Cisco VPN client session does not time out


Users were not able to get connected to my PIX 515E 6.3 using the VPN client. Upon further investigation I found that users could initially connect to the PIX. But if they move out of the wireless range (i.e. lose their network connectivity) while they are connected to the PIX, then they will not be able to get connected back to the PIX.

I changed the idle-time for the VPN profile from 3 hours and reduced it to 3 minutes. Still the session timeout does not work and I could see multiple entries for the user while giving "sh isakmp sa".

I searched the group for similar problems but could not find any. Has any of you faced a similar problem? Does any solution come to mind?

Thanks, Chery


Are you set for isakmp identity hostname or isakmp identity address?

The identity is used when a new phase 1 tunnel has to be negotiated due to disconnection. The client sends its identity as part of an ISAKMP clause that means "remove all previous security associations from this identity". If the identity offered upon reconnect does not happen to match the identity that was previously offered, then the previous SAs are not going to be thrown away, and it is going to take time before the PIX figures out that it should no longer bother to match against those particular ACL entries associated with the SAs.

Walter Roberson
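The behaviour described in the reply above, as an added example that is not part of the original thread and is not PIX code: a toy model of a gateway's phase 1 SA table in which a reconnect purges old SAs only when the offered identity matches. The `Responder` class, the lifetime value, the identities and the addresses are all constructed assumptions; the second scenario assumes the client offers an address-type identity that changes when it rejoins the network.

```python
from dataclasses import dataclass, field

@dataclass
class Responder:
    """Toy model of a VPN gateway's phase 1 SA table (hypothetical, not PIX code)."""
    lifetime: int = 86400                    # assumed SA lifetime in seconds
    sas: list = field(default_factory=list)  # entries: (identity, src_ip, created_at)

    def expire(self, now):
        # With no identity match on reconnect, an SA only leaves by ageing out.
        self.sas = [sa for sa in self.sas if now - sa[2] < self.lifetime]

    def negotiate(self, identity, src_ip, now, initial_contact=True):
        """Accept a new phase 1 SA; return how many old SAs were purged."""
        self.expire(now)
        purged = 0
        if initial_contact:
            # The purge is keyed on the offered identity, not on the user
            # name or the source IP the client happens to have.
            keep = [sa for sa in self.sas if sa[0] != identity]
            purged = len(self.sas) - len(keep)
            self.sas = keep
        self.sas.append((identity, src_ip, now))
        return purged

def reconnect_scenario(first_id, second_id):
    """Client connects, drops off wireless, reconnects 5 minutes later.

    Returns (SAs purged on reconnect, SAs now held for this one user).
    """
    gw = Responder()
    gw.negotiate(first_id, "192.0.2.10", now=0)
    purged = gw.negotiate(second_id, "192.0.2.77", now=300)
    return purged, len(gw.sas)

if __name__ == "__main__":
    # Constructed identities and addresses (documentation ranges).
    same = reconnect_scenario("laptop7.example.com", "laptop7.example.com")
    changed = reconnect_scenario("192.0.2.10", "192.0.2.77")
    print("same identity on reconnect   :", same)
    print("changed identity on reconnect:", changed)
```

In the second scenario the stale entry stays in the table alongside the new one, which is the "multiple entries for the user" symptom from the question.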