Solved

cisco remote access vpn, increase disconnect time (after period of inactivity)

Posted on 2010-09-10
5
617 Views
Last Modified: 2012-05-10
hi all,

cisco 877

I have a user that uses the remote access VPN a lot, and she's telling me that if she leaves it for a while she gets disconnected (approx 15 minutes). She doesn't want that, as when she tries to log back in she gets an IP conflict and has to reboot to get on again (something to do with the VPN client?).

So I've looked through my config and I don't see where the disconnect time is set, if anywhere, where it can be increased, or even if it exists. Could it be something else causing the drops? I don't know.

Can anyone shed any light on this for me? (Config below.) Thanks.
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CWCH
!
boot-start-marker
boot-end-marker
!
logging buffered 8192
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login NO_LOGIN none
aaa authentication login admin local
aaa authentication login RA_AUTH group radius local
aaa authorization network RA_CWORKS local
!
!
aaa session-id common
!
!
dot11 syslog
ip cef
!
!
ip dhcp smart-relay
no ip dhcp relay information check
!
!
ip domain name local
ip name-server 192.168.101.1
ip dhcp-server 192.168.101.1
login block-for 180 attempts 5 within 60
login delay 2
login quiet-mode access-class QUIETMODE
login on-failure log every 3
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 15
 encr 3des
 authentication pre-share
crypto isakmp key address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 4
crypto isakmp nat keepalive 30
!
crypto isakmp client configuration group RA_CWORKS
 key
 dns 192.168.101.1
 domain local
 pool vpnclient
crypto isakmp profile VPNclient
   match identity group RA_CWORKS
   client authentication list RA_AUTH
   isakmp authorization list RA_CWORKS
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set DMVPN_SET esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN_SET
!
!
crypto dynamic-map VPN 5
 set transform-set DMVPN_SET
 set isakmp-profile VPNclient
 reverse-route
!
!
crypto map VPN 1 ipsec-isakmp dynamic VPN
!
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
!
!
interface Loopback0
 ip address 192.168.250.1 255.255.255.0
!
interface Tunnel1
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 450
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN
!
interface ATM0
 description PPP DIALER TO KAROO
 no ip address
 no atm ilmi-keepalive
 pvc 1/50
  dialer pool-member 1
  protocol ppp dialer
 !
 dsl operating-mode auto
!
interface FastEthernet0
 description Suite 1 WLAN
!
interface FastEthernet1
 description Suite 2 WLAN
 switchport access vlan 2
!
interface FastEthernet2
 description Suite 2 LAN
 switchport access vlan 101
!
interface FastEthernet3
 description Suite 2 Firewall
 switchport access vlan 201
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DMVPN
!
interface Vlan1
 ip address 192.168.11.254 255.255.255.0
 ip helper-address 192.168.101.1
 ip nat inside
 ip virtual-reassembly
!
interface Vlan101
 ip address 192.168.101.254 255.255.255.0
 ip helper-address 192.168.101.1
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 ip address 192.168.12.254 255.255.255.0
 ip helper-address 192.168.101.1
 ip nat inside
 ip virtual-reassembly
!
interface Vlan201
 ip address 192.168.201.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip address negotiated
 ip access-group REMOTE_OP in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 load-interval 30
 dialer pool 1
 no cdp enable
 ppp chap hostname
 ppp chap password
 crypto map VPN
!
router eigrp 100
 redistribute static
 network 192.168.11.0
 network 192.168.12.0
 network 192.168.100.0
 network 192.168.101.0
 no auto-summary
!
ip local pool vpnclient 192.168.250.2 192.168.250.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list EXTERNAL_ACCESS interface Dialer1 overload
ip nat inside source static tcp 192.168.11.99 54321 interface Dialer1 54321
ip nat inside source static tcp 192.168.201.1 80 interface Dialer1 80
ip nat inside source static tcp 192.168.201.1 3306 interface Dialer1 3306
ip nat inside source static tcp 192.168.201.1 25 interface Dialer1 25
ip nat inside source static tcp 192.168.201.1 443 interface Dialer1 443
!
ip access-list extended EXTERNAL_ACCESS
 permit tcp any any eq smtp
 permit tcp any any eq 443
 permit ip 192.168.11.0 0.0.0.255 any
 permit ip 192.168.12.0 0.0.0.255 any
 permit ip 192.168.101.0 0.0.0.255 any
 permit ip 192.168.201.0 0.0.0.255 any
 permit ip 192.168.250.0 0.0.0.255 any
 deny   ip any any
ip access-list extended REMOTE_OP
 permit tcp 192.168.11.0 0.0.0.255 any eq 22
 permit tcp 192.168.12.0 0.0.0.255 any eq 22
 permit tcp 192.168.101.0 0.0.0.255 any eq 22
 permit tcp 192.168.102.0 0.0.0.255 any eq 22
 permit tcp 192.168.103.0 0.0.0.255 any eq 22
 permit tcp 192.168.104.0 0.0.0.255 any eq 22
 permit tcp 172.30.1.0 0.0.0.255 any eq 22
 permit tcp 172.30.2.0 0.0.0.255 any eq 22
 permit tcp 192.168.250.0 0.0.0.255 any eq 22
 deny   tcp any any eq 22
 deny   tcp any host 192.168.101.254 eq telnet
 deny   tcp any host 192.168.200.254 eq telnet
 permit ip any any
!
no cdp run
!
!
!
radius-server host 192.168.101.10 auth-port 1812 acct-port 1813 key
!
control-plane
!
banner motd
################################# WARNING!#################################

Access to this device is for authorized users only. Unauthorized access is
strictly prohibted! Unauothorized users will be prosecuted!

###########################################################################
!

Question by:awilderbeast
5 Comments
 
LVL 7

Expert Comment

by:Anglo
ID: 33644429
I would check how the laptop is being operated first, i.e. the LAN adapter could be going into sleep mode if running on battery.
0
 
LVL 6

Expert Comment

by:stavros41
ID: 33644473
It's this line: crypto isakmp keepalive 10 4, but I can't remember what it needs to be changed to.
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 33644500
As you are using RADIUS for authentication, have you checked on your RADIUS server to see if a timeout has been set there?
0
 
LVL 36

Accepted Solution

by:
ArneLovius earned 500 total points
ID: 33644535
from here http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution13

If the idle timeout is set to 30 minutes (default), it means that it drops the tunnel after 30 minutes of no traffic passes through it. The VPN client gets disconnected after 30 minutes regardless of the setting of idle timeout and encounters the PEER_DELETE-IKE_DELETE_UNSPECIFIED error.
0
 
LVL 1

Author Closing Comment

by:awilderbeast
ID: 33644614
crypto ipsec security-association idle-time 86400

That should do it then; 24 hours before it drops now. I'll let you know if it's still failing for the user.

Thanks
0
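As an added check that is not part of this thread, the Python script below reads an IOS config excerpt, reports the timers that decide when a silent remote-access tunnel is torn down (the `crypto isakmp keepalive` DPD settings from the posted config and the `crypto ipsec security-association idle-time` / `lifetime seconds` commands), and applies the closing comment's idle-time fix with the command's 60 to 86400 second range enforced. The sample config is a constructed excerpt modelled on the posted one, not the full config.

```python
import re

# Constructed excerpt modelled on the timer-related lines of the router config
# in the question; a sample for this script, not the full config from the post.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10 4
crypto isakmp nat keepalive 30
crypto ipsec transform-set DMVPN_SET esp-3des esp-sha-hmac
 mode transport
"""

# Global IOS commands that control how quickly an idle or unreachable tunnel is dropped.
DPD_RE = re.compile(r"^crypto isakmp keepalive (\d+)(?: (\d+))?", re.M)
IDLE_RE = re.compile(r"^crypto ipsec security-association idle-time (\d+)", re.M)
LIFETIME_RE = re.compile(r"^crypto ipsec security-association lifetime seconds (\d+)", re.M)


def audit_timers(config: str) -> dict:
    """Report the tunnel timers present in an IOS config; None means the command is absent."""
    dpd = DPD_RE.search(config)
    idle = IDLE_RE.search(config)
    life = LIFETIME_RE.search(config)
    return {
        "dpd_interval_s": int(dpd.group(1)) if dpd else None,
        "dpd_retry_s": int(dpd.group(2)) if dpd and dpd.group(2) else None,
        "sa_idle_time_s": int(idle.group(1)) if idle else None,
        "sa_lifetime_s": int(life.group(1)) if life else None,
    }


def set_sa_idle_time(config: str, seconds: int) -> str:
    """Return the config with the IPsec SA idle timer set to `seconds`, replacing an
    existing idle-time line or appending one. The command accepts 60 to 86400 seconds."""
    if not 60 <= seconds <= 86400:
        raise ValueError("idle-time must be between 60 and 86400 seconds")
    line = f"crypto ipsec security-association idle-time {seconds}"
    if IDLE_RE.search(config):
        return IDLE_RE.sub(line, config)
    return config.rstrip("\n") + "\n" + line + "\n"


if __name__ == "__main__":
    print("before:", audit_timers(SAMPLE_CONFIG))
    print("after: ", audit_timers(set_sa_idle_time(SAMPLE_CONFIG, 86400)))
```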
