Cisco ASA 5505 VPN Connection Stability

richardjones1025
Last Modified: 2012-05-07
Having an issue where some remote users get kicked off after just a few minutes. Cannot replicate this myself, yet a user in Florida is having this issue, as is a user in Cali.
vpnissue.jpg

CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
If the clients cannot reach the ASA, then they may have upstream problems with their respective providers.

Presuming that all clients use the same phase 1 and phase 2 configuration, the ASA is most likely not the problem.

If the working clients use a different configuration than the non-working clients, compare your crypto configuration and check the timeout.

Do your ASA logs show anything?

Author

Commented:
The person connects fine; after a minute or two they lose connection with that error. All the logs show is them connecting and them disconnecting.
CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
Are the working users and the non-working users using the exact same crypto configuration on the ASA?

Are there differences in the version of the client software between the two?

Have you run debug on a specific connection?
    term mon
    debug crypto isakmp
    debug crypto ipsec
    debug crypto engine

Author

Commented:
The client laptops are just using the client program that came with the device on the host end.

Author

Commented:
How do you do this?
Have you run debug on a specific connection?
    term mon
    debug crypto isakmp
    debug crypto ipsec
    debug crypto engine
CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
You don't.  You have one of the clients that is exhibiting a problem get ready for a connection, run those commands from command line, have the client perform the connection and then capture the debug traffic.

When you're done, from command line:
   no debug all

If you're using the GUI, there should be an option to run command line statements.  I do not like the GUI and do not use it, so I'm not much help there.

As far as the client VPN software -- all clients are running the same release of the Cisco client VPN software?  Is there any other difference, like client OS?

Author

Commented:
All using XP and Cisco v.5
CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
If everything is the same (you haven't indicated if the non-working clients are using the same crypto config as the working clients), then we need to see the debug of a specific connection that is terminating after 1 or 2 minutes.

Author

Commented:
There is no config on their end... they are using the same client with the same user name, password, tunnel name and tunnel password.

Author

Commented:
......I'm working on getting the debug info

Author

Commented:
Where is the term program at?

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>cd c:\

C:\>term mon
'term' is not recognized as an internal or external command,
operable program or batch file.

C:\>
CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
You run these commands via the CLI on the ASA via telnet, ssh or console (if console, 'term mon' not needed).

We need to see what the ASA thinks about the connection.

Author

Commented:
Here is data requested from client end
VPNlog.txt
CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
And in the client firewall are you allowing protocol 132 from the destination public IP address?

Author

Commented:
should be allow any from any
CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
So, does this mean that the firewall on the client is turned off?  Or turned on and everything is allowed in?

Author

Commented:
off
CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
Forget the protocol 132 -- that was another problem.

From the logs:

118    09:12:33.734  07/06/09  Sev=Info/4       CM/0x63100013
Phase 1 SA deleted cause by DEL_REASON_PEER_NOT_RESPONDING.  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

So, what I would do to start with is have a ping going to the destination public IP and watch to see if the ping times out when the tunnel dies.
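
The check suggested in the comment above (does ping loss to the public IP line up with the moment the client logs the Phase 1 teardown?) can be done mechanically. The following is an added example, not part of the original thread: the entry layout is taken from the log line quoted above, the date is assumed to be MM/DD/YY, and entry 117, its `0x00000000` code and the ping timestamps are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Entry header in the layout quoted in the thread (date assumed to be MM/DD/YY):
#   <seq>  <HH:MM:SS.mmm>  <MM/DD/YY>  Sev=<level>/<n>  <module>/<code>
HEADER = re.compile(r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\d\d/\d\d/\d\d)"
                    r"\s+Sev=(\w+)/(\d+)\s+(\w+)/(0x[0-9A-Fa-f]+)$")
REASON = re.compile(r"\b(DEL_REASON_\w+)")

# Constructed sample: entry 118 is the one quoted in the thread, entry 117 is a placeholder.
SAMPLE_LOG = """\
117    09:10:55.120  07/06/09  Sev=Info/4       CM/0x00000000
(constructed placeholder message)

118    09:12:33.734  07/06/09  Sev=Info/4       CM/0x63100013
Phase 1 SA deleted cause by DEL_REASON_PEER_NOT_RESPONDING.  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
"""
# Constructed timestamps of ping timeouts noted while the tunnel was up.
SAMPLE_PING_LOSSES = [datetime(2009, 7, 6, 9, 5, 0), datetime(2009, 7, 6, 9, 11, 40),
                      datetime(2009, 7, 6, 9, 12, 10)]

def parse_entries(text):
    """Split a client log into entries: header fields plus the message lines that follow."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(f"{m.group(3)} {m.group(2)}", "%m/%d/%y %H:%M:%S.%f")
            entries.append({"seq": int(m.group(1)), "time": ts,
                            "module": m.group(6), "msg": ""})
        elif entries and line:
            entries[-1]["msg"] = f'{entries[-1]["msg"]} {line}'.strip()
    return entries

def teardowns(entries):
    """Return (time, reason) for every entry whose message carries a DEL_REASON_* code."""
    return [(e["time"], m.group(1)) for e in entries if (m := REASON.search(e["msg"]))]

def correlate(downs, ping_losses, window_s=120):
    """Map each teardown time to the ping timeouts seen in the window_s seconds before it."""
    w = timedelta(seconds=window_s)
    return {t: [p for p in ping_losses if t - w <= p <= t] for t, _ in downs}

if __name__ == "__main__":
    downs = teardowns(parse_entries(SAMPLE_LOG))
    for t, lost in correlate(downs, SAMPLE_PING_LOSSES).items():
        print(t, dict(downs)[t], f"{len(lost)} ping timeouts in the preceding 2 minutes")
```

Ping timeouts clustered just before a `DEL_REASON_PEER_NOT_RESPONDING` teardown point at the path between client and gateway rather than at the crypto configuration.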

Author

Commented:
Doing it now.
Had 1 time out
Second 1
Third 1
fourth one close to third

started vpn.
Ping is now timing out all the time.
CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
Can you get two tunnels going at roughly the same exact time:  one known working tunnel and one non-working tunnel.  Do the ping for both.

If the working tunnel continues to work and that ping continues to work, then the problem is with the provider of the non-working locations.

Author

Commented:
I'll try

Author

Commented:
I started the ping, watched it for a minute or so. 97% of the pings worked maybe more.
I saw a few fail.
I started the vpn and made the connection and the ping quit working.
The vpn connection lasted 1 minute and 38 seconds and then it ended.

Somewhere in that time I lost internet and e-mail.
CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
When you start the VPN, ping your VPN gateway and monitor that in conjunction with the VPN.

3% isn't bad but it isn't all that great, either.  

Author

Commented:
This is the log with the dual tunnel as instructed
VPN2.log

Author

Commented:
best answer