Cisco IPSEC vpn timeout??

We have overseas developers connecting to our network via an IPSEC VPN.  For the most part everything works, but periodically, they say they can't connect...  This usually happens in their morning, or at 6am EST our time.

They're using this VPN client:

Cisco Systems VPN Client Version
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

These lines are repeated over and over in their VPN client log file

61     16:41:51.068  04/04/11  Sev=Warning/2	IKE/0xE3000023
No private IP address was assigned by the peer

62     16:41:51.068  04/04/11  Sev=Warning/2	IKE/0xE300009B
Failed to process ModeCfg Reply (NavigatorTM:175)

Our router is a Cisco 1841 - IOS 12.4(24)T2
Now, CPU usage is 6% memory usage is 15%

These are the lines in the running-config that appear to relate to the VPN:

crypto ipsec transform-set common-set esp-aes esp-sha-hmac 
crypto ipsec transform-set CDNET esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac 
crypto ipsec profile SDM_Profile1
 set security-association idle-time 10800
 set transform-set common-set 
 set isakmp-profile sdm-ike-profile-2
crypto ipsec profile SDM_Profile2
 set security-association idle-time 10800
 set transform-set CDNET 
 set isakmp-profile sdm-ike-profile-3
crypto ipsec profile SDM_Profile6
 set security-association idle-time 14400
 set transform-set ESP-3DES-SHA3 
 set isakmp-profile sdm-ike-profile-7
crypto ctcp port 10000 

I see this message appearing in the syslog file:

decaps:rec'd IPSEC packet has invalid spi for dest address-x.x.x.x, prot=50, spi=0x0FFAAAAAA(xxxxxxxxx) srcaddr=y.y.y.y.y 

I've asked them to do a tracert at the same time. Today, I see that one hop away from us there was a router reporting 1850ms delay.

We had a consultant set up the router for us.  We're not network guys but do know enough to telnet into the router and make some changes.

Question: I'm wondering if there are any settings I can change on the VPN that would make it more tolerant to timeouts?
cdesk458 (Author) commented:
We found one more fact today: it appears that we can NOT have more than 5 VPN users connected at one time.  Is this a hard-coded limit in our Cisco router?
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
I could not find any explicit restriction on the number of simultaneous VPN tunnels.
The first message of the VPN Client log lets me assume you do not have enough IP addresses on your Cisco router. Look in the config for a line starting
      ip local pool
and check if there are more than 5 addresses in that range provided.

Steve Jennings (Sr Manager Cloud Networking Ops) commented:
Agree with Qlemo . . . check to make sure you have a sufficient range of IP addresses in the pool.

Good luck,
cdesk458 (Author) commented:
Few issues:

1) There are two VPN groups, xxxx-External and dmz-080110, that share the same pool SDM_POOL_2.  Is that a problem?  There are 20 addresses in that pool.

2) No one is using SDM_POOL_1 which overlaps with SDM_POOL_2

ip local pool SDM_POOL_3
ip local pool SDM_POOL_4
ip local pool SDM_POOL_1
ip local pool SDM_POOL_2

crypto isakmp client configuration group xxxx-External
 pool SDM_POOL_2
 acl 104
 banner ^CYou are now Connected to xxxx network with limited Access

crypto isakmp client configuration group dmz-080110
 key 6 xxxxx
 pool SDM_POOL_2
 acl 104
 banner ^CConnected to xxxx DMZ - Temporary Certificate ^C

Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
Sharing the same pool is relevant if that leads to exhausting the available IP addresses. I see no reason why you should not expand that pool, and that is the first action I would take.

BTW, it is a completely different subnet (10.2.x) from the others (10.1.x) - no overlap at all.
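
The pool check suggested in the answers above, as an added example that is not part of the original thread: a Python script that reads a saved running-config, counts the addresses in each `ip local pool`, and reports pools whose sharing client groups could need more addresses than the pool holds. The sample config's address ranges and the per-group user counts passed to `audit` are constructed assumptions; the page does not show the real ranges.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the address ranges are made up (RFC 5737 documentation
# space); the page does not show the real ranges of its pools.
SAMPLE_CONFIG = """\
ip local pool SDM_POOL_1 192.0.2.1 192.0.2.5
ip local pool SDM_POOL_2 198.51.100.10 198.51.100.29
!
crypto isakmp client configuration group xxxx-External
 pool SDM_POOL_2
 acl 104
crypto isakmp client configuration group dmz-080110
 pool SDM_POOL_2
 acl 104
"""
IP = r"(\d+\.\d+\.\d+\.\d+)"
POOL_RE = re.compile(rf"^ip local pool (\S+) {IP}(?: {IP})?")
GROUP_RE = re.compile(r"^crypto isakmp client configuration group (\S+)")

def parse_pools(config):
    """Return {pool: address count}; a pool may be defined by several ranges."""
    sizes = defaultdict(int)
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if m:
            low = ipaddress.IPv4Address(m.group(2))
            high = ipaddress.IPv4Address(m.group(3) or m.group(2))
            sizes[m.group(1)] += int(high) - int(low) + 1
    return dict(sizes)

def parse_group_pools(config):
    """Return {group: pool} from 'pool' lines nested under each client group."""
    groups, current = {}, None
    for line in config.splitlines():
        parts = line.split()
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
        elif not line.startswith(" "):
            current = None  # left the group's indented sub-block
        elif current and len(parts) >= 2 and parts[0] == "pool":
            groups[current] = parts[1]
    return groups

def audit(config, expected_users):
    """List (pool, size, demand, groups) where sharing groups need more than the pool holds."""
    pools, demand, sharers = parse_pools(config), defaultdict(int), defaultdict(list)
    for group, pool in parse_group_pools(config).items():
        demand[pool] += expected_users.get(group, 0)  # expected_users: assumed peak logins
        sharers[pool].append(group)
    return [(p, pools.get(p, 0), n, sorted(sharers[p]))
            for p, n in demand.items() if pools.get(p, 0) < n]
```

A pool that a group references but the config never defines is reported with size 0, which matches the client-side symptom of no private IP address being assigned.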
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.