ASA 5505 (simultaneous VPN sessions disconnect)
I am having an issue where only one VPN session is allowed to connect at any given time. For example, let's say Client #1 is connected; as soon as Client #2 connects, Client #1 is disconnected with the pop-up error (Reason 433: Reason Not Specified by Peer). Client #2 continues to establish the connection and successfully connects.

These 3x syslog messages occur immediately before the first syslog message related to Client2's connection appears. (Read bottom up.)

14:09:51 Group = Remote_Users_0, Username = Client1, IP = x.x.68.63, Session disconnected. Session Type: IPsec, Duration: 0h:00m:15s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Reconnected

14:09:50 IPSEC: An outbound remote access SA (SPI= 0x926D332A) between x.x.57.203 and x.x.68.63 (user= Client1) has been deleted.

14:09:49 IPSEC: An inbound remote access SA (SPI= 0xEE41DA6A) between x.x.57.203 and x.x.68.63 (user= Client1) has been deleted.

Thanks Everyone!

{current running config}

--begin paste--

home# sh run
: Saved
:
ASA Version 8.0(3)
!
hostname home
domain-name x.dyndns.org
enable password x encrypted
names
name x.x.15.152 desktop_work
name 10.1.1.10 laptop_home
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group qwestdsl
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd x encrypted
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name x.dyndns.org
object-group service vnc tcp
port-object eq 5900
access-list outside_access_in extended permit ip any interface outside
access-list outside_access_in extended permit tcp host desktop_work interface outside eq 5900
access-list Remote_Users_0_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list no_nat extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Remote_Users_0_pool 10.1.2.30-10.1.2.39 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 5900 laptop_home 5900 netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http x.x.15.0 255.255.255.0 outside
http 10.1.1.0 255.255.255.0 inside
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn home
subject-name CN=home
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
quit
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
vpn-addr-assign local reuse-delay 120
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh x.x.0.0 255.255.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
vpdn group qwestdsl request dialout pppoe
vpdn group qwestdsl localname x@qwest.net
vpdn group qwestdsl ppp authentication chap
vpdn username x@qwest.net password ********* store-local
dhcpd auto_config outside
!
dhcpd address 10.1.1.50-10.1.1.81 inside
dhcpd dns x.x.3.65 x.x.2.65 interface inside
dhcpd lease 2880 interface inside
dhcpd ping_timeout 200 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics
group-policy DfltGrpPolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Remote_Users_0_splitTunnelAcl
group-policy Remote_Users_0 internal
group-policy Remote_Users_0 attributes
dns-server value x.x.2.65 x.x.3.65
vpn-simultaneous-logins 3
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Remote_Users_0_splitTunnelAcl
username Client1 password x encrypted privilege 15
username Client2 password x encrypted privilege 15
tunnel-group Remote_Users_0 type remote-access
tunnel-group Remote_Users_0 general-attributes
address-pool (inside) Remote_Users_0_pool
address-pool Remote_Users_0_pool
default-group-policy Remote_Users_0
tunnel-group Remote_Users_0 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:x2bb335147c1b85615d1
: end

--end paste--
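
One way to line up the evidence in the post, as an added example that is not part of the original thread: the script pairs the SA deletions with the disconnect record for the same user and peer, and pulls the settings that bound concurrent sessions out of the config. The function names, the choice of config lines, and the reading of the second address in the SA lines as the remote peer are assumptions.

```python
import re

# Syslog lines copied from the post, reordered oldest first.
LOG = """\
14:09:49 IPSEC: An inbound remote access SA (SPI= 0xEE41DA6A) between x.x.57.203 and x.x.68.63 (user= Client1) has been deleted.
14:09:50 IPSEC: An outbound remote access SA (SPI= 0x926D332A) between x.x.57.203 and x.x.68.63 (user= Client1) has been deleted.
14:09:51 Group = Remote_Users_0, Username = Client1, IP = x.x.68.63, Session disconnected. Session Type: IPsec, Duration: 0h:00m:15s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Reconnected
"""
# Config lines copied from the post that bear on concurrent remote-access sessions.
CONFIG = """\
ip local pool Remote_Users_0_pool 10.1.2.30-10.1.2.39 mask 255.255.255.0
no crypto isakmp nat-traversal
vpn-simultaneous-logins 3
"""

SA_RE = re.compile(r"^(\S+) IPSEC: An (inbound|outbound) remote access SA \(SPI= (0x[0-9A-Fa-f]+)\) "
                   r"between (\S+) and (\S+) \(user= (\S+)\) has been deleted")
DISC_RE = re.compile(r"^(\S+) Group = (\S+), Username = (\S+), IP = (\S+), Session disconnected\."
                     r".*Duration: (\S+), Bytes xmt: (\d+), Bytes rcv: (\d+), Reason: (.+)$")

def teardowns(log):
    """One record per 'Session disconnected' line, carrying the SPIs of the
    SA deletions logged earlier for the same user and peer address."""
    pending, out = {}, []
    for line in log.splitlines():
        if m := SA_RE.match(line):
            # Assumption: the second address is the remote peer (it matches "IP =" in the post).
            _, direction, spi, _, peer, user = m.groups()
            pending.setdefault((user, peer), {})[direction] = spi
        elif m := DISC_RE.match(line):
            ts, group, user, peer, dur, xmt, rcv, reason = m.groups()
            out.append({"time": ts, "group": group, "user": user, "peer": peer,
                        "duration": dur, "bytes": int(xmt) + int(rcv),
                        "reason": reason.strip(), "spis": pending.pop((user, peer), {})})
    return out

def session_settings(config):
    """Settings that bound how many clients can stay connected at once."""
    lines = [l.strip() for l in config.splitlines()]
    pool = re.search(r"ip local pool \S+ (\d+\.\d+\.\d+)\.(\d+)-\1\.(\d+)", config)
    logins = re.search(r"^\s*vpn-simultaneous-logins (\d+)", config, re.M)
    return {
        # Assumes the pool range stays inside one /24, as it does in the post.
        "pool_size": int(pool[3]) - int(pool[2]) + 1 if pool else None,
        "simultaneous_logins": int(logins[1]) if logins else None,
        # NAT-T keeps tunnels from clients behind one PAT address apart; the post
        # has the "no" form and does not say whether the clients share an address.
        "nat_traversal": any(l.startswith("crypto isakmp nat-traversal") for l in lines),
    }

if __name__ == "__main__":
    print(teardowns(LOG), session_settings(CONFIG), sep="\n")
```
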
