awilderbeast
asked on
cisco remote access vpn, increase disconnect time (after period of inactivity)
hi all,
cisco 877
I have a user that uses the remote access VPN a lot and she's telling me if she leaves it for a while she gets disconnected (approx 15 minutes) and she doesn't want to, as when she tries to log back in she gets an IP conflict and has to reboot to get on again (something to do with the VPN client?)
So I've looked through my config and I don't see where the disconnect time is set, if any, and where it can be increased or even if it exists. Could be something else why it drops? I don't know.
Anyone shed any light for me? (config below) Thanks
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CWCH
!
boot-start-marker
boot-end-marker
!
logging buffered 8192
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login NO_LOGIN none
aaa authentication login admin local
aaa authentication login RA_AUTH group radius local
aaa authorization network RA_CWORKS local
!
!
aaa session-id common
!
!
dot11 syslog
ip cef
!
!
ip dhcp smart-relay
no ip dhcp relay information check
!
!
ip domain name local
ip name-server 192.168.101.1
ip dhcp-server 192.168.101.1
login block-for 180 attempts 5 within 60
login delay 2
login quiet-mode access-class QUIETMODE
login on-failure log every 3
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 15
encr 3des
authentication pre-share
crypto isakmp key address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 4
crypto isakmp nat keepalive 30
!
crypto isakmp client configuration group RA_CWORKS
key
dns 192.168.101.1
domain local
pool vpnclient
crypto isakmp profile VPNclient
match identity group RA_CWORKS
client authentication list RA_AUTH
isakmp authorization list RA_CWORKS
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set DMVPN_SET esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set DMVPN_SET
!
!
crypto dynamic-map VPN 5
set transform-set DMVPN_SET
set isakmp-profile VPNclient
reverse-route
!
!
crypto map VPN 1 ipsec-isakmp dynamic VPN
!
archive
log config
hidekeys
!
!
ip ssh version 2
!
!
!
interface Loopback0
ip address 192.168.250.1 255.255.255.0
!
interface Tunnel1
ip address 192.168.100.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp holdtime 450
ip tcp adjust-mss 1360
no ip split-horizon eigrp 100
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile DMVPN
!
interface ATM0
description PPP DIALER TO KAROO
no ip address
no atm ilmi-keepalive
pvc 1/50
dialer pool-member 1
protocol ppp dialer
!
dsl operating-mode auto
!
interface FastEthernet0
description Suite 1 WLAN
!
interface FastEthernet1
description Suite 2 WLAN
switchport access vlan 2
!
interface FastEthernet2
description Suite 2 LAN
switchport access vlan 101
!
interface FastEthernet3
description Suite 2 Firewall
switchport access vlan 201
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile DMVPN
!
interface Vlan1
ip address 192.168.11.254 255.255.255.0
ip helper-address 192.168.101.1
ip nat inside
ip virtual-reassembly
!
interface Vlan101
ip address 192.168.101.254 255.255.255.0
ip helper-address 192.168.101.1
ip nat inside
ip virtual-reassembly
!
interface Vlan2
ip address 192.168.12.254 255.255.255.0
ip helper-address 192.168.101.1
ip nat inside
ip virtual-reassembly
!
interface Vlan201
ip address 192.168.201.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
ip address negotiated
ip access-group REMOTE_OP in
ip nat outside
ip virtual-reassembly
encapsulation ppp
load-interval 30
dialer pool 1
no cdp enable
ppp chap hostname
ppp chap password
crypto map VPN
!
router eigrp 100
redistribute static
network 192.168.11.0
network 192.168.12.0
network 192.168.100.0
network 192.168.101.0
no auto-summary
!
ip local pool vpnclient 192.168.250.2 192.168.250.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list EXTERNAL_ACCESS interface Dialer1 overload
ip nat inside source static tcp 192.168.11.99 54321 interface Dialer1 54321
ip nat inside source static tcp 192.168.201.1 80 interface Dialer1 80
ip nat inside source static tcp 192.168.201.1 3306 interface Dialer1 3306
ip nat inside source static tcp 192.168.201.1 25 interface Dialer1 25
ip nat inside source static tcp 192.168.201.1 443 interface Dialer1 443
!
ip access-list extended EXTERNAL_ACCESS
permit tcp any any eq smtp
permit tcp any any eq 443
permit ip 192.168.11.0 0.0.0.255 any
permit ip 192.168.12.0 0.0.0.255 any
permit ip 192.168.101.0 0.0.0.255 any
permit ip 192.168.201.0 0.0.0.255 any
permit ip 192.168.250.0 0.0.0.255 any
deny ip any any
ip access-list extended REMOTE_OP
permit tcp 192.168.11.0 0.0.0.255 any eq 22
permit tcp 192.168.12.0 0.0.0.255 any eq 22
permit tcp 192.168.101.0 0.0.0.255 any eq 22
permit tcp 192.168.102.0 0.0.0.255 any eq 22
permit tcp 192.168.103.0 0.0.0.255 any eq 22
permit tcp 192.168.104.0 0.0.0.255 any eq 22
permit tcp 172.30.1.0 0.0.0.255 any eq 22
permit tcp 172.30.2.0 0.0.0.255 any eq 22
permit tcp 192.168.250.0 0.0.0.255 any eq 22
deny tcp any any eq 22
deny tcp any host 192.168.101.254 eq telnet
deny tcp any host 192.168.200.254 eq telnet
permit ip any any
!
no cdp run
!
!
!
radius-server host 192.168.101.10 auth-port 1812 acct-port 1813 key
!
control-plane
!
banner motd
################################# WARNING!#################################
Access to this device is for authorized users only. Unauthorized access is
strictly prohibted! Unauothorized users will be prosecuted!
###########################################################################
!
I would check how the laptop is being operated first, i.e. the LAN adapter could be going into sleep mode if running on battery.
It's this line: crypto isakmp keepalive 10 4, but I can't remember what it needs to be changed to.
As you are using RADIUS for authentication, have you checked on your RADIUS server to see if a timeout has been set there?
ASKER
crypto ipsec security-association idle-time 86400
That should do it then, 24 hours before it drops now. I'll let you know if it's still failing the user.
Thanks
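As an added example (not posted in this thread and not Cisco code), a small Python audit that pulls the settings discussed above out of an IOS running-config: the DPD values on `crypto isakmp keepalive`, whether `crypto ipsec security-association idle-time` is set at all, and how many addresses the client group's `ip local pool` actually holds. The `audit_vpn_timers` function and the config excerpt are mine; the excerpt is constructed from the lines of the posted config that matter here, with and without the asker's fix.

```python
import ipaddress
import re

# Constructed excerpt: only the crypto and pool lines from the config posted
# in the thread, without the rest of the configuration.
SAMPLE_CONFIG = """\
crypto isakmp keepalive 10 4
crypto isakmp nat keepalive 30
crypto isakmp client configuration group RA_CWORKS
 pool vpnclient
ip local pool vpnclient 192.168.250.2 192.168.250.10
"""

# The same excerpt with the line the asker added afterwards.
FIXED_CONFIG = SAMPLE_CONFIG + "crypto ipsec security-association idle-time 86400\n"


def audit_vpn_timers(config_text):
    """Return the remote-access VPN timer settings found in an IOS config.

    Settings that are absent are reported as None, so the caller can see
    which timers are left at the IOS default instead of guessing.
    """
    result = {
        "dpd_interval": None,  # crypto isakmp keepalive <secs> <retry>
        "dpd_retry": None,
        "sa_idle_time": None,  # crypto ipsec security-association idle-time <secs>
        "pool_size": None,     # addresses in the pool the client group references
    }
    pool_name = None
    pools = {}  # pool name -> (first address, last address)
    for line in config_text.splitlines():
        line = line.strip()
        m = re.match(r"crypto isakmp keepalive (\d+)(?: (\d+))?$", line)
        if m:
            result["dpd_interval"] = int(m.group(1))
            result["dpd_retry"] = int(m.group(2)) if m.group(2) else None
        m = re.match(r"crypto ipsec security-association idle-time (\d+)$", line)
        if m:
            result["sa_idle_time"] = int(m.group(1))
        m = re.match(r"pool (\S+)$", line)  # inside the client configuration group
        if m:
            pool_name = m.group(1)
        m = re.match(r"ip local pool (\S+) (\S+) (\S+)$", line)
        if m:
            pools[m.group(1)] = tuple(ipaddress.ip_address(a) for a in m.group(2, 3))
    if pool_name in pools:
        first, last = pools[pool_name]
        result["pool_size"] = int(last) - int(first) + 1
    return result
```

Run against the posted config it reports DPD 10/4, no idle-time configured and a 9-address pool; with the asker's line added, `sa_idle_time` becomes 86400.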