
I have a number of Cisco ASA 5505 and PIX 506e around the world acting as VPN endpoints. They connect to a Cisco VPN Concentrator 3000 at HQ. I am using Easy VPN to set up the VPN (i.e. most of the config is central on the VPN Concentrator). The majority of endpoints work absolutely fine.

However, there are three that do not. 2 ASAs and 1 PIX get disconnected from one of the VLANs on our network. This is the VLAN that my monitoring server runs on - so those endpoints look as if they have gone down. However, I can still ping the endpoints from our user VLAN. If I then SSH onto the endpoint, and do a ping to my monitoring server, the connection comes back. Then after about 10 minutes it stops working again.

I've looked at the configuration of my endpoints, and I can't see any significant differences. One common feature is that the affected endpoints are connecting to the internet via retail-quality routers. However, I don't see how this could affect traffic within a VPN tunnel.

Any ideas or suggestions? I've also got a thread on Cisco's forums at https://supportforums.cisco.com/thread/344638. One other person has reported the same problem.

dunxd
  • Hah - I am SO glad we replaced that old VPN Concentrator with an ASA 5510! We don't see this problem anymore since then, but other changes have also occurred in the last two years. – dunxd Feb 01 '12 at 17:11

1 Answer


I think you mean to say "subnet" every place you have "VLAN". I don't think the vpn3k even supported assigning VPN tunnels to VLANs. If you are using split-tunneling and pushing out 2 different routes for each of those subnets, then on the PIX you end up with 1 IPsec security association per subnet.

It sounds like these are timing out for some reason.

I'm not sure why that would happen, but I do know that I've been using this configuration for years without issue:

vpnclient server server1 server2
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup group password ********
vpnclient username user password ********
vpnclient management tunnel mana.geme.nt.subnet 255.255.255.0
vpnclient enable

Is that different from the configuration you are running?

Justin
  • My config is almost exactly the same, only missing the management tunnel line. Each VLAN we have gets a subnet, so I expect you are right on that count. So are you saying that each subnet gets its own tunnel, and for some reason that is timing out? Interestingly, we have lost this problem on one of the ASAs by removing a cheap router from the equation. The D-Link used to be connected in between the ASA and the ISP equipment. Now the ASA connects directly to the ISP equipment, and the problem has gone. In some cases the cheap router **is** the ISP equipment though, so not quite as easy. – dunxd Feb 12 '10 at 15:47
  • Are you running ipsec over udp at all? I've found it to be a little more reliable than plain ipsec, especially when cheap routers are involved. – Justin Feb 15 '10 at 00:42
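The answer's point is that with split tunneling the endpoint holds one IPsec SA per HQ subnet, so a single subnet can drop while the others stay up. The following is an added example, not code from this thread or from Cisco: it parses the per-SA identity and packet-counter lines from `show crypto ipsec sa` style output and reports, for each HQ subnet the endpoint is expected to reach, whether its SA is up, idle, or missing. The sample output, the subnet list, and the exact line layout are constructed from memory of the PIX/ASA format and should be checked against a real device before use.

```python
import re

# Constructed sample in the style of `show crypto ipsec sa` output
# (not captured from the poster's devices; layout assumed, verify on a real box).
SAMPLE = """\
interface: outside
    Crypto map tag: vpnclient, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
      #pkts encaps: 1532, #pkts encrypt: 1532, #pkts digest: 1532
      #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498

      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.20.0/255.255.255.0/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# HQ subnets the concentrator is assumed to push to this endpoint (constructed).
EXPECTED_REMOTE = ["10.1.0.0/255.255.255.0", "10.1.20.0/255.255.255.0",
                   "10.1.30.0/255.255.255.0"]

IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sas(text):
    """Return one dict per SA block: local and remote subnet plus encaps/decaps counts."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            side, addr, mask = m.groups()
            if side == "local":  # a "local ident" line opens a new SA block
                cur = {"local": f"{addr}/{mask}", "remote": None, "encaps": 0, "decaps": 0}
                sas.append(cur)
            elif cur is not None:
                cur["remote"] = f"{addr}/{mask}"
            continue
        m = COUNT.search(line)
        if m and cur is not None:
            cur[m.group(1)] = int(m.group(2))
    return sas

def audit(text, expected_remote):
    """Per expected HQ subnet: 'ok' (traffic decrypted), 'idle' (SA present but nothing
    received from HQ), or 'missing' (no SA at all, i.e. the per-subnet timeout case)."""
    by_remote = {sa["remote"]: sa for sa in parse_sas(text)}
    return {s: "missing" if s not in by_remote
            else ("idle" if by_remote[s]["decaps"] == 0 else "ok")
            for s in expected_remote}
```

Run `audit(SAMPLE, EXPECTED_REMOTE)` against output polled from an affected endpoint every few minutes; a subnet flipping between "ok" and "missing" is the symptom in the question made visible without waiting for the monitoring server to lose it.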