This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cisco VPN Disconnects after an hour

Following the manual for setting up the Cisco VPN client for a remote VPN to the Astaro gateway, I've got my VPN up and working. However, each time I connect to the VPN my connection will only stay active for an hour. After and hour it disconnects. I am running version 4.9.01.0280 of the cisco vpn client on OS X 10.6.7 and ASG v8.102.

I cannot figure out why it is auto disconnecting me on a regular (very) basis. Anyone seen this before?

This thread was automatically locked due to age.

0 Rogue Agent over 13 years ago in reply to BAlfson

Please try the experiment with the Astaro's IPsec SA lifetime.  In any case, my first guess would be a client issue, but if you've connected that client to other VPN servers, then I'm still confused.

Cheers - Bob

I dug around and found the ASG setting for IPSec lifetime.  The problem is that I don't know policy to edit, because I'm unsure which I'm using.  Like I mentioned before I followed these instructions for setting up the VPN:

https://support.astaro.com/support/index.php/Cisco_VPN_Client_How_To

No where in there does it even talk about IPSec policies, and their subsequent settings.  All of the policies are set as they were by default.  I reluctant to just change configs without any indication that those settings (or which ones) are even being used.
Cancel
Vote Up 0 Vote Down

Cancel
0 Rogue Agent over 13 years ago in reply to BAlfson

Please try the experiment with the Astaro's IPsec SA lifetime. In any case, my first guess would be a client issue, but if you've connected that client to other VPN servers, then I'm still confused.

Cheers - Bob

Through my client statistics, I was able to guess either the AES 256, or AES 256 PFS IPSec SA. Both were set by default to 3600 seconds however I changed both to much longer times but my VPN connection would still drop after and hour. No apparent change.
Cancel
Vote Up 0 Vote Down

Cancel
0 Rogue Agent over 13 years ago in reply to Rogue Agent

In case there was any confusion. I am still having issues. Considering returning to my little Netscreen. A VPN that stays up is better than pretty graphs any day.
Cancel
Vote Up 0 Vote Down

Cancel
0 kwyrick over 13 years ago in reply to Rogue Agent

In case there was any confusion. I am still having issues. Considering returning to my little Netscreen. A VPN that stays up is better than pretty graphs any day.

I have seen this happen at one of my locations. I switched to the openvpn client and it resolved the problem. I was going to re-ISO the appliance and switch them back to the Astaro client to see if the problem went away but have not had time yet.
I suspect that will resolve the problem.
Cancel
Vote Up 0 Vote Down

Cancel
0 Rogue Agent over 13 years ago

As far as I can see, the OpenVPN clients for mac are tunnelblick and Viscosity. Both seem to use TLS/SSL and not IPSec tunnels. I'm also in a situation where I'd much prefer to use the Cisco VPN client because I utilize it to connect to multiple VPNs.
Cancel
Vote Up 0 Vote Down

Cancel

0 Abyss_X over 13 years ago in reply to Rogue Agent

Hi, i have the same problem, i post it last at the german language forum without any success.

I only have the problems from home office, where i am behind a bintec router. If i start the connection over umts all work fine, if i connect over dsl the connection disconnect after one hour. Otherwise if i connect from homeoffice to a cisco asa the vpn connection does not close after one hour.

Here are the Logfiles

Cisco Client Log

783    20:03:37.025  08/01/11  Sev=Info/4	IKE/0x63000014

RECEIVING >> ISAKMP OAK INFO *(HASH, NOTIFY[[[[:D]]]]PD_REQUEST) to 80.146.X.X



790    20:03:46.525  08/01/11  Sev=Info/4	IKE/0x63000014

RECEIVING >> ISAKMP OAK INFO *(HASH, NOTIFY[[[[:D]]]]PD_REQUEST) to 80.146.X.X



792    20:03:57.025  08/01/11  Sev=Info/4	IKE/0x63000014

RECEIVING >> ISAKMP OAK INFO *(HASH, DEL) to 80.146.X.X



795    20:04:07.525  08/01/11  Sev=Info/4	IKE/0x63000058

Received an ISAKMP message for a non-active SA, I_Cookie=00A65BC15FB1F9F4 R_Cookie=CCAEE8D3AF9BB9D3



796    20:04:07.525  08/01/11  Sev=Info/4	IKE/0x63000014

RECEIVING

ASG IPSec Log/B]
2011:08:01-20:03:39 Astaro-HQ pluto[7011]: | *received whack message
2011:08:01-20:03:39 Astaro-HQ pluto[7011]: listening for IKE messages
2011:08:01-20:03:39 Astaro-HQ pluto[7011]: | found lo with address
2011:08:01-20:03:39 Astaro-HQ pluto[7011]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
2011:08:01-20:03:39 Astaro-HQ pluto[7011]: forgetting secrets
2011:08:01-20:03:39 Astaro-HQ pluto[7011]: loading secrets from "/etc/ipsec.secrets"
2011:08:01-20:03:39 Astaro-HQ pluto[7011]:   loaded PSK secret for 80.146.210.35 213.120.143.203
2011:08:01-20:03:39 Astaro-HQ pluto[7011]:   loaded private key from 'REF_gwHsWpoDtB.pem'
2011:08:01-20:03:39 Astaro-HQ pluto[7011]: | next event EVENT_REINIT_SECRET in 208 seconds
2011:08:01-20:03:39 Astaro-HQ pluto[7011]: |
2011:08:01-20:03:39 Astaro-HQ pluto[7011]: | *received whack message
2011:08:01-20:03:39 Astaro-HQ pluto[7011]: forgetting secrets
2011:08:01-20:03:39 Astaro-HQ pluto[7011]: loading secrets from "/etc/ipsec.secrets"
2011:08:01-20:03:39 Astaro-HQ pluto[7011]:   loaded PSK secret for 80.146.210.35 213.120.143.203
2011:08:01-20:03:39 Astaro-HQ pluto[7011]:   loaded private key from 'REF_gwHsWpoDtB.pem'
2011:08:01-20:03:39 Astaro-HQ pluto[7011]: loading ca certificates from '/etc/ipsec.d/cacerts'
2011:08:01-20:03:39 Astaro-HQ pluto[7011]:   loaded ca certificate from '/etc/ipsec.d/cacerts/REF_zhjGmaFxMr.pem'
2011:08:01-20:03:39 Astaro-HQ pluto[7011]: |   authcert is already present and identical
2011:08:01-20:03:39 Astaro-HQ pluto[7011]:   loaded ca certificate from '/etc/ipsec.d/cacerts/REF_AEQnGJaeNm.pem'
2011:08:01-20:03:39 Astaro-HQ pluto[7011]: |   authcert is already present and identical
2011:08:01-20:03:39 Astaro-HQ pluto[7011]: loading aa certificates from '/etc/ipsec.d/aacerts'
2011:08:01-20:03:39 Astaro-HQ pluto[7011]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
2011:08:01-20:03:39 Astaro-HQ pluto[7011]: loading attribute certificates from '/etc/ipsec.d/acerts'
2011:08:01-20:03:39 Astaro-HQ pluto[7011]: Changing to directory '/etc/ipsec.d/crls'
2011:08:01-20:03:39 Astaro-HQ pluto[7011]: | next event EVENT_REINIT_SECRET in 208 seconds
2011:08:01-20:03:47 Astaro-HQ pluto[7011]: |
2011:08:01-20:03:47 Astaro-HQ pluto[7011]: | *received 92 bytes from 88.74.152.146:35682 on eth1
2011:08:01-20:03:47 Astaro-HQ pluto[7011]: | ICOOKIE:  00 a6 5b c1  5f b1 f9 f4
2011:08:01-20:03:47 Astaro-HQ pluto[7011]: | RCOOKIE:  cc ae e8 d3  af 9b b9 d3
2011:08:01-20:03:47 Astaro-HQ pluto[7011]: | peer:  58 4a 98 92
2011:08:01-20:03:47 Astaro-HQ pluto[7011]: | state hash entry 16
2011:08:01-20:03:47 Astaro-HQ pluto[7011]: | state object #28398 found, in STATE_MODE_CFG_R1
2011:08:01-20:03:47 Astaro-HQ pluto[7011]: | received DPD notification R_U_THERE with seqno = 2177770552
2011:08:01-20:03:47 Astaro-HQ pluto[7011]: | sent DPD notification R_U_THERE_ACK with seqno = 2177770552
2011:08:01-20:03:47 Astaro-HQ pluto[7011]: | next event EVENT_REINIT_SECRET in 200 seconds
2011:08:01-20:03:57 Astaro-HQ pluto[7011]: |
2011:08:01-20:03:57 Astaro-HQ pluto[7011]: | *received 92 bytes from 88.74.152.146:35682 on eth1
2011:08:01-20:03:57 Astaro-HQ pluto[7011]: | ICOOKIE:  00 a6 5b c1  5f b1 f9 f4
2011:08:01-20:03:57 Astaro-HQ pluto[7011]: | RCOOKIE:  cc ae e8 d3  af 9b b9 d3
2011:08:01-20:03:57 Astaro-HQ pluto[7011]: | peer:  58 4a 98 92
2011:08:01-20:03:57 Astaro-HQ pluto[7011]: | state hash entry 16
2011:08:01-20:03:57 Astaro-HQ pluto[7011]: | state object #28398 found, in STATE_MODE_CFG_R1
2011:08:01-20:03:57 Astaro-HQ pluto[7011]: | received DPD notification R_U_THERE with seqno = 2177770553
2011:08:01-20:03:57 Astaro-HQ pluto[7011]: | sent DPD notification R_U_THERE_ACK with seqno = 2177770553
2011:08:01-20:03:57 Astaro-HQ pluto[7011]: | next event EVENT_REINIT_SECRET in 190 seconds
2011:08:01-20:04:08 Astaro-HQ pluto[7011]: |
2011:08:01-20:04:08 Astaro-HQ pluto[7011]: | *received 92 bytes from 88.74.152.146:35682 on eth1
2011:08:01-20:04:08 Astaro-HQ pluto[7011]: | ICOOKIE:  00 a6 5b c1  5f b1 f9 f4
2011:08:01-20:04:08 Astaro-HQ pluto[7011]: | RCOOKIE:  cc ae e8 d3  af 9b b9 d3
2011:08:01-20:04:08 Astaro-HQ pluto[7011]: | peer:  58 4a 98 92
2011:08:01-20:04:08 Astaro-HQ pluto[7011]: | state hash entry 16
2011:08:01-20:04:08 Astaro-HQ pluto[7011]: | state object #28398 found, in STATE_MODE_CFG_R1
2011:08:01-20:04:08 Astaro-HQ pluto[7011]: | ICOOKIE:  00 a6 5b c1  5f b1 f9 f4
2011:08:01-20:04:08 Astaro-HQ pluto[7011]: | RCOOKIE:  cc ae e8 d3  af 9b b9 d3
2011:08:01-20:04:08 Astaro-HQ pluto[7011]: | peer:  58 4a 98 92
2011:08:01-20:04:08 Astaro-HQ pluto[7011]: | state hash entry 16
2011:08:01-20:04:08 Astaro-HQ pluto[7011]: | state object #28398 found, in STATE_MODE_CFG_R1
2011:08:01-20:04:08 Astaro-HQ pluto[7011]: "D_REF_UsilxUpMFX_3"[3] 88.74.152.146:35682 #28398: received Delete SA payload: deleting ISAKMP State #28398
2011:08:01-20:04:08 Astaro-HQ pluto[7011]: | ICOOKIE:  00 a6 5b c1  5f b1 f9 f4
2011:08:01-20:04:08 Astaro-HQ pluto[7011]: | RCOOKIE:  cc ae e8 d3  af 9b b9 d3
2011:08:01-20:04:08 Astaro-HQ pluto[7011]: | peer:  58 4a 98 92
2011:08:01-20:04:08 Astaro-HQ pluto[7011]: | state hash entry 16
2011:08:01-20:04:08 Astaro-HQ pluto[7011]: "D_REF_UsilxUpMFX_3"[3] 88.74.152.146:35682: deleting connection "D_REF_UsilxUpMFX_3" instance with peer 88.74.152.146 {isakmp=#0/ipsec=#0}
2011:08:01-20:04:08 Astaro-HQ pluto[7011]: | next event EVENT_REINIT_SECRET in 179 seconds
2011:08:01-20:04:45 Astaro-HQ pluto[7011]: |
2011:08:01-20:04:45 Astaro-HQ pluto[7011]: | *received kernel message
2011:08:01-20:04:45 Astaro-HQ pluto[7011]: | next event EVENT_REINIT_SECRET in 142 seconds
2011:08:01-20:04:45 Astaro-HQ pluto[7011]: |
2011:08:01-20:04:45 Astaro-HQ pluto[7011]: | *received kernel message
2011:08:01-20:04:45 Astaro-HQ pluto[7011]: | next event EVENT_REINIT_SECRET in 142 seconds
2011:08:01-20:05:33 Astaro-HQ pluto[7011]: |
2011:08:01-20:05:33 Astaro-HQ pluto[7011]: | *received kernel message
2011:08:01-20:05:33 Astaro-HQ pluto[7011]: | next event EVENT_REINIT_SECRET in 94 seconds
2011:08:01-20:05:33 Astaro-HQ pluto[7011]: |

Here is the thread at the german forum:

https://community.sophos.com/products/unified-threat-management/astaroorg/f/68/t/60305

Cu, Abyss_X

0 apnet over 13 years ago

Hy Guys,

I believe i had the same Problem by one of my customers. the remote office are connected over a "normal" t-online Router to the internet and the internal client open then a CISCO VPN Connection.
The problem was the t-online Router doesn't allow the ping from the Internet / ASG Headquarter. So i allow the Ping from the Headquarter ASG on the t-online router...
Now it works fine...
Is anything about TimeBLABLABLA...
Cancel
Vote Up 0 Vote Down

Cancel
0 Abyss_X over 13 years ago in reply to apnet

No ideas to solve the problem?

Cu
Cancel
Vote Up 0 Vote Down

Cancel
0 Abyss_X over 12 years ago in reply to Abyss_X

last attempt...

Cu
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 12 years ago

I found this in the KIL:
ID14692 8.000 Terminating Cisco Remote access connections after end of phase 2 lifetime
------------------------------------------------------------------------
Description:
Workaround: Increase the lifetimes for IKE and IPsec on the ASG. Since
Cisco VPN uses a fixed policy you need to edit it on the
command line via confd-client. It's at
OBJS:ipsec->policy->REF_IPsecPolicyCisco. Values to be
increased are ike_sa_lifetime and ipsec_sa_lifetime.
Maximum value accepted by pluto is 86400.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel