Pix VPN packet numbers out of sequence

[Silene]

Remote users using the VPN client 3.5 experience unexpected disconnection from time to time. When this happens they can reconnect but cant seem to be able to connect to any internal server.
Checking the Pix 520 in debug the problem would appear to be the following:
ISAMKP (0): DPD: received seq_no 256740580 != expected seq_no 256740575
return status is IKMP_NO_ERR_NO_TRANS
This continues to appear if the remote user disconnects and then reconnects, and doesn't seem to right itself until the connection has fully timed out at the PIX end.
Is there anything I can do to
1) Stop this problem from happening in the first place, or
2) Reset the sequence numbers in some way to minimise the problem when it does happen.

Thanks

 

[yizhar]

HI.

What kind of network connection to ISP is in use at each side?

Try to lower the MTU on the client machine. Did it help?

Ask the clients to check ping response time and reliability when everything is OK and whenever there is a probelm.
Ask them to ping the pix outside interface, but if you're blocking it then ask them to pix perimeter router.
What are the results?

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[8dstaicu]

The messages that you talk about are Dead Peer Detection. As you can see, the dpd that you have received have bigger sn then the one that pix requested. So, it is a ugly problem with the clients. I would suggest a newer version of vpn client software. It looks like a bug. Or a conflict with other software, if the problem ocured on more than 1 pc.