ASA VPN Cisco mobile issues

Posted on 2011-10-20
Last Modified: 2012-05-12
Hello all,

We currently allow iPhone 4 devices to connect in to our network over remote VPN using the Cisco IPSEC VPN client. When connected, the phones connect to Cisco Call Manager using a SIP connection and can be used to make VoIP calls on the network.

The VPN termination device is a Cisco ASA 5510 firewall and has an installed IPS module.

We have this strange issue whereby the iPhone will connect to Call Manager 1 minute, and then won't connect again 2 minutes later if you disconnect. The VPN connection itself is fine - it always connects. It's just the connection to Call Manager that only works when it wants to.

I have checked the IPS logs and can't see anything being blocked by a signature or anything like that.

Has anyone else had this problem?
Question by:L-Plate
    LVL 1

    Accepted Solution


    If the VPN is connecting without problems, I believe you can confirm that on the group policy you have the following setting: "vpn-tunnel-protocol IPSec"

    In this case it could be a NAT issue, which I was experiencing as well. Try entering this command in global configuration:
    crypto isakmp nat-traversal 20

    This basically enables IPSec over NAT-T with a keepalive of 20 seconds.
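
Added example, not part of the original answer or of any Cisco tooling: a small Python check that reads a saved ASA running-config and reports whether the two settings named above are present. The sample config, the policy names and the function names are constructed, and the parser assumes the command syntax quoted in this thread with the keepalive interval shown explicitly.

```python
import re

# Constructed sample of an ASA running-config; names and values are illustrative.
SAMPLE_CONFIG = """\
crypto isakmp enable outside
crypto isakmp nat-traversal 20
group-policy IPHONE-VPN internal
group-policy IPHONE-VPN attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
group-policy LEGACY attributes
 vpn-tunnel-protocol svc webvpn
"""

def nat_traversal_keepalive(config):
    """Return the NAT-T keepalive in seconds, or None if the command is absent."""
    m = re.search(r"^crypto isakmp nat-traversal (\d+)\s*$", config, re.M)
    return int(m.group(1)) if m else None

def tunnel_protocols(config):
    """Map each group-policy name to the protocols on its vpn-tunnel-protocol line."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"group-policy (\S+) attributes\s*$", line)
        if header:
            current = header.group(1)
            policies.setdefault(current, [])
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the attributes block
        elif current and line.strip().startswith("vpn-tunnel-protocol "):
            policies[current] = line.split()[1:]
    return policies

def audit(config):
    """List missing settings; inheritance from a default policy is not modelled."""
    findings = []
    if nat_traversal_keepalive(config) is None:
        findings.append("global: crypto isakmp nat-traversal not configured")
    for name, protos in tunnel_protocols(config).items():
        if "IPSec" not in protos:
            findings.append(f"group-policy {name}: IPSec not in vpn-tunnel-protocol")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
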


    Author Comment

    Hi Vibekeh,

    Thanks for your reply.

    IPSEC over NAT-T is enabled on the IPSEC connection profile.

    The strange thing about the issue is that sometimes the Cisco mobile app connects, and sometimes it doesn't. VPN ALWAYS connects, and you can even send a successful ping from the iPhone to the Call Manager server, but as I said, sometimes it doesn't register in Call Manager.

    Very odd issue IMO.

    I have just created a VPN remote access profile for the iPhones on an alternative VPN termination device. It's actually a VPN concentrator 3000 series. All seems to be working really well through this, so I might just roll with this from now on.

    So it seems that using iPhones on VPN with the Cisco mobile app works more reliably through the VPN concentrator than on the ASA. That's my opinion anyway.
