CISCO VPN disconnecting

ViviTheMage

Lifer
Dec 12, 2002
36,189
87
91
madgenius.com
We have well over 100 users who use VPN...via Verizon Air Cards, Sprint Air Cards, and home cable/DSL connections...even some dial-up users in the mines.

We have a handful of users who get disconnected from VPN every 1-2 hours, for no apparent reason. Yet we have users with the same setups (D630, Verizon Air Card PC5750s, etc.) and they will work fine for hours/days without getting disconnected. It seems to be on EVDO, and EXTENDED/ENHANCED.

This is our .PCF file...I put xxxxx in 3 spots to remove some information:

[main]
Description=
Host=xxxxxxxxx
AuthType=1
GroupName=xxxxxxxxx
GroupPwd=
enc_GroupPwd=xxxxxxxxxx
EnableISPConnect=0
ISPConnectType=0
ISPConnect=NationalAccess - BroadbandAccess
ISPPhonebook=C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk
ISPCommand=
Username=
SaveUserPassword=0
UserPassword=
enc_UserPassword=
NTDomain=
EnableBackup=0
BackupServer=
EnableMSLogon=1
MSLogonType=0
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=80
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
SendCertChain=0
PeerTimeout=90
EnableLocalLAN=0
ForceNat=1


We used to have a PPTP VPN connection which users worked great on, we never had issues with it...now we have all of these random disconnects.

VPN client 5.0.03.0560
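
Added example, not part of the original post and not Cisco's code: a small Python helper that compares the .pcf profile of a user who stays connected with that of a user who drops, and reports which tunnel transport each profile requests. The two profiles and the host name are constructed samples; the script assumes the usual profile semantics (EnableNat=1 turns on transparent tunneling, TunnelingMode 0 = UDP and 1 = TCP, a leading "!" marks a read-only parameter).

```python
import configparser

# Fields expected to differ per user, or secrets that should not be echoed.
IGNORED = {"username", "userpassword", "enc_userpassword",
           "grouppwd", "enc_grouppwd", "ntdomain", "description"}

def load_pcf(text):
    """Parse the [main] section of a .pcf profile into {lowercase key: value}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    # A leading "!" marks a parameter read-only in the client; drop it to compare.
    return {k.lstrip("!"): v.strip() for k, v in cp["main"].items()}

def transport(profile):
    """Transparent-tunneling transport the profile asks for (assumed semantics)."""
    if profile.get("enablenat", "0") != "1":
        return "none"
    if profile.get("tunnelingmode", "0") == "1":
        # TcpTunnelingPort only matters when TCP mode is selected.
        return "tcp/" + profile.get("tcptunnelingport", "")
    return "udp"

def diff_profiles(good_text, bad_text):
    """Return {key: (good_value, bad_value)} for settings that differ."""
    good, bad = load_pcf(good_text), load_pcf(bad_text)
    return {k: (good.get(k), bad.get(k))
            for k in sorted(set(good) | set(bad))
            if k not in IGNORED and good.get(k) != bad.get(k)}

# Constructed sample profiles (subset of the keys shown in the post).
GOOD_PCF = """[main]
Host=vpn.example.invalid
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=80
PeerTimeout=90
ForceNat=1
Username=alice
"""
BAD_PCF = GOOD_PCF.replace("Host=", "!Host=").replace("TunnelingMode=0", "TunnelingMode=1") \
                  .replace("PeerTimeout=90", "PeerTimeout=30") \
                  .replace("ForceNat=1\n", "").replace("alice", "bob")

if __name__ == "__main__":
    for key, (g, b) in diff_profiles(GOOD_PCF, BAD_PCF).items():
        print(f"{key}: working={g!r} dropping={b!r}")
    print("transport:", transport(load_pcf(GOOD_PCF)), "vs", transport(load_pcf(BAD_PCF)))
```

With TunnelingMode=0, as in the posted profile, the TcpTunnelingPort=80 line is not used, which matches the client statistics later in the thread showing transparent tunneling over UDP.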
 
Deviant Grasshopper

Dec 8, 2008
506
0
0
Right click on the client icon and take a look at the logs. Turn on verbose logging as well.


I've had major issues with Verizon aircards not giving a gateway. Since it emulates a dial-up connection it seems like some towers don't provide a gateway or the gateway they provide doesn't work. For example, if I connect at my work I get an actual gateway but at my house I get 0.0.0.0. The client will connect and work for a while but will eventually disconnect due to policy issues.


 

ViviTheMage

What can we do about the towers not giving a gateway? Just live with it...?

I do not see anything in the logs ... I also do not see a verbose logging option.

Under statistics it says 'transparent tunneling:active on UDP port 4500'. Should I add 4500 to UDP in Windows Firewall? I forgot to add...all machines are XP PRO SP2...with McAfee and Windows Firewall on.
 
Deviant Grasshopper
Originally posted by: ViviTheMage
What can we do about the towers not giving a gateway? Just live with it...?

I do not see anything in the logs ... I also do not see a verbose logging option.

Under statistics it says 'transparent tunneling:active on UDP port 4500'. Should I add 4500 to UDP in Windows Firewall? I forgot to add...all machines are XP PRO SP2...with McAfee and Windows Firewall on.

I wrote a script that would figure out the first hop and use that as the gateway, but ultimately I upgraded our VPN appliance and got a new client that worked around the issue.


 

stlcardinals

Senior member
Sep 15, 2005
729
0
76
What Firewall are you using? What version of the VPN client are you using?

If at all possible I would try using the new Cisco AnyConnect client, but it would depend on what type of license you have and what firewall you have.
 

ViviTheMage

Originally posted by: stlcardinals
What Firewall are you using? What version of the VPN client are you using?

If at all possible I would try using the new Cisco AnyConnect client, but it would depend on what type of license you have and what firewall you have.

Windows Firewall; McAfee does not have its firewall on.

Originally posted by: Deviant Grasshopper
Originally posted by: ViviTheMage
What can we do about the towers not giving a gateway? Just live with it...?

I do not see anything in the logs ... I also do not see a verbose logging option.

Under statistics it says 'transparent tunneling:active on UDP port 4500'. Should I add 4500 to UDP in Windows Firewall? I forgot to add...all machines are XP PRO SP2...with McAfee and Windows Firewall on.

I wrote a script that would figure out the first hop and use that as the gateway, but ultimately I upgraded our VPN appliance and got a new client that worked around the issue.

Mind sharing this script? Did it FIX the issue? Which client did you upgrade to?
 

ViviTheMage

We have Cisco AnyConnect client, but it's only for us in IT at home...we do not want to give it out to users, as they will use it on their PCs at home...not good.
 

ViviTheMage

Originally posted by: ViviTheMage
What can we do about the towers not giving a gateway? Just live with it...?

I do not see anything in the logs ... I also do not see a verbose logging option.

Under statistics it says 'transparent tunneling:active on UDP port 4500'. Should I add 4500 to UDP in Windows Firewall? I forgot to add...all machines are XP PRO SP2...with McAfee and Windows Firewall on.

I am still wondering if this is an issue? Because we also have a guy on ethernet at his home who gets disconnected for no apparent reason, but he is plugged in via wall AC adapter, ethernet cable (his internet connection stays active, even if VPN disconnects).
 

sparqmark

Junior Member
Feb 19, 2013
1
0
0
Old Thread... however.

Try looking for a security setting called secret privacy forwarding. This setting will disconnect (quick) to reset RSA keys, therefore possibly disconnecting a user. If disabled it will default back to level 1 and happen every 8 hours or so. Hope this helps.