
Cisco VPN Disconnects after an hour

Following the manual for setting up the Cisco VPN client for a remote VPN to the Astaro gateway, I've got my VPN up and working. However, each time I connect to the VPN my connection will only stay active for an hour. After an hour it disconnects. I am running version 4.9.01.0280 of the Cisco VPN client on OS X 10.6.7 and ASG v8.102.

I cannot figure out why it is auto disconnecting me on a regular (very) basis.  Anyone seen this before?


  • I am experiencing the same issue with an ASG120. Astaro support has not been helpful, even though I have provided all logs and even remote access. They eventually stopped responding to any of my requests and escalation within Astaro corp was unsuccessful.
  • Hi, guys, and welcome to the User BB!

    What's in the Astaro's IPsec log when the disconnect occurs?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob, here are my sanitized logs during the disconnect from the ASG.


    2011:04:22-08:13:21  pluto[8800]: "D_REF_llOZlfdMOh_0"[14] :33735 #75: initiating Quick Mode ENCRYPT+TUNNEL+XAUTHRSASIG+XAUTHSERVER to replace #74 {using isakmp#73}
    
    2011:04:22-08:13:21  pluto[8800]: "D_REF_llOZlfdMOh_2"[14] :33735 #73: ignoring informational payload, type NO_PROPOSAL_CHOSEN
    2011:04:22-08:13:21  pluto[8800]: "D_REF_llOZlfdMOh_2"[14] :33735 #73: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x5cfa8b50) not found (maybe expired)
    2011:04:22-08:13:31  pluto[8800]: "D_REF_llOZlfdMOh_2"[14] :33735 #73: ignoring informational payload, type NO_PROPOSAL_CHOSEN
    2011:04:22-08:13:31  pluto[8800]: "D_REF_llOZlfdMOh_2"[14] :33735 #73: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xea5fb631) not found (maybe expired)
    2011:04:22-08:13:51  pluto[8800]: "D_REF_llOZlfdMOh_2"[14] :33735 #73: ignoring informational payload, type NO_PROPOSAL_CHOSEN
    2011:04:22-08:13:51  pluto[8800]: "D_REF_llOZlfdMOh_2"[14] :33735 #73: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x4fb1f3e6) not found (maybe expired)
    2011:04:22-08:14:31  pluto[8800]: "D_REF_llOZlfdMOh_0"[14] :33735 #75: max number of retransmissions (2) reached STATE_QUICK_I1
    2011:04:22-08:14:31  pluto[8800]: "D_REF_llOZlfdMOh_0"[14] :33735 #75: starting keying attempt 2 of at most 3
    2011:04:22-08:14:31  pluto[8800]: "D_REF_llOZlfdMOh_0"[14] :33735 #76: initiating Quick Mode ENCRYPT+TUNNEL+XAUTHRSASIG+XAUTHSERVER to replace #75 {using isakmp#73}
    2011:04:22-08:14:31  pluto[8800]: "D_REF_llOZlfdMOh_2"[14] :33735 #73: ignoring informational payload, type NO_PROPOSAL_CHOSEN
    2011:04:22-08:14:31  pluto[8800]: "D_REF_llOZlfdMOh_2"[14] :33735 #73: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x5a62a5fb) not found (maybe expired)
    2011:04:22-08:14:41  pluto[8800]: "D_REF_llOZlfdMOh_2"[14] :33735 #73: ignoring informational payload, type NO_PROPOSAL_CHOSEN
    2011:04:22-08:14:41  pluto[8800]: "D_REF_llOZlfdMOh_2"[14] :33735 #73: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x8b68502d) not found (maybe expired)
    2011:04:22-08:15:01  pluto[8800]: "D_REF_llOZlfdMOh_2"[14] :33735 #73: ignoring informational payload, type NO_PROPOSAL_CHOSEN
    2011:04:22-08:15:01  pluto[8800]: "D_REF_llOZlfdMOh_2"[14] :33735 #73: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x1ca86a4e) not found (maybe expired)
    2011:04:22-08:15:41  pluto[8800]: "D_REF_llOZlfdMOh_0"[14] :33735 #76: max number of retransmissions (2) reached STATE_QUICK_I1
    2011:04:22-08:15:41  pluto[8800]: "D_REF_llOZlfdMOh_0"[14] :33735 #76: starting keying attempt 3 of at most 3
    2011:04:22-08:15:41  pluto[8800]: "D_REF_llOZlfdMOh_0"[14] :33735 #77: initiating Quick Mode ENCRYPT+TUNNEL+XAUTHRSASIG+XAUTHSERVER to replace #76 {using isakmp#73}
    2011:04:22-08:15:41  pluto[8800]: "D_REF_llOZlfdMOh_2"[14] :33735 #73: ignoring informational payload, type NO_PROPOSAL_CHOSEN
    2011:04:22-08:15:41  pluto[8800]: "D_REF_llOZlfdMOh_2"[14] :33735 #73: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x0e044cd6) not found (maybe expired)
    2011:04:22-08:15:51  pluto[8800]: "D_REF_llOZlfdMOh_2"[14] :33735 #73: ignoring informational payload, type NO_PROPOSAL_CHOSEN
    2011:04:22-08:15:51  pluto[8800]: "D_REF_llOZlfdMOh_2"[14] :33735 #73: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xa65b70b0) not found (maybe expired)
    2011:04:22-08:16:11  pluto[8800]: "D_REF_llOZlfdMOh_2"[14] :33735 #73: ignoring informational payload, type NO_PROPOSAL_CHOSEN
    2011:04:22-08:16:11  pluto[8800]: "D_REF_llOZlfdMOh_2"[14] :33735 #73: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x3d040273) not found (maybe expired)
    2011:04:22-08:16:51  pluto[8800]: "D_REF_llOZlfdMOh_0"[14] :33735 #77: max number of retransmissions (2) reached STATE_QUICK_I1
    2011:04:22-08:17:51  pluto[8800]: "D_REF_llOZlfdMOh_0"[14] :33735 #74: IPsec SA expired (LATEST!)
    2011:04:22-08:17:51  pluto[8800]: id="2202" severity="info" sys="SecureNet" sub="vpn" event="Connection terminated" username="" variant="ipsec" srcip="" virtual_ip="10.242.5.1"
    2011:04:22-08:17:52  pluto[8800]: "D_REF_llOZlfdMOh_0"[14] :33735: deleting connection "D_REF_llOZlfdMOh_0" instance with peer  {isakmp=#0/ipsec=#0}
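An added example, not part of the original thread: a small Python correlator for pluto lines like those posted above. It reports an IPsec SA that expired after every gateway-initiated Quick Mode rekey was answered with NO_PROPOSAL_CHOSEN and timed out. The sample is abridged from that log, and the function and field names are assumptions made for this example.

```python
import re
from collections import Counter

# Sample input: abridged from the sanitized pluto lines posted above.
SAMPLE_LOG = """\
2011:04:22-08:13:21  pluto[8800]: "D_REF_llOZlfdMOh_0"[14] :33735 #75: initiating Quick Mode ENCRYPT+TUNNEL+XAUTHRSASIG+XAUTHSERVER to replace #74 {using isakmp#73}
2011:04:22-08:13:21  pluto[8800]: "D_REF_llOZlfdMOh_2"[14] :33735 #73: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2011:04:22-08:14:31  pluto[8800]: "D_REF_llOZlfdMOh_0"[14] :33735 #75: max number of retransmissions (2) reached STATE_QUICK_I1
2011:04:22-08:14:31  pluto[8800]: "D_REF_llOZlfdMOh_0"[14] :33735 #76: initiating Quick Mode ENCRYPT+TUNNEL+XAUTHRSASIG+XAUTHSERVER to replace #75 {using isakmp#73}
2011:04:22-08:14:31  pluto[8800]: "D_REF_llOZlfdMOh_2"[14] :33735 #73: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2011:04:22-08:15:41  pluto[8800]: "D_REF_llOZlfdMOh_0"[14] :33735 #76: max number of retransmissions (2) reached STATE_QUICK_I1
2011:04:22-08:15:41  pluto[8800]: "D_REF_llOZlfdMOh_0"[14] :33735 #77: initiating Quick Mode ENCRYPT+TUNNEL+XAUTHRSASIG+XAUTHSERVER to replace #76 {using isakmp#73}
2011:04:22-08:15:41  pluto[8800]: "D_REF_llOZlfdMOh_2"[14] :33735 #73: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2011:04:22-08:16:51  pluto[8800]: "D_REF_llOZlfdMOh_0"[14] :33735 #77: max number of retransmissions (2) reached STATE_QUICK_I1
2011:04:22-08:17:51  pluto[8800]: "D_REF_llOZlfdMOh_0"[14] :33735 #74: IPsec SA expired (LATEST!)
"""

LINE = re.compile(r'^(?P<ts>\S+)\s+pluto\[\d+\]: "[^"]+"\[\d+\] \S+ #(?P<sa>\d+): (?P<msg>.*)$')
REPLACE = re.compile(r"initiating Quick Mode .* to replace #(\d+) \{using isakmp#(\d+)\}")

def find_failed_rekeys(log_text):
    """Return IPsec SAs that expired after every rekey attempt timed out."""
    root = {}       # rekey attempt SA -> original IPsec SA being replaced
    by_isakmp = {}  # ISAKMP SA carrying the rekey -> original IPsec SA
    stats = {}      # original IPsec SA -> Counter of rekey events
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        sa, msg = int(m["sa"]), m["msg"]
        r = REPLACE.search(msg)
        if r:  # "#75 ... to replace #74": chain retries back to #74
            orig = root.get(int(r[1]), int(r[1]))
            root[sa] = by_isakmp[int(r[2])] = orig
            stats.setdefault(orig, Counter())["attempts"] += 1
        elif "NO_PROPOSAL_CHOSEN" in msg and sa in by_isakmp:
            stats[by_isakmp[sa]]["rejected"] += 1  # peer refused the proposal
        elif "max number of retransmissions" in msg and sa in root:
            stats[root[sa]]["timed_out"] += 1
        elif "IPsec SA expired" in msg and sa in stats:
            s = stats[sa]
            if s["timed_out"] == s["attempts"]:  # no attempt ever completed
                findings.append({"sa": sa, "expired_at": m["ts"], **s})
    return findings

if __name__ == "__main__":
    print(find_failed_rekeys(SAMPLE_LOG))
```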
  • IPsec SA expired

    Is there an "inactivity timeout" setting in the Cisco client?  What happens if you turn off 'Dead peer detection' on the 'Advanced' tab?  An hour probably corresponds with the 'IPsec SA lifetime' for the policy you're using; if you change that, does the timeout change with it?  I wish I knew more about this stuff!

    Cheers - Bob
     
  • There is no inactivity timeout setting in the client, and this occurs whether idle or I am actively using the client machine/internet. I will try turning off the dead peer detection and look into the IPSec SA Lifetime as well.
  • Please tell us what you learned!

    Cheers - Bob
     
  • Dead peer detection made no difference.  I haven't done anything with the IPSec SA lifetime because I haven't been able to find a reference to it.  I didn't change any of the time settings, I only followed the manual for setting up Cisco User VPN connections.
  • Please try the experiment with the Astaro's IPsec SA lifetime.  In any case, my first guess would be a client issue, but if you've connected that client to other VPN servers, then I'm still confused.

    Cheers - Bob
     
  • You may also want to consider the Cisco 5.0.x versions of the Cisco IPSEC VPN Client.  The 4.x versions did have some issues that were resolved in the 5.x line and the 4.x versions are end of life and no longer supported by Cisco.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • You may also want to consider the Cisco 5.0.x versions of the Cisco IPSEC VPN Client.  The 4.x versions did have some issues that were resolved in the 5.x line and the 4.x versions are end of life and no longer supported by Cisco.


    I don't believe that there is a version 5.x of the Cisco client for Mac. I have a CCO login and am unable to find higher than what I have for Mac.