[vpn-help] Temporary traffic stops while connected to Cisco VPN
Matthew Grooms
mgrooms at shrew.net
Fri Dec 3 16:40:55 CST 2010
On 11/29/2010 9:44 AM, Jochen De Smet wrote:
>
> I'm not 100% sure what kind of Cisco is on the other side; I configured
> shrew by importing the .pfc file. Here's a summary of the config options:
>
> - general: hostname and port set, auto config set to "ike config pull"
> - client: NAT traversal enabled, keep-alive packet rate 15 secs, ike
> fragmentation disabled, all "other options" checked
> - phase1: aggressive, group2, auto, key life time limit 86400 secs, 0
> data limit
> - phase2: auto, auto, auto, compress disabled, key life time limit 3600
> secs, 0 data limit
>
> Symptom:
> Sometimes all VPN traffic stops for a minute or so, then after that
> things usually work again.
> When looking at the "Network" tab of the established connection, it seems
> to always show the number of established associations as (expired + 2).
> Then after a while expired increases by 1 and that's when things work
> again.
>
> I'm not sure if it's related, but the shrew client also appears to take
> a lot longer to enable the initial tunnel than the cisco client
> (+-30 seconds vs +-3 seconds)
>
I'm not sure about this. Do you have any debug log output that shows
this problem happening?
> Any idea what the problem is or what to do about it? It's a bit annoying
> since the pause is usually long enough to make my ssh sessions disconnect.
>
Have you noticed that the traffic stops passing correctly at a specific time
after the tunnel has been established? It could be that you have a
phase2 timeout mismatch between the client and the gateway. To test the
client in my lab, I set it to use 60sec IPsec SAs to ensure that it
works well during phase2 rekeys. However, your Cisco gateway may be
configured to behave differently, allowing a phase2 lifetime mismatch to
occur.
My other guess is that there is a firewall state expiring for the UDP
port mapping. Have you tried forcing NAT-T to enable to see if it has an
effect? The reason I suggest this is that keepalive messages aren't sent
unless NAT is detected and NAT-T is enabled.
-Matthew
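The two hypotheses in the reply above (a phase2 lifetime mismatch, and a firewall UDP state expiring because no NAT-T keepalives are sent) can be checked with a small timing model. The following Python is an added example and is not code from the thread or from the Shrew Soft client; the peer lifetimes, the rekey-margin parameter and the firewall idle timeout are constructed assumptions used to illustrate the mechanism, not values read from any Cisco or Shrew configuration.

```python
"""Added example: model when traffic stalls under a phase2 lifetime mismatch,
and whether an idle UDP state survives without NAT-T keepalives.

Constructed model, not the behaviour of any specific IKE implementation:
  - the client is the only party that initiates phase2 rekeys, and does so
    `rekey_margin` seconds before its own SA lifetime runs out (0 = at expiry);
  - the gateway silently discards its copy of the SA when its own lifetime
    elapses and only carries traffic again once the client has rekeyed;
  - traffic is "blacked out" while the client still uses an SA the gateway
    has already dropped.
"""
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    sa_lifetime: int        # seconds until this peer discards the phase2 SA
    rekey_margin: int = 0   # seconds before expiry at which the client rekeys


def phase2_blackouts(client: Peer, gateway: Peer, horizon: int):
    """Return [(start, end), ...] intervals (seconds since tunnel up) during
    which the client sends on an SA the gateway no longer has."""
    blackouts = []
    created = 0
    while created < horizon:
        gw_expiry = created + gateway.sa_lifetime
        client_rekey = created + client.sa_lifetime - client.rekey_margin
        # Mismatch only hurts when the gateway gives up before the client rekeys.
        if gw_expiry < client_rekey:
            blackouts.append((gw_expiry, min(client_rekey, horizon)))
        created = client_rekey      # the rekey creates the next SA
    return blackouts


def udp_state_survives_idle(keepalive_interval: int, nat_detected: bool,
                            natt_enabled: bool, udp_idle_timeout: int) -> bool:
    """Does a firewall/NAT UDP state for the IKE/NAT-T port stay alive while
    no user traffic flows?  Keepalives are only sent when NAT is detected
    and NAT-T is enabled (as the reply notes); otherwise the state idles out."""
    keepalives_sent = nat_detected and natt_enabled
    return keepalives_sent and keepalive_interval < udp_idle_timeout


if __name__ == "__main__":
    # Constructed scenario: client keeps the SA for 3600 s, gateway for 3540 s.
    client = Peer("client", sa_lifetime=3600)
    gateway = Peer("gateway", sa_lifetime=3540)
    for start, end in phase2_blackouts(client, gateway, horizon=7200):
        print(f"traffic stalls from t={start}s to t={end}s ({end - start}s)")
    # The lab setting from the reply: a 60 s client SA always rekeys first.
    print("60s client SA blackouts:",
          phase2_blackouts(Peer("client", 60), gateway, horizon=7200))
    # Keepalives every 15 s vs. an assumed 30 s firewall UDP idle timeout.
    print("state survives with NAT-T:", udp_state_survives_idle(15, True, True, 30))
    print("state survives, NAT not detected:", udp_state_survives_idle(15, False, True, 30))
```

With the constructed 3600/3540 lifetimes the model reproduces the reported symptom: a stall of about a minute once per hour, ending exactly when the client's own rekey fires (the moment the "expired" counter ticks up). Shortening the client lifetime below the gateway's, as in the lab test, makes the stall disappear, which is the quick experiment to run before looking at NAT state timeouts.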