Cisco VPN Client dropping connection

Tags: cisco-asa, cisco-pix, cisco-vpn, dmz

Using Windows XP and Cisco VPN client version 5.0.4.xxx to connect to a remote customer site. We are able to establish the connection and start an RDP session, but within 1-2 minutes the connection drops and the VPN connection disconnects. The PC making the connection is on a DMZ which is NATed to a public IP address.

If we move the PC directly onto the internet without being on the DMZ the connection works and we don't encounter any disconnects. We use a PIX 515E running 7.2.4 and don't have any problems with similar setups connecting to other customer sites from the DMZ.

The VPN setup on the client side is pretty basic, using IPSec over TCP port 10000. Not sure what device they are using on the peer, but my guess would be an ASA.

Any idea as to what the problem would be? Below are the logs from the VPN client when the problem occurs. The real IP address has been changed to: RemotePeerIP.

4 14:39:30.593 09/23/09 Sev=Info/4 CM/0x63100024
Attempt connection with server "RemotePeerIP"

5 14:39:30.593 09/23/09 Sev=Info/6 CM/0x6310002F
Allocated local TCP port 1942 for TCP connection.

6 14:39:30.796 09/23/09 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

7 14:39:30.796 09/23/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

8 14:39:30.796 09/23/09 Sev=Info/6 IPSEC/0x6370002C
Sent 256 packets, 0 were fragmented.

9 14:39:30.796 09/23/09 Sev=Info/6 IPSEC/0x63700020
TCP SYN sent to RemotePeerIP, src port 1942, dst port 10000

10 14:39:30.796 09/23/09 Sev=Info/6 IPSEC/0x6370001C
TCP SYN-ACK received from RemotePeerIP, src port 10000, dst port 1942

11 14:39:30.796 09/23/09 Sev=Info/6 IPSEC/0x63700021
TCP ACK sent to RemotePeerIP, src port 1942, dst port 10000

12 14:39:30.796 09/23/09 Sev=Warning/3 IPSEC/0xA370001C
Bad cTCP trailer, Rsvd 26984, Magic# 63697672h, trailer len 101, MajorVer 13, MinorVer 10

13 14:39:30.796 09/23/09 Sev=Info/4 CM/0x63100029
TCP connection established on port 10000 with server "RemotePeerIP"

14 14:39:31.296 09/23/09 Sev=Info/4 CM/0x63100024
Attempt connection with server "RemotePeerIP"

15 14:39:31.296 09/23/09 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with RemotePeerIP.

16 14:39:31.296 09/23/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Unity)) to RemotePeerIP

17 14:39:36.296 09/23/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

18 14:39:36.296 09/23/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to RemotePeerIP

19 14:39:41.296 09/23/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

20 14:39:41.296 09/23/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to RemotePeerIP

21 14:39:46.296 09/23/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

22 14:39:46.296 09/23/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to RemotePeerIP

23 14:39:51.328 09/23/09 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=AEFC3FFF0405BBD6 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

24 14:39:51.828 09/23/09 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=AEFC3FFF0405BBD6 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

25 14:39:51.828 09/23/09 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "RemotePeerIP" because of "DEL_REASON_PEER_NOT_RESPONDING"

26 14:39:51.828 09/23/09 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

27 14:39:51.828 09/23/09 Sev=Info/4 CM/0x6310002D
Resetting TCP connection on port 10000

28 14:39:51.828 09/23/09 Sev=Info/6 CM/0x63100030
Removed local TCP port 1942 for TCP connection.

29 14:39:51.828 09/23/09 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.

30 14:39:51.828 09/23/09 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

31 14:39:52.328 09/23/09 Sev=Info/6 IPSEC/0x63700023
TCP RST sent to RemotePeerIP, src port 1942, dst port 10000

32 14:39:52.328 09/23/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

33 14:39:52.328 09/23/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

34 14:39:52.328 09/23/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

35 14:39:52.328 09/23/09 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped

Thank you for any help you can provide.
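A triage script for this client log format, added here as an example (it is not part of the original post and not a Cisco tool). It parses the header/message pairs and reports whether the TCP connection on port 10000 came up, how many IKE packets were sent and retransmitted, and whether the peer ever answered. The names `parse` and `triage` are hypothetical; the sample entries are copied from the log above.

```python
import re

# Entries copied from the log in the question (a subset, to keep this short).
SAMPLE = """\
12 14:39:30.796 09/23/09 Sev=Warning/3 IPSEC/0xA370001C
Bad cTCP trailer, Rsvd 26984, Magic# 63697672h, trailer len 101, MajorVer 13, MinorVer 10
13 14:39:30.796 09/23/09 Sev=Info/4 CM/0x63100029
TCP connection established on port 10000 with server "RemotePeerIP"
16 14:39:31.296 09/23/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Unity)) to RemotePeerIP
18 14:39:36.296 09/23/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to RemotePeerIP
23 14:39:51.328 09/23/09 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=AEFC3FFF0405BBD6 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

HEADER = re.compile(r"^(\d+)\s+([\d:.]+)\s+([\d/]+)\s+Sev=(\w+)/(\d+)\s+(\w+)/(0x[0-9A-Fa-f]+)$")

def parse(text):
    """Split the header-line / message-line log into one dict per entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            seq, clock, date, sev, level, comp, msg_id = m.groups()
            entries.append({"seq": int(seq), "time": clock, "date": date, "sev": sev,
                            "component": comp, "id": msg_id, "msg": ""})
        elif line and entries:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def triage(entries):
    """Summarise how far the connection got before it was torn down."""
    msgs = [e["msg"] for e in entries]
    sends = [m for m in msgs if m.startswith("SENDING >>> ISAKMP")]
    cookie = next((re.search(r"R_Cookie=([0-9A-F]+)", m) for m in msgs if "R_Cookie=" in m), None)
    reason = next((re.search(r"reason = (\w+)", m) for m in msgs if "reason = " in m), None)
    return {
        "tcp_established": any(m.startswith("TCP connection established") for m in msgs),
        "warnings": [(e["component"], e["msg"]) for e in entries if e["sev"] == "Warning"],
        "ike_sent": len(sends),
        "ike_retransmits": sum("(Retransmission)" in m for m in sends),
        # An all-zero responder cookie means no IKE reply from the peer was ever processed.
        "peer_never_replied": bool(cookie) and set(cookie.group(1)) == {"0"},
        "reason": reason.group(1) if reason else None,
    }

if __name__ == "__main__":
    print(triage(parse(SAMPLE)))
```

Run against the full log, the same summary separates a transport problem (no TCP connection on port 10000) from an IKE problem (TCP up, Phase 1 packets unanswered), which is the first thing to establish when comparing the DMZ path with the direct internet path.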

Best Answer

I know this doesn't do much to explain why, but I (and the IT helpdesk of the company) have found the 4.x version much better when it comes to Cisco VPN disconnections (especially if you use the F-Secure firewall). So we always recommend that people change to the older version. If someone knows the real reason why and how to configure the firewall with the 5.x version, I would like to hear the solution.