try and take you through the same process that i use when i have vpn tunnel issues like this. so bear with me and enjoy the ride.

q.]]> http://www.dslreports.com/forum/remark,21161093 Wed, 24 Sep 2008 13:01:30 EDT Re: VPN disconnects after lack of use... http://www.dslreports.com/forum/remark,21159820 devicemanage : Another thing, I have many different users meaning multiple vpngroups,ip pools etc... I also have the vac card in there which is suppose to allow me 2000 connections. I might have close to 65 on it right now. The firewall is under minimal load all day long and we do not use much bandwidth either. The aplication uses 5k transfer rate at most and I have a ds3 connection supporting it.
--
»www.devicemanager.net]]> http://www.dslreports.com/forum/remark,21159820 Wed, 24 Sep 2008 09:26:52 EDT Re: VPN disconnects after lack of use... http://www.dslreports.com/forum/remark,21159363 devicemanage : I am doing that now but I am still hearing about complaints. It worked for me in house testing but for some reason users don't see it that way.]]> http://www.dslreports.com/forum/remark,21159363 Wed, 24 Sep 2008 07:01:59 EDT Re: VPN disconnects after lack of use... http://www.dslreports.com/forum/remark,21158637 tubbynet : everything looks good...
i thought i read something somewhere about having the max-time and idle-time the same can cause issues, but i can't remember what version that was listed for.

out of curiousity - if you run a constant ping to a device across the vpn from the remote endpoint, does it still drop off?

q.]]> http://www.dslreports.com/forum/remark,21158637 Tue, 23 Sep 2008 23:34:49 EDT Re: VPN disconnects after lack of use... http://www.dslreports.com/forum/remark,21157980 devicemanage : ios is 6.3(5)

here's the configs - if you need the acl's let me know.

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup township_VPN address-pool township_VPNPOOL
vpngroup township_VPN dns-server 192.168.100.15 192.168.100.16
vpngroup township_VPN default-domain township
vpngroup township_VPN split-tunnel township_VPN_splitTunnelAcl
vpngroup township_VPN idle-time 86400
vpngroup township_VPN max-time 86400
vpngroup township_VPN password ********
--
»www.devicemanager.net]]> http://www.dslreports.com/forum/remark,21157980 Tue, 23 Sep 2008 21:22:55 EDT Re: VPN disconnects after lack of use... http://www.dslreports.com/forum/remark,21157822 tubbynet : can you post the relevant parts of the config? maybe the os version of your 515?

q.]]> http://www.dslreports.com/forum/remark,21157822 Tue, 23 Sep 2008 20:52:03 EDT VPN disconnects after lack of use... http://www.dslreports.com/forum/remark,21157482 devicemanage : We currently run a cisco vpn client to our pix515e, we have split tunneling enabled and the timeouts set to maximum. Thru the vpn we run a telnet 3270 connection that connects to a host integration server that manages terminal numbers for our main frame via sna. We noticed that with out any rhyme or reason connections would disconnect, but this is how it happens...

The user will leave the workstation dormant for lets say a hour or so, when they come back the connection is still connected and right where they left it. When they attempt to say return to the main screen the system will freeze, disconnect the terminal session and then drop the vpn connection. While the system is freezing I have observed that internet is still available to the user. If they reconnect the vpn and then launch our application, all is well.

We are using the latest vpn client and have tried every version without any success. Im sure there arent many host integration users out there, but maybe this might be the best place for this.
--
»www.devicemanager.net]]> http://www.dslreports.com/forum/remark,21157482 Tue, 23 Sep 2008 19:53:14 EDT