Solved

Cisco ASA 5505 VPN Connection Stability

Posted on 2009-07-06
395 Views
Last Modified: 2012-05-07
Having an issue where some remote users get kicked off after just a few minutes. Cannot replicate this myself, yet a user in Florida is having this issue, as is a user in Cali.
vpnissue.jpg
0
Question by:richardjones1025
26 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24785686
If the clients cannot reach the ASA, then they may have upstream problems with their respective providers.

Presuming that all clients use the same phase 1 and phase 2 configuration, the ASA is most likely not the problem.

If the working clients use a different configuration than the non-working clients, compare your crypto configuration and check the timeout.

Do your ASA logs show anything?
0
 

Author Comment

by:richardjones1025
ID: 24785697
The person connects fine; after a minute or two they lose connection with that error. All the logs show is them connecting and them disconnecting.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24785794
Are the working users and the non-working users using the exact same crypto configuration on the ASA?

Are there differences in the version of the client software between the two?

Have you run debug on a specific connection?
    term mon
    debug crypto isakmp
    debug crypto ipsec
    debug crypto engine
0
 

Author Comment

by:richardjones1025
ID: 24785810
The client laptops are just using the client program that came with the device on the host end.
0
 

Author Comment

by:richardjones1025
ID: 24785813
How do you do this?
Have you run debug on a specific connection?
    term mon
    debug crypto isakmp
    debug crypto ipsec
    debug crypto engine
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24785901
You don't.  You have one of the clients that is exhibiting a problem get ready for a connection, run those commands from command line, have the client perform the connection and then capture the debug traffic.

When you're done, from command line:
   no debug all

If you're using the GUI, there should be an option to run command line statements.  I do not like the GUI and do not use it, so I'm not much help there.

As far as the client VPN software -- all clients are running the same release of the Cisco client VPN software?  Is there any other difference, like client OS?
0
 

Author Comment

by:richardjones1025
ID: 24785929
all using XP and Cisco v.5
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24786037
If everything is the same (you haven't indicated if the non-working clients are using the same crypto config as the working clients), then we need to see the debug of a specific connection that is terminating after 1 or 2 minutes.
0
 

Author Comment

by:richardjones1025
ID: 24786063
There is no config on their end... they are using the same client with the same user name, password, tunnel name and tunnel password.
0
 

Author Comment

by:richardjones1025
ID: 24786068
......I'm working on getting the debug info.
0
 

Author Comment

by:richardjones1025
ID: 24786453
Where is the term program at?

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>cd c:\

C:\>term mon
'term' is not recognized as an internal or external command,
operable program or batch file.

C:\>
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24786585
You run these commands via the CLI on the ASA via telnet, ssh or console (if console, 'term mon' not needed).

We need to see what the ASA thinks about the connection.
0
 

Author Comment

by:richardjones1025
ID: 24787451
Here is the data requested from the client end:
VPNlog.txt
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24787523
And in the client firewall are you allowing protocol 132 from the destination public IP address?
0
 

Author Comment

by:richardjones1025
ID: 24787534
should be allow any from any
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24787594
So, does this mean that the firewall on the client is turned off?  Or turned on and everything is allowed in?
0
 

Author Comment

by:richardjones1025
ID: 24787646
off
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24787814
Forget the protocol 132 -- that was another problem.

From the logs:

118    09:12:33.734  07/06/09  Sev=Info/4       CM/0x63100013
Phase 1 SA deleted cause by DEL_REASON_PEER_NOT_RESPONDING.  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

So, what I would do to start with is have a ping going to the destination public IP and watch to see if the ping times out when the tunnel dies.
0
 

Author Comment

by:richardjones1025
ID: 24788239
Doing it now.
Had 1 time out
Second 1
Third 1
fourth one close to third

started vpn.
Ping is now timing out all the time.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24788319
Can you get two tunnels going at roughly the same exact time:  one known working tunnel and one non-working tunnel.  Do the ping for both.

If the working tunnel continues to work and that ping continues to work, then the problem is with the provider of the non-working locations.
0
 

Author Comment

by:richardjones1025
ID: 24788332
I'll try.
0
 

Author Comment

by:richardjones1025
ID: 24788725
I started the ping, watched it for a minute or so. 97% of the pings worked maybe more.
I saw a few fail.
I started the vpn and made the connection and the ping quit working.
The vpn connection lasted 1 minute and 38 seconds and then it ended.

Somewhere in that time I lost internet and e-mail.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24788785
When you start the VPN, ping your VPN gateway and monitor that in conjunction with the VPN.

3% isn't bad but it isn't all that great, either.  
0
 

Author Comment

by:richardjones1025
ID: 24788853
This is the log with the dual tunnel as instructed:
VPN2.log
0
 
LVL 28

Accepted Solution

by:
Jan Springer earned 500 total points
ID: 24788926
Unable to establish Phase 1 SA with server "12.236.137.68" because of "DEL_REASON_WE_FAILED_AUTH"

Failed due to authentication.
0
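As an added example (not from the thread or from Cisco), a small triage script that reads Cisco VPN Client log records in the two-line layout quoted above and separates "peer not responding" drops (a connectivity symptom) from "we failed auth" drops (a credential/group password mismatch on the ASA). The sample records, the severity/component code on the second record, the server IP and the triage mapping are constructed assumptions.

```python
"""Triage Cisco VPN Client log excerpts for Phase 1 SA failures.

Records are a header line (seq, time, date, severity, component/code)
followed by one message line, as in the client logs posted above.
"""
import re

# Header line, e.g. "118    09:12:33.734  07/06/09  Sev=Info/4       CM/0x63100013"
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{2})"
    r"\s+Sev=(?P<sev>\w+/\d)\s+(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]+)$"
)
REASON_RE = re.compile(r"DEL_REASON_[A-Z_]+")

# Assumed triage mapping (my own classification, not Cisco documentation).
TRIAGE = {
    "DEL_REASON_PEER_NOT_RESPONDING": "connectivity: path to the ASA lost, ping the gateway during the drop",
    "DEL_REASON_WE_FAILED_AUTH": "authentication: group/user credentials rejected by the ASA",
}

def parse_records(text):
    """Yield (header_fields, message) pairs; blank separator lines are skipped."""
    lines = [l for l in text.splitlines() if l.strip()]
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i].rstrip())
        if m and i + 1 < len(lines):
            yield m.groupdict(), lines[i + 1].strip()
            i += 2
        else:
            i += 1  # not a header: skip stray line

def triage(text):
    """Return (time, DEL_REASON token, verdict) for each Phase 1 SA failure found."""
    findings = []
    for hdr, msg in parse_records(text):
        r = REASON_RE.search(msg) if "Phase 1 SA" in msg else None
        if r:
            findings.append((hdr["time"], r.group(0),
                             TRIAGE.get(r.group(0), "unknown reason: check ASA-side debug")))
    return findings

# Constructed sample: first record mirrors the thread, second uses TEST-NET address 203.0.113.1.
SAMPLE_LOG = """\
118    09:12:33.734  07/06/09  Sev=Info/4       CM/0x63100013
Phase 1 SA deleted cause by DEL_REASON_PEER_NOT_RESPONDING.  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

42     10:01:05.120  07/06/09  Sev=Warning/2    IKE/0x63000061
Unable to establish Phase 1 SA with server "203.0.113.1" because of "DEL_REASON_WE_FAILED_AUTH"
"""

if __name__ == "__main__":
    for t, reason, verdict in triage(SAMPLE_LOG):
        print(f"{t} {reason}: {verdict}")
```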
 

Author Closing Comment

by:richardjones1025
ID: 31600186
best answer
0
