We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!
Solved
Cisco IPSec VPN Client Session gets disconnected at randon times from remote ASA5505
Posted on 2011-03-08
We have a number of users connecting / terminatiing Cisco IPSec VPN Client sessions onto a Cisco ASA5505 appliance.
The users are using a variation of Client OS, XP, Vista etc and different versions of the Cisco IPSec VPN Client. What is ahppening is, the clients are getting disconnected from the ASA at randon, sometimes after 5 minutes, 15 minutes even 7 hours. The logs off the Cisco VPN Client show the below,
Cisco Systems VPN Client Version 5.0.05.0290
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7600
7 10:08:25.162 03/08/11 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=10.4.9.189, error 0
8 10:08:26.176 03/08/11 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=10.4.9.189, error 0
9 10:08:27.190 03/08/11 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=10.4.9.189, error 0
10 10:08:28.204 03/08/11 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=10.4.9.189, error 0
11 10:08:29.218 03/08/11 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=10.4.9.189, error 0
12 10:08:30.232 03/08/11 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
13 10:08:31.043 03/08/11 Sev=Warning/2 IKE/0xA3000067
Received an IPC message during invalid state (IKE_MAIN:512)
Any feedback would be great...
The users are using a variation of Client OS, XP, Vista etc and different versions of the Cisco IPSec VPN Client. What is ahppening is, the clients are getting disconnected from the ASA at randon, sometimes after 5 minutes, 15 minutes even 7 hours. The logs off the Cisco VPN Client show the below,
Cisco Systems VPN Client Version 5.0.05.0290
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7600
7 10:08:25.162 03/08/11 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=10.4.9.189, error 0
8 10:08:26.176 03/08/11 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=10.4.9.189, error 0
9 10:08:27.190 03/08/11 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=10.4.9.189, error 0
10 10:08:28.204 03/08/11 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=10.4.9.189, error 0
11 10:08:29.218 03/08/11 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=10.4.9.189, error 0
12 10:08:30.232 03/08/11 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
13 10:08:31.043 03/08/11 Sev=Warning/2 IKE/0xA3000067
Received an IPC message during invalid state (IKE_MAIN:512)
Any feedback would be great...
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
2
3 Comments
The problem might be with the IP pool assignment either through ASA, Radius server, DHCP server etc.
Use the debug crypto command in order to verify that the netmask and IP addresses are correct. Also, verify that the pool does not include the network address and the broadcast address.
Use the debug crypto command in order to verify that the netmask and IP addresses are correct. Also, verify that the pool does not include the network address and the broadcast address.
Hi, thanks for the information. That's a very good point. However, just to let everyone know. I found out what the problem was. It was a setting on the ASA itself. You have to enable nat traversal for VPN traffic as the ASA needs to know that the incomming packets have already been natted. For example,
crypto isakmp nat-traversal
This did the trick. Prior to this client IPSec VPN sessions were getting timed out at random even after 7 hours or so. The client software versions varied and were Cisco/Non Cisco ones.
Hope that helps :)
crypto isakmp nat-traversal
This did the trick. Prior to this client IPSec VPN sessions were getting timed out at random even after 7 hours or so. The client software versions varied and were Cisco/Non Cisco ones.
Hope that helps :)
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
Considering cloud tradeoffs and determining the right mix for your organization.
Both in life and business – not all partnerships are created equal.
As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:
• Key questions to ask when considering a partnership to accelerate your business into the cloud
• Pitfalls and mistakes other partners…
Suggested Courses
Course of the Month11 days, 15 hours left to enroll
636 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.