Solved

Cisco remote access VPN, increase disconnect time (after period of inactivity)

Posted on 2010-09-10
Last Modified: 2012-05-10
Hi all,

Cisco 877

I have a user who uses the remote access VPN a lot, and she's telling me that if she leaves it for a while (approx. 15 minutes) she gets disconnected. She doesn't want that, as when she tries to log back in she gets an IP conflict and has to reboot to get on again (something to do with the VPN client?).

So I've looked through my config and I don't see where the disconnect time is set, if anywhere, or where it can be increased, or even if it exists. Could it be something else that makes it drop? I don't know.

Can anyone shed any light on this for me? (Config below.) Thanks.
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CWCH
!
boot-start-marker
boot-end-marker
!
logging buffered 8192
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login NO_LOGIN none
aaa authentication login admin local
aaa authentication login RA_AUTH group radius local
aaa authorization network RA_CWORKS local 
!
!
aaa session-id common
!
!
dot11 syslog
ip cef
!
!
ip dhcp smart-relay
no ip dhcp relay information check
!
!
ip domain name local
ip name-server 192.168.101.1
ip dhcp-server 192.168.101.1
login block-for 180 attempts 5 within 60
login delay 2
login quiet-mode access-class QUIETMODE
login on-failure log every 3
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 
! 
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 15
 encr 3des
 authentication pre-share
crypto isakmp key address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 4
crypto isakmp nat keepalive 30
!
crypto isakmp client configuration group RA_CWORKS
 key 
 dns 192.168.101.1
 domain local
 pool vpnclient
crypto isakmp profile VPNclient
   match identity group RA_CWORKS
   client authentication list RA_AUTH
   isakmp authorization list RA_CWORKS
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set DMVPN_SET esp-3des esp-sha-hmac 
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN_SET 
!
!
crypto dynamic-map VPN 5
 set transform-set DMVPN_SET 
 set isakmp-profile VPNclient
 reverse-route
!
!
crypto map VPN 1 ipsec-isakmp dynamic VPN 
!
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
!
!
interface Loopback0
 ip address 192.168.250.1 255.255.255.0
!
interface Tunnel1
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication 
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 450
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN
!
interface ATM0
 description PPP DIALER TO KAROO
 no ip address
 no atm ilmi-keepalive
 pvc 1/50 
  dialer pool-member 1
  protocol ppp dialer
 !
 dsl operating-mode auto 
!
interface FastEthernet0
 description Suite 1 WLAN
!
interface FastEthernet1
 description Suite 2 WLAN
 switchport access vlan 2
!
interface FastEthernet2
 description Suite 2 LAN
 switchport access vlan 101
!
interface FastEthernet3
 description Suite 2 Firewall
 switchport access vlan 201
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DMVPN
!
interface Vlan1
 ip address 192.168.11.254 255.255.255.0
 ip helper-address 192.168.101.1
 ip nat inside
 ip virtual-reassembly
!
interface Vlan101
 ip address 192.168.101.254 255.255.255.0
 ip helper-address 192.168.101.1
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 ip address 192.168.12.254 255.255.255.0
 ip helper-address 192.168.101.1
 ip nat inside
 ip virtual-reassembly
!
interface Vlan201
 ip address 192.168.201.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip address negotiated
 ip access-group REMOTE_OP in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 load-interval 30
 dialer pool 1
 no cdp enable
 ppp chap hostname 
 ppp chap password 
 crypto map VPN
!
router eigrp 100
 redistribute static
 network 192.168.11.0
 network 192.168.12.0
 network 192.168.100.0
 network 192.168.101.0
 no auto-summary
!
ip local pool vpnclient 192.168.250.2 192.168.250.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list EXTERNAL_ACCESS interface Dialer1 overload
ip nat inside source static tcp 192.168.11.99 54321 interface Dialer1 54321
ip nat inside source static tcp 192.168.201.1 80 interface Dialer1 80
ip nat inside source static tcp 192.168.201.1 3306 interface Dialer1 3306
ip nat inside source static tcp 192.168.201.1 25 interface Dialer1 25
ip nat inside source static tcp 192.168.201.1 443 interface Dialer1 443
!
ip access-list extended EXTERNAL_ACCESS
 permit tcp any any eq smtp
 permit tcp any any eq 443
 permit ip 192.168.11.0 0.0.0.255 any
 permit ip 192.168.12.0 0.0.0.255 any
 permit ip 192.168.101.0 0.0.0.255 any
 permit ip 192.168.201.0 0.0.0.255 any
 permit ip 192.168.250.0 0.0.0.255 any
 deny   ip any any
ip access-list extended REMOTE_OP
 permit tcp 192.168.11.0 0.0.0.255 any eq 22
 permit tcp 192.168.12.0 0.0.0.255 any eq 22
 permit tcp 192.168.101.0 0.0.0.255 any eq 22
 permit tcp 192.168.102.0 0.0.0.255 any eq 22
 permit tcp 192.168.103.0 0.0.0.255 any eq 22
 permit tcp 192.168.104.0 0.0.0.255 any eq 22
 permit tcp 172.30.1.0 0.0.0.255 any eq 22
 permit tcp 172.30.2.0 0.0.0.255 any eq 22
 permit tcp 192.168.250.0 0.0.0.255 any eq 22
 deny   tcp any any eq 22
 deny   tcp any host 192.168.101.254 eq telnet
 deny   tcp any host 192.168.200.254 eq telnet
 permit ip any any
!
no cdp run
!
!
!
radius-server host 192.168.101.10 auth-port 1812 acct-port 1813 key 
!
control-plane
!
banner motd 
################################# WARNING!#################################
          
Access to this device is for authorized users only. Unauthorized access is
strictly prohibited! Unauthorized users will be prosecuted!

###########################################################################

!

Question by:awilderbeast

Expert Comment

by:Anglo
ID: 33644429
I would check how the laptop is being operated first, i.e. the LAN adapter could be going into sleep mode if running on battery.

Expert Comment

by:stavros41
ID: 33644473
It's this line: crypto isakmp keepalive 10 4, but I can't remember what it needs to be changed to.

Expert Comment

by:ArneLovius
ID: 33644500
As you are using RADIUS for authentication, have you checked on your RADIUS server to see if a timeout has been set there?

Accepted Solution

by:ArneLovius (earned 500 total points)
ID: 33644535
from here http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution13

If the idle timeout is set to 30 minutes (default), it means that it drops the tunnel after 30 minutes of no traffic passes through it. The VPN client gets disconnected after 30 minutes regardless of the setting of idle timeout and encounters the PEER_DELETE-IKE_DELETE_UNSPECIFIED error.

Author Closing Comment

by:awilderbeast
ID: 33644614
crypto ipsec security-association idle-time 86400

That should do it then; 24 hours before it drops now. I'll let you know if it's still failing for the user.

Thanks
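The idle timer discussed in the accepted solution and applied in the closing comment can be set either globally or scoped to the SAs it is meant to affect. The fragment below is an added example written for this page; it is not the asker's running config and not a snippet from the linked Cisco note. The map, profile and interface names are the ones in the posted config; the 3600-second value in the scoped variant and the `<client-public-ip>` placeholder are illustrative. Note that the posted config names both a dynamic crypto map on Dialer1 and Virtual-Template1 (via `virtual-template 1` in the ISAKMP profile) for the same client group, and the profile DMVPN is shared with the DMVPN tunnel, so a scoped timer has to be placed wherever the client SAs are actually created; `show crypto session detail` shows which interface that is.

```cisco
! --- As posted: no idle timer anywhere. On IOS the IPsec SA idle timer
!     is disabled by default, so nothing in this config tears an SA down
!     for inactivity. The only timers present are on-demand DPD (probe
!     after 10 s of silence while traffic is pending, retry every 4 s)
!     and the default SA lifetimes, which rekey rather than drop.
crypto isakmp keepalive 10 4
crypto dynamic-map VPN 5
 set transform-set DMVPN_SET
 set isakmp-profile VPNclient
 reverse-route

! --- Option A (what the closing comment applied): one global idle timer.
!     Range 60-86400 seconds. Applies to every IPsec SA on the router,
!     including the DMVPN tunnel over Tunnel1.
crypto ipsec security-association idle-time 86400

! --- Option B: scope the timer to the remote-access clients only.
!     If the clients terminate through the dynamic map on Dialer1, set
!     it in that map entry; 3600 is an illustrative value.
crypto dynamic-map VPN 5
 set security-association idle-time 3600

! --- If instead the clients terminate on Virtual-Template1, the timer
!     belongs in the IPsec profile. Because profile DMVPN is shared with
!     Tunnel1, this variant also applies to the DMVPN SAs.
crypto ipsec profile DMVPN
 set security-association idle-time 3600

! --- Verify with a client connected: confirm the interface the session
!     uses, then watch whether a drop lines up with the SA lifetime
!     (rekey, not a drop), with the idle timer, or with DPD (peer
!     unreachable, e.g. laptop NIC asleep, as the first comment suggests).
do show crypto session detail
do show crypto isakmp sa detail
do show crypto ipsec sa peer <client-public-ip>
```

The `do` prefix lets the show commands run from configuration mode; from privileged EXEC, drop it. Whichever option is used, the idle timer only decides when an SA with no traffic is deleted; it does not change the ISAKMP or IPsec SA lifetimes, which are controlled separately by `crypto isakmp policy` lifetime and `crypto ipsec security-association lifetime`.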