awilderbeast asked:

cisco remote access vpn, increase disconnect time (after period of inactivity)

Hi all,

Cisco 877

I have a user who uses the remote access VPN a lot, and she's telling me that if she leaves it for a while she gets disconnected (approx. 15 minutes). She doesn't want that, as when she tries to log back in she gets an IP conflict and has to reboot to get on again (something to do with the VPN client?).

So I've looked through my config and I don't see where the disconnect time is set, if any, or where it can be increased, or even if it exists. Could it be something else that makes it drop? I don't know.

Can anyone shed any light for me? (Config below.) Thanks
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CWCH
!
boot-start-marker
boot-end-marker
!
logging buffered 8192
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login NO_LOGIN none
aaa authentication login admin local
aaa authentication login RA_AUTH group radius local
aaa authorization network RA_CWORKS local 
!
!
aaa session-id common
!
!
dot11 syslog
ip cef
!
!
ip dhcp smart-relay
no ip dhcp relay information check
!
!
ip domain name local
ip name-server 192.168.101.1
ip dhcp-server 192.168.101.1
login block-for 180 attempts 5 within 60
login delay 2
login quiet-mode access-class QUIETMODE
login on-failure log every 3
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 
! 
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 15
 encr 3des
 authentication pre-share
crypto isakmp key address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 4
crypto isakmp nat keepalive 30
!
crypto isakmp client configuration group RA_CWORKS
 key 
 dns 192.168.101.1
 domain local
 pool vpnclient
crypto isakmp profile VPNclient
   match identity group RA_CWORKS
   client authentication list RA_AUTH
   isakmp authorization list RA_CWORKS
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set DMVPN_SET esp-3des esp-sha-hmac 
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN_SET 
!
!
crypto dynamic-map VPN 5
 set transform-set DMVPN_SET 
 set isakmp-profile VPNclient
 reverse-route
!
!
crypto map VPN 1 ipsec-isakmp dynamic VPN 
!
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
!
!
interface Loopback0
 ip address 192.168.250.1 255.255.255.0
!
interface Tunnel1
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication 
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 450
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN
!
interface ATM0
 description PPP DIALER TO KAROO
 no ip address
 no atm ilmi-keepalive
 pvc 1/50 
  dialer pool-member 1
  protocol ppp dialer
 !
 dsl operating-mode auto 
!
interface FastEthernet0
 description Suite 1 WLAN
!
interface FastEthernet1
 description Suite 2 WLAN
 switchport access vlan 2
!
interface FastEthernet2
 description Suite 2 LAN
 switchport access vlan 101
!
interface FastEthernet3
 description Suite 2 Firewall
 switchport access vlan 201
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DMVPN
!
interface Vlan1
 ip address 192.168.11.254 255.255.255.0
 ip helper-address 192.168.101.1
 ip nat inside
 ip virtual-reassembly
!
interface Vlan101
 ip address 192.168.101.254 255.255.255.0
 ip helper-address 192.168.101.1
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 ip address 192.168.12.254 255.255.255.0
 ip helper-address 192.168.101.1
 ip nat inside
 ip virtual-reassembly
!
interface Vlan201
 ip address 192.168.201.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip address negotiated
 ip access-group REMOTE_OP in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 load-interval 30
 dialer pool 1
 no cdp enable
 ppp chap hostname 
 ppp chap password 
 crypto map VPN
!
router eigrp 100
 redistribute static
 network 192.168.11.0
 network 192.168.12.0
 network 192.168.100.0
 network 192.168.101.0
 no auto-summary
!
ip local pool vpnclient 192.168.250.2 192.168.250.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list EXTERNAL_ACCESS interface Dialer1 overload
ip nat inside source static tcp 192.168.11.99 54321 interface Dialer1 54321
ip nat inside source static tcp 192.168.201.1 80 interface Dialer1 80
ip nat inside source static tcp 192.168.201.1 3306 interface Dialer1 3306
ip nat inside source static tcp 192.168.201.1 25 interface Dialer1 25
ip nat inside source static tcp 192.168.201.1 443 interface Dialer1 443
!
ip access-list extended EXTERNAL_ACCESS
 permit tcp any any eq smtp
 permit tcp any any eq 443
 permit ip 192.168.11.0 0.0.0.255 any
 permit ip 192.168.12.0 0.0.0.255 any
 permit ip 192.168.101.0 0.0.0.255 any
 permit ip 192.168.201.0 0.0.0.255 any
 permit ip 192.168.250.0 0.0.0.255 any
 deny   ip any any
ip access-list extended REMOTE_OP
 permit tcp 192.168.11.0 0.0.0.255 any eq 22
 permit tcp 192.168.12.0 0.0.0.255 any eq 22
 permit tcp 192.168.101.0 0.0.0.255 any eq 22
 permit tcp 192.168.102.0 0.0.0.255 any eq 22
 permit tcp 192.168.103.0 0.0.0.255 any eq 22
 permit tcp 192.168.104.0 0.0.0.255 any eq 22
 permit tcp 172.30.1.0 0.0.0.255 any eq 22
 permit tcp 172.30.2.0 0.0.0.255 any eq 22
 permit tcp 192.168.250.0 0.0.0.255 any eq 22
 deny   tcp any any eq 22
 deny   tcp any host 192.168.101.254 eq telnet
 deny   tcp any host 192.168.200.254 eq telnet
 permit ip any any
!
no cdp run
!
!
!
radius-server host 192.168.101.10 auth-port 1812 acct-port 1813 key 
!
control-plane
!
banner motd 
################################# WARNING!#################################
          
Access to this device is for authorized users only. Unauthorized access is
strictly prohibted! Unauothorized users will be prosecuted!

###########################################################################

!


Anglo:

I would check how the laptop is being operated first, i.e. the LAN adapter could be going into sleep mode if running on battery.
It's this line: crypto isakmp keepalive 10 4, but I can't remember what it needs to be changed to.
ArneLovius:
As you are using RADIUS for authentication, have you checked on your RADIUS server to see if a timeout has been set there?
ASKER CERTIFIED SOLUTION
ArneLovius:

This solution is only available to members.
awilderbeast (ASKER):

crypto ipsec security-association idle-time 86400

That should do it then, 24 hours before it drops now. I'll let you know if it's still failing the user.

Thanks
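
An added example, not part of the original thread: a small Python script that inventories the VPN timer commands mentioned above in an IOS config and checks idle-time values against the 60-86400 second range IOS accepts for that command. The sample text is constructed from lines quoted in the thread; the `crypto map EXAMPLE` entry and all function names are hypothetical.

```python
import re

# Constructed sample: timer lines from the posted config plus the idle-time
# command from the final reply. The crypto map entry is hypothetical.
SAMPLE = """\
crypto isakmp keepalive 10 4
crypto isakmp nat keepalive 30
crypto ipsec security-association idle-time 86400
crypto map EXAMPLE 10 ipsec-isakmp
 set security-association idle-time 30
"""

PATTERNS = [
    ("dpd_keepalive", re.compile(r"^crypto isakmp keepalive (\d+)(?: (\d+))?")),
    ("nat_keepalive", re.compile(r"^crypto isakmp nat keepalive (\d+)")),
    ("idle_time", re.compile(r"^crypto ipsec security-association idle-time (\d+)")),
    ("idle_time", re.compile(r"^set security-association idle-time (\d+)")),
]
IDLE_MIN, IDLE_MAX = 60, 86400  # seconds accepted by the idle-time command

def vpn_timers(config):
    """Return (scope, name, values) for each VPN timer line in an IOS config."""
    found, parent = [], "global"
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        indented = raw[0] == " "
        if not indented:
            parent = line  # remember the enclosing top-level command
        for name, rx in PATTERNS:
            m = rx.match(line)
            if m:
                values = tuple(int(v) for v in m.groups() if v is not None)
                found.append((parent if indented else "global", name, values))
                break
    return found

def idle_time_findings(timers):
    """Flag idle-time values outside the accepted range, or note that none is set."""
    idle = [(s, v[0]) for s, n, v in timers if n == "idle_time"]
    notes = [f"{s}: idle-time {v} outside {IDLE_MIN}-{IDLE_MAX}"
             for s, v in idle if not IDLE_MIN <= v <= IDLE_MAX]
    if not idle:
        notes.append("no idle-time configured")
    return notes

if __name__ == "__main__":
    timers = vpn_timers(SAMPLE)
    print(timers, idle_time_findings(timers))
```

86400 is the top of that range, so a review of remote-access timers should record it as the longest idle period the command allows before an inactive peer's SAs are removed.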