I am using a Cisco VPN Client 4.0.5(c) / WinXP Pro to connect to work
from home. I have a wireless DSL router (Westel) from Verizon.
I am at my wit's end. The VPN folks claim all is well at their end,
they do not have an idle timeout setting of a few minutes, and that something
is wrong at my end. They may be right, but I am disappointed that they
can't help me troubleshoot at my end, if in fact the issue is at my
end.
So far:
-Tried wired connection, instead of wireless
-Made sure I am using IPSEC over UDP instead of TCP (on VPN folk's
recommendation)
-Added ForcedKeepAlives=1 to my profile
-Enabled IPSEC ESP (client) and IPSEC IKE (port forwarding) services
in my home router (honestly don't know what they mean, just monkeying
around)
-I even tried to run a bat script that simply pings a server, sleeps
for 3 mins and goes at it again.
-I tried keeping a putty telnet session to a server open.
No matter what, unless I am actively using the browser or some
application that generates network traffic, VPN connection is gone in a
few minutes?
What on the earth is happening??
TIA.
Here's a chunk of log from my VPN client that I believe captures a
timeout which may mean something to any of you gurus:
------------
654 09:27:15.375 07/14/06 Sev=Info/6 IKE/0x63000054
Sent a keepalive on the IPSec SA
655 09:27:25.375 07/14/06 Sev=Info/6 IKE/0x63000054
Sent a keepalive on the IPSec SA
656 09:27:35.375 07/14/06 Sev=Info/6 IKE/0x63000054
Sent a keepalive on the IPSec SA
657 09:27:45.312 07/14/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 198.74.13.200
658 09:27:45.312 07/14/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from 198.74.13.200
659 09:27:45.312 07/14/06 Sev=Info/5 IKE/0x63000018
Deleting IPsec SA: (OUTBOUND SPI = 394A9D0B INBOUND SPI = DD22B922)
660 09:27:45.312 07/14/06 Sev=Info/4 IKE/0x63000048
Discarding IPsec SA negotiation, MsgID=0AD309AA
661 09:27:45.312 07/14/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 198.74.13.200
662 09:27:45.312 07/14/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DWR) from 198.74.13.200
663 09:27:45.312 07/14/06 Sev=Info/4 IKE/0x63000080
Delete Reason Code: 8 --> PEER_DELETE-IKE_DELETE_IDLE_TIMEOUT.
664 09:27:45.312 07/14/06 Sev=Info/5 IKE/0x6300003C
Received a DELETE payload for IKE SA with Cookies:
I_Cookie=7ADB9543A0410F64 R_Cookie=FA3EED4FDEC26B35
665 09:27:45.312 07/14/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=7ADB9543A0410F64
R_Cookie=FA3EED4FDEC26B35) reason = PEER_DELETE-IKE_DELETE_IDLE_TIMEOUT
666 09:27:45.375 07/14/06 Sev=Info/4 IPSEC/0x63700013
Delete internal key with SPI=0x22b922dd
667 09:27:45.375 07/14/06 Sev=Info/4 IPSEC/0x6370000C
Key deleted by SPI 0x22b922dd
668 09:27:45.375 07/14/06 Sev=Info/4 IPSEC/0x63700013
Delete internal key with SPI=0x0b9d4a39
669 09:27:45.375 07/14/06 Sev=Info/4 IPSEC/0x6370000C
Key deleted by SPI 0x0b9d4a39
670 09:27:45.875 07/14/06 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=7ADB9543A0410F64
R_Cookie=FA3EED4FDEC26B35) reason = PEER_DELETE-IKE_DELETE_IDLE_TIMEOUT
671 09:27:45.875 07/14/06 Sev=Info/4 CM/0x63100013
Phase 1 SA deleted cause by PEER_DELETE-IKE_DELETE_IDLE_TIMEOUT. 0
Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
672 09:27:45.875 07/14/06 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
673 09:27:45.875 07/14/06 Sev=Info/6 CM/0x63100031
Tunnel to headend device natural.keyspanenergy.com disconnected:
duration: 0 days 0:4:46
674 09:27:45.875 07/14/06 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
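Added example (not part of the original posts): a small Python parser for the Cisco VPN Client log format shown above, run over an excerpt of the posted log. It pulls out the peer's delete reason, the tunnel duration, and the gap between the client's last keepalive and the peer's delete; the function names are illustrative.

```python
import re
from datetime import datetime

# Excerpt of the client log posted above (entries 655, 656, 658, 663, 673).
SAMPLE_LOG = """\
655 09:27:25.375 07/14/06 Sev=Info/6 IKE/0x63000054
Sent a keepalive on the IPSec SA
656 09:27:35.375 07/14/06 Sev=Info/6 IKE/0x63000054
Sent a keepalive on the IPSec SA
658 09:27:45.312 07/14/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from 198.74.13.200
663 09:27:45.312 07/14/06 Sev=Info/4 IKE/0x63000080
Delete Reason Code: 8 --> PEER_DELETE-IKE_DELETE_IDLE_TIMEOUT.
673 09:27:45.875 07/14/06 Sev=Info/6 CM/0x63100031
Tunnel to headend device natural.keyspanenergy.com disconnected:
duration: 0 days 0:4:46
"""

HEADER = re.compile(  # seq, time, date, severity, component/code
    r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d{3})\s+(\d\d/\d\d/\d\d)"
    r"\s+Sev=(\w+)/(\d+)\s+(\w+)/(0x[0-9A-Fa-f]+)\s*$")

def parse_entries(text):
    """Group each header line with the message lines that follow it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(f"{m[3]} {m[2]}", "%m/%d/%y %H:%M:%S.%f")
            entries.append({"seq": int(m[1]), "time": ts,
                            "component": m[6], "code": m[7], "msg": ""})
        elif entries and line.strip():  # continuation of the previous entry
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def summarize_disconnect(entries):
    """Report why the peer ended the tunnel and how recent the last keepalive was."""
    out = dict.fromkeys(["last_keepalive", "reason_code", "reason",
                         "delete_time", "tunnel_seconds", "keepalive_gap_s"])
    for e in entries:
        if "Sent a keepalive" in e["msg"]:
            out["last_keepalive"] = e["time"]
        if (m := re.search(r"Delete Reason Code: (\d+) --> ([A-Z_-]+)", e["msg"])):
            out.update(reason_code=int(m[1]), reason=m[2], delete_time=e["time"])
        if (m := re.search(r"duration: (\d+) days (\d+):(\d+):(\d+)", e["msg"])):
            d, h, mi, s = map(int, m.groups())
            out["tunnel_seconds"] = ((d * 24 + h) * 60 + mi) * 60 + s
    if out["last_keepalive"] and out["delete_time"]:
        out["keepalive_gap_s"] = (out["delete_time"] - out["last_keepalive"]).total_seconds()
    return out
```

On this excerpt, `summarize_disconnect(parse_entries(SAMPLE_LOG))` reports reason code 8 from the peer, a 286-second tunnel, and a last client keepalive 9.937 seconds before the delete, so the client was still sending keepalives when the headend declared the session idle.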
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_tech_note09186a00801f253d.shtml
Message Type - Select "Reason"
Message Number/Value - Select "431"
Reason 431: Configured Maximum Idle Time for Session Exceeded.
-------------------------------------------
Description or Action:
The VPN connection was idle for longer than the time allowed by the
administrator.
**********************************************************************
Try going to User Management, Groups, select the group that the user
belongs to.
Then, select Authentication Servers.
Highlight the server.
Then, select Modify.
Then, change the Timeout value from 1 to 4
Hope this helps.
Brad Reese
BradReese.Com - Global Cisco Systems Pre-Sales Support
http://www.bradreese.com/contact-us.htm#GLOBAL
1293 Hendersonville Road, Suite 17
Asheville, North Carolina USA 28803
USA & Canada: 877-549-2680
International: 828-277-7272
Fax: 775-254-3558
AIM: R2MGrant
Website: http://www.bradreese.com/contact-us.htm
I had seen the error explanation, but not on Cisco's site, so I now
have something authoritative I can show to VPN folks. The fix you
mentioned I hadn't seen earlier, so that's definitely helpful.
I am curious...what is the meaning of these settings from 1 to 4? Is 4
mins the max idle time that is allowed? If that's true, it explains why
I timeout after around 4 mins or so. The application I mainly use over
VPN is not very chatty, so unless I am using it actively, (say I
switched to MS Word for a few minutes), it would make sense that I time
out after 4 mins. However, I can't believe that 4 mins is all you get,
so I hope my understanding is wrong.
Regards.
www.BradReese.Com wrote:
> You may wish to investigate the Cisco VPN Client GUI Error Lookup Tool:
...
...