Cisco IPSEC vpn timeout??

We have overseas developers connecting to our network via an IPSEC VPN.  For the most part everything works, but periodically they say they can't connect...  This usually happens in their morning, or at 6am EST our time.

They're using this VPN client:

Cisco Systems VPN Client Version 5.0.06.0160
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

These lines are repeated over and over in their VPN client log file

61     16:41:51.068  04/04/11  Sev=Warning/2	IKE/0xE3000023
No private IP address was assigned by the peer

62     16:41:51.068  04/04/11  Sev=Warning/2	IKE/0xE300009B
Failed to process ModeCfg Reply (NavigatorTM:175)

Our router is a Cisco 1841 - IOS 12.4(24)T2
Right now, CPU usage is 6% and memory usage is 15%.

These are the lines in the running-config that appear to relate to the VPN:

crypto ipsec transform-set common-set esp-aes esp-sha-hmac 
crypto ipsec transform-set CDNET esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac 
!
crypto ipsec profile SDM_Profile1
 set security-association idle-time 10800
 set transform-set common-set 
 set isakmp-profile sdm-ike-profile-2
!
crypto ipsec profile SDM_Profile2
 set security-association idle-time 10800
 set transform-set CDNET 
 set isakmp-profile sdm-ike-profile-3
!
crypto ipsec profile SDM_Profile6
 set security-association idle-time 14400
 set transform-set ESP-3DES-SHA3 
 set isakmp-profile sdm-ike-profile-7
!
!
crypto ctcp port 10000 

I see this message appearing in the syslog file:

decaps:rec'd IPSEC packet has invalid spi for dest address-x.x.x.x, prot=50, spi=0x0FFAAAAAA(xxxxxxxxx) srcaddr=y.y.y.y.y 

I've asked them to do a tracert at the same time. Today, I see that one hop away from us there was a router reporting 1850ms delay.


We had a consultant setup the router for us.  We're not network guys but do know enough to telnet into the router and make some changes.

Question: I'm wondering if there are any settings I can change on the VPN that would make it more tolerant to timeouts?
cdesk458 Asked:
cdesk458 Author Commented:
We found one more fact today: it appears that we can NOT have more than 5 VPN users connected at one time.  Is this a hard-coded limit in our Cisco router?
0
Qlemo Batchelor, Developer and EE Topic Advisor Commented:
I could not find any explicit restriction on the number of simultaneous VPN tunnels.
The first message of the VPN Client log lets me assume you do not have enough IP addresses on your Cisco router. Look in the config for a line starting
      ip local pool
and check if there are more than 5 addresses in that range provided.
0

Steve Jennings IT Manager Commented:
Agree with Qlemo . . . check to make sure you have a sufficient range of IP addresses in the pool.

Good luck,
SteveJ
0
cdesk458 Author Commented:
A few issues:

1) There are two VPN groups, xxxx-External and dmz-080110, that share the same pool SDM_POOL_2.  Is that a problem?  There are 20 addresses in that pool..


2) No one is using SDM_POOL_1, which overlaps with SDM_POOL_2.

ip local pool SDM_POOL_3 10.1.4.10 10.1.4.219
ip local pool SDM_POOL_4 10.1.4.220 10.1.4.254
ip local pool SDM_POOL_1 10.1.20.230 10.1.20.250
ip local pool SDM_POOL_2 10.2.20.230 10.2.20.250

crypto isakmp client configuration group xxxx-External
 dns 10.2.20.3
 domain dev.xxxx.net
 pool SDM_POOL_2
 acl 104
 include-local-lan
 banner ^CYou are now Connected to xxxx network with limited Access

crypto isakmp client configuration group dmz-080110
 key 6 xxxxx
 dns 10.2.20.3
 domain dev.xxxxx.net
 pool SDM_POOL_2
 acl 104
 banner ^CConnected to xxxx DMZ - Temporary Certificate ^C

0
Qlemo Batchelor, Developer and EE Topic Advisor Commented:
Sharing the same pool is relevant if that leads to exhausting the available IP addresses. I see no reason why you should not expand that pool, and that is the first action I would take.

BTW, it is a completely different subnet (10.2.x) from the others (10.1.x) - no overlap at all.
0
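As an added illustration of the check Qlemo suggests (not code from this thread or from Cisco), the script below parses the `ip local pool` and `crypto isakmp client configuration group` lines of an IOS running-config, counts the inclusive addresses in each pool, lists which client groups share a pool, and flags pools whose ranges overlap. The embedded config is a constructed sample modelled on the excerpts quoted above.

```python
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the running-config excerpts quoted in this thread.
SAMPLE_CONFIG = """\
ip local pool SDM_POOL_3 10.1.4.10 10.1.4.219
ip local pool SDM_POOL_4 10.1.4.220 10.1.4.254
ip local pool SDM_POOL_1 10.1.20.230 10.1.20.250
ip local pool SDM_POOL_2 10.2.20.230 10.2.20.250
crypto isakmp client configuration group xxxx-External
 pool SDM_POOL_2
crypto isakmp client configuration group dmz-080110
 pool SDM_POOL_2
"""

def parse_config(config):
    """One pass over an IOS config: pool name -> (first, last) and group name -> pool."""
    pools, groups, current = {}, {}, None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("ip local pool ") and len(words) == 6:
            pools[words[3]] = (ipaddress.IPv4Address(words[4]), ipaddress.IPv4Address(words[5]))
        elif line.startswith("crypto isakmp client configuration group "):
            current = words[5]          # enter a client-group block
        elif not line.startswith(" "):
            current = None              # any other unindented line ends the block
        elif current and words[:1] == ["pool"]:
            groups[current] = words[1]
    return pools, groups

def audit(config):
    """Per pool: inclusive address count, client groups sharing it, and overlapping pools."""
    pools, groups = parse_config(config)
    sharers = defaultdict(list)
    for group, pool in groups.items():
        sharers[pool].append(group)
    report = {}
    for name, (first, last) in pools.items():
        overlaps = sorted(o for o, (f, l) in pools.items()
                          if o != name and first <= l and f <= last)
        report[name] = {"size": int(last) - int(first) + 1,
                        "groups": sorted(sharers[name]), "overlaps": overlaps}
    return report

if __name__ == "__main__":
    for name, info in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {info['size']} addresses, groups={info['groups']}, overlaps={info['overlaps']}")
```

Run it against a pasted `show running-config` to see at a glance whether a pool shared by several groups is small enough to explain a connection cap.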
Qlemo Batchelor, Developer and EE Topic Advisor Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0