RE: Ezay VPN error

From: CCIE <ccie_at_axizo.com>
Date: Wed, 11 Nov 2009 12:08:47 +0200

Here is the configuration of the ASA, where I suspect the cause of that is:

access-list nat0 extended permit ip 172.16.0.0 255.240.0.0 10.1.1.0 255.255.255.0
access-list nat0 extended permit ip 172.16.0.0 255.240.0.0 10.10.0.0 255.255.0.0
access-list branches-vpn-splitTunnelAcl standard permit 172.16.0.0 255.240.0.0

ip local pool MYPOOL 10.1.1.1-10.1.1.254

nat (inside) 0 access-list nat0

group-policy branches-vpn internal
group-policy branches-vpn attributes
 vpn-session-timeout none
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value branches-vpn-splitTunnelAcl
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 nem enable

username mne-vpn password cisco
username mne-vpn attributes
 vpn-group-policy branches-vpn

crypto ipsec transform-set AAADES esp-des esp-md5-hmac
crypto ipsec df-bit clear-df outside
crypto dynamic-map DYNOMAP 10 set transform-set AAADES
crypto map VPNPEER 20 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 3600

tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 60
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10
tunnel-group branches-vpn type ipsec-ra
tunnel-group branches-vpn general-attributes
 address-pool MYPOOL
 default-group-policy branches-vpn
tunnel-group branches-vpn ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10

-----Original Message-----
From: Iwan Hoogendoorn [mailto:iwan_at_ipexpert.com]
Sent: Tuesday, November 10, 2009 12:34 PM
To: CCIE
Cc: ccielab_at_groupstudy.com
Subject: Re: Ezay VPN error

Maybe you can post your config ...
It will be easier to troubleshoot, and the logging message that it
generates after disconnecting?

-- 
Regards,
Iwan Hoogendoorn
CCIE #13084 (R&S / Security / SP)
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
On Tue, Nov 10, 2009 at 9:54 AM, CCIE <ccie_at_axizo.com> wrote:
> Hi experts,
>
> I am connecting a Cisco 837 as a VPN client to an ASA. After a while of
> operation the client disconnects from the ASA side, then I must do clear
> crypto ipsec sa to reestablish the connection.
>
> Any advice or help about that?
>
> Regards,
>
> Amin
>
>
> Blogs and organic groups at http://www.ccie.net
Received on Wed Nov 11 2009 - 12:08:47 ART

This archive was generated by hypermail 2.2.0 : Tue Dec 01 2009 - 06:36:28 ART