Solved

Cisco ASA 5505 VPN Connection Stability

Posted on 2009-07-06
26
391 Views
Last Modified: 2012-05-07
Having an issue where some remote users get kicked off after just a few minutes. Cannot replicate this myself, yet a user in Florida is having this issue, as is a user in Cali.
vpnissue.jpg
Question by:richardjones1025
26 Comments
 
LVL 28

Expert Comment

by:Jan Springer
If the clients cannot reach the ASA, then they may have upstream problems with their respective providers.

Presuming that all clients use the same phase 1 and phase 2 configuration, the ASA is most likely not the problem.

If the working clients use a different configuration than the non-working clients, compare your crypto configuration and check the timeout.

Do your ASA logs show anything?
 

Author Comment

by:richardjones1025
The person connects fine; after a minute or two they lose connection with that error. All the logs show is them connecting and them disconnecting.
 
LVL 28

Expert Comment

by:Jan Springer
Are the working users and the non-working users using the exact same crypto configuration on the ASA?

Are there differences in the version of the client software between the two?

Have you run debug on a specific connection?
    term mon
    debug crypto isakmp
    debug crypto ipsec
    debug crypto engine
 

Author Comment

by:richardjones1025
The client laptops are just using the client program that came with the device on the host end.
 

Author Comment

by:richardjones1025
How do you do this?
Have you run debug on a specific connection?
    term mon
    debug crypto isakmp
    debug crypto ipsec
    debug crypto engine
 
LVL 28

Expert Comment

by:Jan Springer
You don't.  You have one of the clients that is exhibiting a problem get ready for a connection, run those commands from command line, have the client perform the connection and then capture the debug traffic.

When you're done, from command line:
   no debug all

If you're using the GUI, there should be an option to run command line statements.  I do not like the GUI and do not use it, so I'm not much help there.

As far as the client VPN software -- all clients are running the same release of the Cisco client VPN software?  Is there any other difference, like client OS?
 

Author Comment

by:richardjones1025
All using XP and Cisco v.5.
 
LVL 28

Expert Comment

by:Jan Springer
If everything is the same (you haven't indicated if the non-working clients are using the same crypto config as the working clients), then we need to see the debug of a specific connection that is terminating after 1 or 2 minutes.
 

Author Comment

by:richardjones1025
There is no config on their end... they are using the same client with the same user name, password, tunnel name and tunnel password.
 

Author Comment

by:richardjones1025
...I'm working on getting the debug info.
 

Author Comment

by:richardjones1025
Where is the term program at?

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>cd c:\

C:\>term mon
'term' is not recognized as an internal or external command,
operable program or batch file.

C:\>
 
LVL 28

Expert Comment

by:Jan Springer
You run these commands via the CLI on the ASA via telnet, ssh or console (if console, 'term mon' not needed).

We need to see what the ASA thinks about the connection.
 

Author Comment

by:richardjones1025
Here is the data requested from the client end.
VPNlog.txt
 
LVL 28

Expert Comment

by:Jan Springer
And in the client firewall are you allowing protocol 132 from the destination public IP address?
 

Author Comment

by:richardjones1025
Should be allow any from any.
 
LVL 28

Expert Comment

by:Jan Springer
So, does this mean that the firewall on the client is turned off?  Or turned on and everything is allowed in?
 

Author Comment

by:richardjones1025
Off.
 
LVL 28

Expert Comment

by:Jan Springer
Forget the protocol 132 -- that was another problem.

From the logs:

118    09:12:33.734  07/06/09  Sev=Info/4       CM/0x63100013
Phase 1 SA deleted cause by DEL_REASON_PEER_NOT_RESPONDING.  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

So, what I would do to start with is have a ping going to the destination public IP and watch to see if the ping times out when the tunnel dies.
 

Author Comment

by:richardjones1025
Doing it now.
Had 1 time out
Second 1
Third 1
fourth one close to third

started vpn.
Ping is now timing out all the time.
 
LVL 28

Expert Comment

by:Jan Springer
Can you get two tunnels going at roughly the same exact time:  one known working tunnel and one non-working tunnel.  Do the ping for both.

If the working tunnel continues to work and that ping continues to work, then the problem is with the provider of the non-working locations.
 

Author Comment

by:richardjones1025
I'll try.
 

Author Comment

by:richardjones1025
I started the ping, watched it for a minute or so. 97% of the pings worked maybe more.
I saw a few fail.
I started the vpn and made the connection and the ping quit working.
The vpn connection lasted 1 minute and 38 seconds and then it ended.

Somewhere in that time I lost internet and e-mail.
 
LVL 28

Expert Comment

by:Jan Springer
When you start the VPN, ping your VPN gateway and monitor that in conjunction with the VPN.

3% isn't bad but it isn't all that great, either.
 

Author Comment

by:richardjones1025
This is the log with the dual tunnel as instructed.
VPN2.log
 
LVL 28

Accepted Solution

by:Jan Springer (earned 500 total points)
Unable to establish Phase 1 SA with server "12.236.137.68" because of "DEL_REASON_WE_FAILED_AUTH"

Failed due to authentication.
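Added example, not from the thread or from Cisco: a small Python parser for the Cisco VPN client log format quoted above. It pairs each header line with its message, pulls out the DEL_REASON_* code, and maps the two reasons that came up in this thread (peer not responding, authentication failure) to where each one points the troubleshooting. The sample log is constructed; only event 118 is copied from the thread, and the address 192.0.2.10 and the other event codes are placeholders.

```python
import re
from typing import Dict, List, Optional

# Cisco VPN client log header, as quoted in the thread: "<seq> <time> <date> Sev=<Level>/<n> <Module>/<hex code>"
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d{3})\s+\d\d/\d\d/\d\d"
    r"\s+Sev=(?P<sev>\w+)/\d\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]+)\s*$"
)
REASON_RE = re.compile(r"DEL_REASON_[A-Z_]+")

def parse_events(text: str) -> List[dict]:
    """Pair each header line with the message line(s) that follow it."""
    events: List[dict] = []
    cur: Optional[dict] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"seq": int(m["seq"]), "time": m["time"], "sev": m["sev"],
                   "module": m["module"], "code": m["code"], "message": ""}
            events.append(cur)
        elif cur is not None and line.strip():
            # Continuation lines belong to the most recent header.
            cur["message"] = (cur["message"] + " " + line.strip()).strip()
    return events

def del_reason(event: dict) -> Optional[str]:
    """The DEL_REASON_* token in a Phase 1 teardown message, if any."""
    m = REASON_RE.search(event["message"])
    return m.group(0) if m else None

# Where each Phase 1 teardown reason seen in the thread points the troubleshooting.
CAUSE: Dict[str, str] = {
    "DEL_REASON_PEER_NOT_RESPONDING": "path: peer stopped answering, ping the gateway while the tunnel is up",
    "DEL_REASON_WE_FAILED_AUTH": "auth: group or user credentials rejected by the ASA",
}

def diagnose(text: str) -> List[tuple]:
    """(seq, reason, pointer) for every event that carries a DEL_REASON_* code."""
    found = [(e["seq"], del_reason(e)) for e in parse_events(text) if del_reason(e)]
    return [(seq, r, CAUSE.get(r, "other")) for seq, r in found]

# Constructed sample in the thread's log format; event 118 is from the thread, the rest are placeholders.
SAMPLE_LOG = """\
118    09:12:33.734  07/06/09  Sev=Info/4       CM/0x63100013
Phase 1 SA deleted cause by DEL_REASON_PEER_NOT_RESPONDING.  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
119    09:14:10.551  07/06/09  Sev=Warning/2    IKE/0x63000002
Unable to establish Phase 1 SA with server "192.0.2.10" because of "DEL_REASON_WE_FAILED_AUTH"
"""
```

Running `diagnose(open("VPNlog.txt").read())` over a saved client log lists every Phase 1 teardown with its reason, which is the line Jan pulled out by hand above.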
 

Author Closing Comment

by:richardjones1025
Best answer.