SSL VPN (TCP) Static IP Address issues

Question

Hello, 
 
 I am experiencing the issues listed in NC-120119 when I am using TCP mode for my SSL VPNs. 
 
 I have a select number of users who I required to get a static IP address, however when they are connected, if they change network type and it tries to reconnect, I get the auth error described in NC-120119. 
 
 All the symptoms I have are consistent with NC-120119, except I am not using UDP, I am definitely on TCP. 
 Is this a further known issue? 
 
 Thanks. 
 
 SFOS 20.0.0 GA-Build222

Sreenivasulu Naidu · Accepted Answer

Hi Hugh D , This is a known limitation that on n/w switch (even with TCP) there is no mechanism that conveys this to SFOS and connection will remain Up on SFOS and immediate client reconnect will result in AUTH_FAIL as the assigned static ip to the RA client is still in use in SFOS' context; this happens until &lsquo;disconnect dead peer&rsquo; kicks in ( on SFOS this can be set to 60 seconds minimum), post this timer, connection is removed by SFOS and RA client can re-connect successfully. Please set the config on SFOS: from Remote access VPN - SSLVPN - SSLVPN global settings - Disconnect dead peer after: set this timer as per the acceptable value.

vamshi d · Answer

Hi Hugh D , NC-120119 issue is seen only if the sslvpn ra tunnel mode is of UDP and not applicable to sslvpn tunnel mode of TCP.

There was another NC-124684, where static address is not released sporiadically (when login fails for a sslvpn user) which is fixed in 20.0 MR1.

If you observe the issue on 20.0 MR1 Can you DM me the access-id of the XG/XGS to check the logs further.

SSL VPN (TCP) Static IP Address issues

Top Replies