Cisco ASA 5505 VPN Connection Stability (Solved)

Posted on 2009-07-06
Last Modified: 2012-05-07
Having an issue where some remote users get kicked off after just a few minutes. I cannot replicate this myself, yet a user in Florida is having this issue, as is a user in Cali.
vpnissue.jpg
Question by: richardjones1025

26 Comments

Expert Comment by: Jan Springer (ID: 24785686)
If the clients cannot reach the ASA, then they may have upstream problems with their respective providers.

Presuming that all clients use the same phase 1 and phase 2 configuration, the ASA is most likely not the problem.

If the working clients use a different configuration than the non-working clients, compare your crypto configuration and check the timeout.

Do your ASA logs show anything?

Author Comment by: richardjones1025 (ID: 24785697)
The person connects fine; after a minute or two they lose the connection with that error. All the logs show is them connecting and them disconnecting.

Expert Comment by: Jan Springer (ID: 24785794)
Are the working users and the non-working users using the exact same crypto configuration on the ASA?

Are there differences in the version of the client software between the two?

Have you run debug on a specific connection?
    term mon
    debug crypto isakmp
    debug crypto ipsec
    debug crypto engine

Author Comment by: richardjones1025 (ID: 24785810)
The client laptops are just using the client program that came with the device on the host end.

Author Comment by: richardjones1025 (ID: 24785813)
How do you do this?
Have you run debug on a specific connection?
    term mon
    debug crypto isakmp
    debug crypto ipsec
    debug crypto engine

Expert Comment by: Jan Springer (ID: 24785901)
You don't.  You have one of the clients that is exhibiting a problem get ready for a connection, run those commands from command line, have the client perform the connection and then capture the debug traffic.

When you're done, from command line:
   no debug all

If you're using the GUI, there should be an option to run command line statements.  I do not like the GUI and do not use it, so I'm not much help there.

As far as the client VPN software -- all clients are running the same release of the Cisco client VPN software?  Is there any other difference, like client OS?

Author Comment by: richardjones1025 (ID: 24785929)
All using XP and Cisco v.5.

Expert Comment by: Jan Springer (ID: 24786037)
If everything is the same (you haven't indicated if the non-working clients are using the same crypto config as the working clients), then we need to see the debug of a specific connection that is terminating after 1 or 2 minutes.

Author Comment by: richardjones1025 (ID: 24786063)
There is no config on their end... they are using the same client with the same user name, password, tunnel name and tunnel password.

Author Comment by: richardjones1025 (ID: 24786068)
...I'm working on getting the debug info.

Author Comment by: richardjones1025 (ID: 24786453)
Where is the term program at?

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>cd c:\

C:\>term mon
'term' is not recognized as an internal or external command,
operable program or batch file.

C:\>

Expert Comment by: Jan Springer (ID: 24786585)
You run these commands via the CLI on the ASA via telnet, ssh or console (if console, 'term mon' not needed).

We need to see what the ASA thinks about the connection.

Author Comment by: richardjones1025 (ID: 24787451)
Here is the data requested from the client end.
VPNlog.txt

Expert Comment by: Jan Springer (ID: 24787523)
And in the client firewall are you allowing protocol 132 from the destination public IP address?

Author Comment by: richardjones1025 (ID: 24787534)
Should be allow any from any.

Expert Comment by: Jan Springer (ID: 24787594)
So, does this mean that the firewall on the client is turned off?  Or turned on and everything is allowed in?

Author Comment by: richardjones1025 (ID: 24787646)
Off.

Expert Comment by: Jan Springer (ID: 24787814)
Forget the protocol 132 -- that was another problem.

From the logs:

118    09:12:33.734  07/06/09  Sev=Info/4       CM/0x63100013
Phase 1 SA deleted cause by DEL_REASON_PEER_NOT_RESPONDING.  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

So, what I would do to start with is have a ping going to the destination public IP and watch to see if the ping times out when the tunnel dies.

Author Comment by: richardjones1025 (ID: 24788239)
Doing it now.
Had 1 timeout.
Second one.
Third one.
Fourth one close to the third.

Started the VPN.
Ping is now timing out all the time.

Expert Comment by: Jan Springer (ID: 24788319)
Can you get two tunnels going at roughly the same exact time: one known working tunnel and one non-working tunnel. Do the ping for both.

If the working tunnel continues to work and that ping continues to work, then the problem is with the provider of the non-working locations.

Author Comment by: richardjones1025 (ID: 24788332)
I'll try.

Author Comment by: richardjones1025 (ID: 24788725)
I started the ping and watched it for a minute or so. 97% of the pings worked, maybe more.
I saw a few fail.
I started the VPN, made the connection, and the ping quit working.
The VPN connection lasted 1 minute and 38 seconds and then it ended.

Somewhere in that time I lost internet and e-mail.

Expert Comment by: Jan Springer (ID: 24788785)
When you start the VPN, ping your VPN gateway and monitor that in conjunction with the VPN.

3% isn't bad but it isn't all that great, either.  

Author Comment by: richardjones1025 (ID: 24788853)
This is the log with the dual tunnel, as instructed.
VPN2.log

Accepted Solution by: Jan Springer (earned 500 total points; ID: 24788926)
Unable to establish Phase 1 SA with server "12.236.137.68" because of "DEL_REASON_WE_FAILED_AUTH"

Failed due to authentication.
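The two client-log lines quoted in this thread carry the whole diagnosis: DEL_REASON_PEER_NOT_RESPONDING means the gateway stopped answering (a path problem), while DEL_REASON_WE_FAILED_AUTH means the gateway answered and rejected the credentials. The script below is an added example, not code from the original thread, the poster, or Cisco. It parses Cisco VPN Client log records in the two-line layout quoted above (header line with sequence number, time, date, severity and source; message text on the next line), picks out every DEL_REASON event, and reports how long after the first record it happened. The sample logs are constructed for the example: apart from the two messages quoted in the thread and the CM/0x63100013 code, the sequence numbers, timestamps, the "Begin connection process" line and the other message codes are placeholders, and the REASON_HINT text is this example's reading of the two reasons, not Cisco documentation.

```python
"""Triage Cisco VPN Client logs: which DEL_REASON tore the tunnel down, and when.

Added example for this thread (not the original poster's or Cisco's code).
"""
import re
from datetime import datetime
from typing import Dict, List

# A client log record is two lines: a header, then the message text, e.g.
#   118    09:12:33.734  07/06/09  Sev=Info/4       CM/0x63100013
#   Phase 1 SA deleted cause by DEL_REASON_PEER_NOT_RESPONDING.  0 Crypto Active IKE SA, ...
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{2})"
    r"\s+Sev=(?P<sev>[A-Za-z]+/\d)\s+(?P<src>\S+)\s*$"
)
REASON_RE = re.compile(r"DEL_REASON_[A-Z_]+")

# Assumption: these hints are this example's reading of the two reasons quoted in
# the thread, not text from Cisco documentation.
REASON_HINT = {
    "DEL_REASON_PEER_NOT_RESPONDING": (
        "gateway stopped answering IKE/DPD: check the path (ISP, NAT, UDP 500/4500, ESP)"
    ),
    "DEL_REASON_WE_FAILED_AUTH": (
        "gateway rejected our authentication: check group name/pre-shared key and user credentials"
    ),
}


def parse_log(text: str) -> List[Dict]:
    """Pair each header line with the message line that follows it."""
    lines = text.splitlines()
    records = []
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1
            continue
        msg = lines[i + 1].strip() if i + 1 < len(lines) else ""
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S.%f")
        records.append({"seq": int(m["seq"]), "ts": ts, "sev": m["sev"],
                        "src": m["src"], "msg": msg})
        i += 2
    return records


def triage(text: str) -> Dict:
    """Return a verdict plus every DEL_REASON event with its offset from the first record."""
    records = parse_log(text)
    if not records:
        return {"verdict": "no records", "events": []}
    start = records[0]["ts"]
    events = []
    for r in records:
        m = REASON_RE.search(r["msg"])
        if m:
            reason = m.group(0)
            events.append({
                "seq": r["seq"],
                "reason": reason,
                "since_start": (r["ts"] - start).total_seconds(),
                "hint": REASON_HINT.get(reason, "unlisted reason: read the IKE lines just before it"),
            })
    reasons = {e["reason"] for e in events}
    # An auth failure is the stronger signal: the gateway is talking to us, so the
    # path is fine and the credentials are not. Classify it first.
    if "DEL_REASON_WE_FAILED_AUTH" in reasons:
        verdict = "authentication failure"
    elif "DEL_REASON_PEER_NOT_RESPONDING" in reasons:
        verdict = "peer unreachable"
    elif events:
        verdict = "other teardown"
    else:
        verdict = "no teardown seen"
    return {"verdict": verdict, "events": events}


# Constructed sample logs. The two DEL_REASON messages are the ones quoted in the
# thread; sequence numbers, timestamps, "Begin connection process" and the message
# codes other than CM/0x63100013 are placeholders, not captured data.
SAMPLE_PEER_NOT_RESPONDING = """\
1      09:10:55.120  07/06/09  Sev=Info/4       CM/0x63100002
Begin connection process

118    09:12:33.734  07/06/09  Sev=Info/4       CM/0x63100013
Phase 1 SA deleted cause by DEL_REASON_PEER_NOT_RESPONDING.  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
"""

SAMPLE_FAILED_AUTH = """\
12     09:40:01.003  07/06/09  Sev=Info/4       CM/0x63100002
Begin connection process

40     09:40:03.510  07/06/09  Sev=Warning/2    IKE/0xE3000099
Unable to establish Phase 1 SA with server "12.236.137.68" because of "DEL_REASON_WE_FAILED_AUTH"
"""

if __name__ == "__main__":
    for name, sample in (("peer", SAMPLE_PEER_NOT_RESPONDING), ("auth", SAMPLE_FAILED_AUTH)):
        result = triage(sample)
        print(name, "->", result["verdict"])
        for e in result["events"]:
            print(f"  seq {e['seq']} at +{e['since_start']:.3f}s: {e['reason']}: {e['hint']}")
```

Run it against a saved client log (`triage(open("VPNlog.txt").read())`) and read the offset alongside the verdict: a teardown about 98 seconds in with PEER_NOT_RESPONDING matches the "1 minute 38 seconds" the poster saw and points at the path, whereas WE_FAILED_AUTH a couple of seconds into the attempt says the gateway was reachable and the group or user credentials were wrong.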

Author Closing Comment by: richardjones1025 (ID: 31600186)
Best answer.