Cisco VPN client problems

Discussion in 'Cisco' started by mcaissie, Sep 1, 2004.

  1. mcaissie

    mcaissie Guest

    Hi,

    i have problems with a PIX 506 and the Cisco VPN client.

    Basically, users running the Cisco VPN client get disconnected and
    eventually can't connect anymore.

    The clients traverse a PIX 515 (IPsec over UDP)


    ***vpnclient-------PIX515(allow udp4500)------PIX506(running isakmp
    nat-traversal)***

    The connection works, but some users get disconnected even if they are
    not idle.


    PIX506
    vpngroup level4user address-pool level4
    vpngroup level4user dns-server DNSSRV1
    vpngroup level4user default-domain bozo.com
    vpngroup level4user split-tunnel level4split
    vpngroup level4user idle-time 3600
    vpngroup level4user password ********

    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400


    I was suspecting a licence problem, so I transferred a couple of users to
    another PIX with a similar config except for the ip local pool, but they
    get the same problem.
    And in some cases they cannot connect anymore; I have to clear cry isakmp
    sa

    For example,

    I am now not able to connect

    sh cry ipsec sa on PIX506 shows

    a.b.c.31 x.y.z.126 QM_IDLE 0 1
    a.b.c.31 x.y.z.126 QM_IDLE 0 1
    a.b.c.31 x.y.z.126 QM_IDLE 0 3
    a.b.c.31 x.y.z.126 QM_IDLE 0 1
    a.b.c.31 x.y.z.126 QM_IDLE 0 2
    a.b.c.31 x.y.z.126 QM_IDLE 0 1
    a.b.c.31 x.y.z.126 QM_IDLE 0 1
    a.b.c.31 x.y.z.126 QM_IDLE 0 3
    a.b.c.31 x.y.z.126 QM_IDLE 0 1
    a.b.c.31 x.y.z.106 QM_IDLE 0 1
    a.b.c.31 x.y.z.71 QM_IDLE 0 1
    a.b.c.31 x.y.z.71 QM_IDLE 0 1
    a.b.c.31 x.y.z.71 QM_IDLE 0 1
    a.b.c.31 x.y.z.71 QM_IDLE 0 1
    a.b.c.31 x.y.z.90 QM_IDLE 0 1

    x.y.z.126 is the PAT address of the PIX 515, so it's normal to have more
    than one.

    x.y.z.71 is my NAT translation in the PIX 515 (I got an IP from the NAT
    pool before it got full).
    As you can see there are 4 SAs established with that IP. It's because every
    time I get disconnected the PIX keeps the SA for the idle period (1 hour).
    But in the meantime I can't connect without doing a clear cry isakmp sa
    (and disconnecting everyone)

    Log on the client shows
    Discarding IKE SA negotiation (I_Cookie=EA55B9C8507147AB
    R_Cookie=6C39B990E77697B8) reason = DEL_REASON_RESET_SADB

    any hints,

    thanks
     
    mcaissie, Sep 1, 2004
    #1
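The SA build-up described in post #1 can be checked mechanically rather than by eye. The following is an added example, not from the thread or from Cisco: it parses the SA listing above (embedded as a constructed copy), counts SAs per source address, and flags peers holding more than one SA, excluding the PIX 515's PAT address where many clients legitimately share one IP. The column meanings (dst, src, state, pending, created) are assumed from the PIX `show crypto isakmp sa` layout; the post shows no header line, so treat them as an assumption.

```python
"""Added example (not from the thread or from Cisco): parse the SA listing
posted above, count SAs per peer, and flag peers holding more than one.
Column meanings are assumed from the PIX `show crypto isakmp sa` layout
(dst, src, state, pending, created); the post shows no header line."""
import re
from collections import Counter

# Constructed copy of the listing from post #1 (no header in the original).
SA_LISTING = """\
a.b.c.31 x.y.z.126 QM_IDLE 0 1
a.b.c.31 x.y.z.126 QM_IDLE 0 1
a.b.c.31 x.y.z.126 QM_IDLE 0 3
a.b.c.31 x.y.z.126 QM_IDLE 0 1
a.b.c.31 x.y.z.126 QM_IDLE 0 2
a.b.c.31 x.y.z.126 QM_IDLE 0 1
a.b.c.31 x.y.z.126 QM_IDLE 0 1
a.b.c.31 x.y.z.126 QM_IDLE 0 3
a.b.c.31 x.y.z.126 QM_IDLE 0 1
a.b.c.31 x.y.z.106 QM_IDLE 0 1
a.b.c.31 x.y.z.71 QM_IDLE 0 1
a.b.c.31 x.y.z.71 QM_IDLE 0 1
a.b.c.31 x.y.z.71 QM_IDLE 0 1
a.b.c.31 x.y.z.71 QM_IDLE 0 1
a.b.c.31 x.y.z.90 QM_IDLE 0 1
"""

# Addresses known to be PAT/overload addresses (from post #1): many clients
# legitimately share one of these, so several SAs from it are expected.
PAT_ADDRESSES = {"x.y.z.126"}

# One row: dst src state pending created (the last two are integers).
ROW_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(\d+)\s*$")


def parse_sa_listing(text):
    """Return one dict per SA row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        dst, src, state, pending, created = m.groups()
        rows.append({"dst": dst, "src": src, "state": state,
                     "pending": int(pending), "created": int(created)})
    return rows


def sa_count_by_peer(rows):
    """Number of SAs per peer (src) address."""
    return Counter(r["src"] for r in rows)


def stale_peers(rows, pat_addresses=frozenset(), threshold=1):
    """Peers with more than `threshold` SAs that are not PAT addresses.

    A single client behind one-to-one NAT should hold one ISAKMP SA; several
    SAs from the same address point at stale SAs left by earlier sessions.
    """
    counts = sa_count_by_peer(rows)
    return {peer: n for peer, n in counts.items()
            if n > threshold and peer not in pat_addresses}


def report(text=SA_LISTING, pat_addresses=PAT_ADDRESSES):
    """Human-readable summary: totals first, then one line per flagged peer."""
    rows = parse_sa_listing(text)
    flagged = stale_peers(rows, pat_addresses)
    lines = [f"{len(rows)} SAs total, {len(sa_count_by_peer(rows))} distinct peers"]
    for peer, n in sorted(flagged.items(), key=lambda kv: -kv[1]):
        lines.append(f"peer {peer}: {n} SAs (expected 1) - likely stale entries")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On the listing from post #1 this flags only x.y.z.71 with 4 SAs, which matches the poster's own description of one SA being left behind per disconnect. The check is a symptom detector, not a fix; as an editor's suggestion outside the thread, the configuration item a practitioner would want to confirm on the PIX is whether ISAKMP keepalives (dead peer detection) are enabled, since without them a dead client's SA is only reaped by the idle timer.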

  2. PES

    PES Guest

    "mcaissie" <> wrote in message
    news:2WlZc.84519$X12.76995@edtnps84...
    > [post #1 quoted in full; snipped here]


    Can you place a sanitized copy of your entire config? I'm particularly
    interested in the IP addresses of your interfaces, the pool, global, nat and
    the ACL labeled level4split. I suspect that the isakmp from/to a.b.c.31 <>
    x.y.z.? is being encrypted. This doesn't seem to work. The bigger question
    is why not do a LAN to LAN tunnel and eliminate the clients?
     
    PES, Sep 2, 2004
    #2
