Cisco ASA 5505 VPN Connection Stability

Having an issue where some remote users get kicked off after just a few minutes. Cannot replicate this myself, yet a user in Florida is having this issue, as is a user in Cali.
vpnissue.jpg
richardjones1025 Asked:

Jan Springer Commented:
If the clients cannot reach the ASA, then they may have upstream problems with their respective providers.

Presuming that all clients use the same phase 1 and phase 2 configuration, the ASA is most likely not the problem.

If the working clients use a different configuration than the non-working clients, compare your crypto configuration and check the timeout.

Do your ASA logs show anything?
0
richardjones1025 Author Commented:
The person connects fine; after a minute or two they lose connection with that error. All the logs show is them connecting and them disconnecting.
0
Jan Springer Commented:
Are the working users and the non-working users using the exact same crypto configuration on the ASA?

Are there differences in the version of the client software between the two?

Have you run debug on a specific connection?
    term mon
    debug crypto isakmp
    debug crypto ipsec
    debug crypto engine
0
richardjones1025 Author Commented:
The client laptops are just using the client program that came with the device on the host end.
0
richardjones1025 Author Commented:
How do you do this?
Have you run debug on a specific connection?
    term mon
    debug crypto isakmp
    debug crypto ipsec
    debug crypto engine
0
Jan Springer Commented:
You don't.  You have one of the clients that is exhibiting a problem get ready for a connection, run those commands from command line, have the client perform the connection and then capture the debug traffic.

When you're done, from command line:
   no debug all

If you're using the GUI, there should be an option to run command line statements.  I do not like the GUI and do not use it, so I'm not much help there.

As far as the client VPN software -- all clients are running the same release of the Cisco client VPN software?  Is there any other difference, like client OS?
0
richardjones1025 Author Commented:
all using XP and Cisco v.5
0
Jan Springer Commented:
If everything is the same (you haven't indicated if the non-working clients are using the same crypto config as the working clients), then we need to see the debug of a specific connection that is terminating after 1 or 2 minutes.
0
richardjones1025 Author Commented:
There is no config on their end... they are using the same client with the same user name, password, tunnel name and tunnel password.
0
richardjones1025 Author Commented:
...I'm working on getting the debug info.
0
richardjones1025 Author Commented:
Where is the term program at?

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>cd c:\

C:\>term mon
'term' is not recognized as an internal or external command,
operable program or batch file.

C:\>
0
Jan Springer Commented:
You run these commands via the CLI on the ASA via telnet, ssh or console (if console, 'term mon' not needed).

We need to see what the ASA thinks about the connection.
0
richardjones1025 Author Commented:
Here is the data requested from the client end
VPNlog.txt
0
Jan Springer Commented:
And in the client firewall are you allowing protocol 132 from the destination public IP address?
0
richardjones1025 Author Commented:
should be allow any from any
0
Jan Springer Commented:
So, does this mean that the firewall on the client is turned off?  Or turned on and everything is allowed in?
0
richardjones1025 Author Commented:
off
0
Jan Springer Commented:
Forget the protocol 132 -- that was another problem.

From the logs:

118    09:12:33.734  07/06/09  Sev=Info/4       CM/0x63100013
Phase 1 SA deleted cause by DEL_REASON_PEER_NOT_RESPONDING.  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

So, what I would do to start with is have a ping going to the destination public IP and watch to see if the ping times out when the tunnel dies.
0
richardjones1025 Author Commented:
Doing it now.
Had 1 time out
Second 1
Third 1
fourth one close to third

started vpn.
Ping is now timing out all the time.
0
Jan Springer Commented:
Can you get two tunnels going at roughly the same exact time:  one known working tunnel and one non-working tunnel.  Do the ping for both.

If the working tunnel continues to work and that ping continues to work, then the problem is with the provider of the non-working locations.
0
richardjones1025 Author Commented:
I'll try
0
richardjones1025 Author Commented:
I started the ping, watched it for a minute or so. 97% of the pings worked maybe more.
I saw a few fail.
I started the vpn and made the connection and the ping quit working.
The vpn connection lasted 1 minute and 38 seconds and then it ended.

Somewhere in that time I lost internet and e-mail.
0
Jan Springer Commented:
When you start the VPN, ping your VPN gateway and monitor that in conjunction with the VPN.

3% isn't bad but it isn't all that great, either.  
0
richardjones1025 Author Commented:
This is the log with the dual tunnel as instructed
VPN2.log
0
Jan Springer Commented:
Unable to establish Phase 1 SA with server "12.236.137.68" because of "DEL_REASON_WE_FAILED_AUTH"

Failed due to authentication.
0
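The two client log messages quoted in this thread, parsed as an added example (not part of the original thread and not Cisco tooling): it groups VPN Client log entries in the format shown above, extracts each DEL_REASON code, and attaches the check the replies point to. The second sample entry's header, the 192.0.2.10 address, the MM/DD/YY date reading and the hint strings are assumptions constructed for the example.

```python
import re
from datetime import datetime

# Entry header as quoted in the thread: seq, time, date, Sev=level, component/id.
# Assumption: the client writes the date as MM/DD/YY.
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d{3})\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>\w+)/\d+\s+(?P<comp>\w+)/0x[0-9A-Fa-f]+$"
)
REASON = re.compile(r"\bDEL_REASON_[A-Z_]+\b")

# Only the two reasons seen in the thread are mapped; hints paraphrase the replies.
NEXT_CHECK = {
    "DEL_REASON_PEER_NOT_RESPONDING": "path: ping the gateway public IP while the tunnel is up",
    "DEL_REASON_WE_FAILED_AUTH": "authentication: check the credentials the client presents",
}

# First entry is the one quoted in the thread; the second header and address are constructed.
SAMPLE_LOG = """\
118    09:12:33.734  07/06/09  Sev=Info/4       CM/0x63100013
Phase 1 SA deleted cause by DEL_REASON_PEER_NOT_RESPONDING.  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

7      10:02:11.250  07/06/09  Sev=Warning/2    CM/0x00000000
Unable to establish Phase 1 SA with server "192.0.2.10" because of "DEL_REASON_WE_FAILED_AUTH"
"""

def parse_entries(text):
    """Group each header line with the message lines that follow it."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            when = datetime.strptime(m["date"] + " " + m["time"], "%m/%d/%y %H:%M:%S.%f")
            current = {"seq": int(m["seq"]), "when": when, "severity": m["sev"], "message": ""}
            entries.append(current)
        elif current is not None and line:
            current["message"] = (current["message"] + " " + line).strip()
    return entries

def delete_events(text):
    """Return (seq, timestamp, reason, next_check) for every entry carrying a DEL_REASON."""
    events = []
    for e in parse_entries(text):
        for reason in REASON.findall(e["message"]):
            hint = NEXT_CHECK.get(reason, "unmapped: capture the ASA-side debug")
            events.append((e["seq"], e["when"], reason, hint))
    return events

if __name__ == "__main__":
    for seq, when, reason, hint in delete_events(SAMPLE_LOG):
        print(f"{when:%Y-%m-%d %H:%M:%S} #{seq} {reason} -> {hint}")
```
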

richardjones1025 Author Commented:
best answer
0