Hi,

I have problems with a PIX 506 and the Cisco VPN client.

Basically, users running the Cisco VPN client get disconnected and eventually can't connect anymore.

The clients traverse a PIX 515 (IPsec over UDP)

***vpnclient-------PIX515(allow udp4500)------PIX506(running isakmp nat-traversal)***

The connection works, but some users get disconnected even if they are not idle.

PIX506

vpngroup level4user address-pool level4
vpngroup level4user dns-server DNSSRV1
vpngroup level4user default-domain bozo.com
vpngroup level4user split-tunnel level4split
vpngroup level4user idle-time 3600
vpngroup level4user password ********
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

I was suspecting a licence problem, so I transferred a couple of users to another PIX with a similar config except for the ip local pool, but they get the same problem.

And in some cases they cannot connect anymore; I have to clear cry isakmp sa

For example,

I am now not able to connect

sh cry ipsec sa on PIX506 shows

a.b.c.31 x.y.z.126 QM_IDLE 0 1

a.b.c.31 x.y.z.126 QM_IDLE 0 1

a.b.c.31 x.y.z.126 QM_IDLE 0 3

a.b.c.31 x.y.z.126 QM_IDLE 0 1

a.b.c.31 x.y.z.126 QM_IDLE 0 2

a.b.c.31 x.y.z.126 QM_IDLE 0 1

a.b.c.31 x.y.z.126 QM_IDLE 0 1

a.b.c.31 x.y.z.126 QM_IDLE 0 3

a.b.c.31 x.y.z.126 QM_IDLE 0 1

a.b.c.31 x.y.z.106 QM_IDLE 0 1

a.b.c.31 x.y.z.71 QM_IDLE 0 1

a.b.c.31 x.y.z.71 QM_IDLE 0 1

a.b.c.31 x.y.z.71 QM_IDLE 0 1

a.b.c.31 x.y.z.71 QM_IDLE 0 1

a.b.c.31 x.y.z.90 QM_IDLE 0 1

x.y.z.126 is the PAT address of the PIX 515, so it's normal to have more than one.

x.y.z.71 is my NAT translation in the PIX515 (I got an IP from the NAT pool before it got full).

As you can see, there are 4 SAs established with that IP. It's because every time I get disconnected the PIX keeps the SA for the idle period (1 hour). But in the meantime I can't connect without doing a clear cry isakmp sa (and disconnecting everyone).

Log on the client shows

Discarding IKE SA negotiation (I_Cookie=EA55B9C8507147AB
R_Cookie=6C39B990E77697B
reason = DEL_REASON_RESET_SADB

Any hints?

Thanks
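The check described in the post (several idle SAs held for one peer that is not a shared PAT address), as an added example that is not part of the original post. The column order (dst, src, state, pending, created) and the function names are assumptions, and the sample table is constructed in the shape of the pasted output:

```python
from collections import Counter

# Constructed sample shaped like the table pasted in the post (addresses masked
# the same way). Assumed column order: dst, src, state, pending, created.
SAMPLE = """\
a.b.c.31 x.y.z.126 QM_IDLE 0 1
a.b.c.31 x.y.z.126 QM_IDLE 0 3
a.b.c.31 x.y.z.106 QM_IDLE 0 1
a.b.c.31 x.y.z.71 QM_IDLE 0 1
a.b.c.31 x.y.z.71 QM_IDLE 0 1
a.b.c.31 x.y.z.71 QM_IDLE 0 1
a.b.c.31 x.y.z.71 QM_IDLE 0 1
a.b.c.31 x.y.z.90 QM_IDLE 0 1
"""


def parse_sa_table(text):
    """Return (dst, src, state, pending, created) tuples; skip lines that do not fit."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not (parts[3].isdigit() and parts[4].isdigit()):
            continue  # header, blank line or wrapped terminal output
        rows.append((parts[0], parts[1], parts[2], int(parts[3]), int(parts[4])))
    return rows


def suspect_stale_peers(rows, shared_addresses=(), max_per_peer=1):
    """Peers holding more idle SAs than a single client should.

    shared_addresses lists sources where several SAs are expected, such as a
    PAT address that many clients sit behind.
    """
    counts = Counter(src for _, src, state, _, _ in rows if state == "QM_IDLE")
    return {peer: n for peer, n in counts.items()
            if peer not in shared_addresses and n > max_per_peer}


if __name__ == "__main__":
    rows = parse_sa_table(SAMPLE)
    flagged = suspect_stale_peers(rows, shared_addresses={"x.y.z.126"})
    for peer, n in flagged.items():
        print(f"{peer}: {n} SAs in QM_IDLE, expected at most 1")
```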