In article < .com>,
chery <> wrote:
>Users were not able to get connected to my PIX 515E 6.3 using VPN
>client. Upon further investigation I found that users could initially
>connect to the PIX. But if they move out of the wireless range (i.e.
>lose their network connectivity) while they are connected to the PIX,
>then they will not be able to get connected back to pix.

Are you set for isakmp identity hostname or
isakmp identity address?
The identity is used when a new phase 1 tunnel has to be
negotiated due to disconnection. The client sends its identity
as part of an ISAKMP clause that means "remove all previous
security associations from this identity". If the identity offered
upon reconnect does not happen to match the identity that was
previously offered, then the previous SAs are not going to be
thrown away, and it is going to take time before the PIX figures
out that it should no longer bother to match against those particular
ACL entries associated with the SAs.
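
The reconnect behaviour described in the reply above, as a simplified model added here (it is not part of the original post and is not PIX code). The SA table, the 28800-second lifetime, the two identity strings and the rule that an unmatched SA only leaves by lifetime expiry are assumptions made for illustration.

```python
"""Toy model of a gateway's SA table across a client reconnect.
All values are constructed; this is not how any real PIX image is coded."""
from dataclasses import dataclass, field


@dataclass
class SA:
    identity: str    # phase 1 identity the peer presented
    expires_at: int  # absolute time (seconds) when the lifetime runs out


@dataclass
class Gateway:
    lifetime: int = 28800              # assumed SA lifetime in seconds
    sas: list = field(default_factory=list)

    def expire(self, now):
        """Drop SAs whose lifetime has run out (the only cleanup modelled)."""
        self.sas = [sa for sa in self.sas if sa.expires_at > now]

    def phase1(self, identity, now):
        """New phase 1 carrying the 'remove previous SAs' notification.
        Only SAs whose identity string matches exactly are purged.
        Returns the number of old SAs removed."""
        self.expire(now)
        keep = [sa for sa in self.sas if sa.identity != identity]
        purged = len(self.sas) - len(keep)
        self.sas = keep + [SA(identity, now + self.lifetime)]
        return purged


def reconnect(first_id, second_id, gap=60):
    """Client connects, loses the link, reconnects `gap` seconds later.
    Returns (old SAs purged on reconnect, SAs live afterwards)."""
    gw = Gateway()
    gw.phase1(first_id, now=0)
    purged = gw.phase1(second_id, now=gap)
    return purged, len(gw.sas)


if __name__ == "__main__":
    # Same identity on both connections: the old SA is thrown away.
    print(reconnect("192.0.2.10", "192.0.2.10"))
    # Identity differs on reconnect: the old SA lingers beside the new one.
    print(reconnect("192.0.2.10", "laptop.example.com"))
```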