On IPSec negotiation, the rekey is based on lifetime or bytes. When negotiation
takes place, the lowest value is always used. So it does not matter if one is
higher than the other; the negotiation does not have to agree on the
lifetime/byte values.
Are you running IPSec VPN with UDP encapsulation?
I have seen problems with them, because some SOHO firewalls like Netgear etc.
treat them as UDP connections and close the state after a predetermined amount
of time.
The way that you can see is if you run tcpdump/ethereal: you will see a heck of
a lot of UDP packets going between the client and the VPN concentrator.
If that is the case, there are two ways to fix it:
1. Disable SPI on the SOHO router/firewall (very bad, not recommended)
2. Disable UDP encapsulation and enable ESP to flow, i.e. you will see protocol
50 in the IP header instead of protocol 17; all newer routers/firewalls allow
it through.
Can you forward the crypto config from the Cisco VPN concentrator?
Hope this helps.
Prabhu
-
Paul Murphy wrote:
> Have you checked your rekey duration on both sides? It looks like one peer
> has a considerably shorter rekey value.
>
> Thanks,
>
> Paul Murphy
>
> From: ditribar@gmx.de
> Sent by: firewall-wizards-bounces@listserv.icsalabs.com
> To: firewall-wizards@honor.icsalabs.com
> Date: 05/31/2007 12:24 PM
> Subject: [fw-wiz] Cisco VPN reconnection every 23 minutes
> Please respond to: Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
>
> Can anybody help me to solve the following problem?
>
> A VPN Tunnel is established and working so far, but the connection gets
> reconnected about every 23 minutes.
>
> Here are some logs of what is happening on PEER1 (AAA.BBB.CCC.DDD) (CISCO
> ASA 5500):
>
> Peer connect
>
> 2007-05-31T17:30:08+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP =
> REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer
> REMOTE_PEER_IP local Proxy Address LOCAL_PROXY_IP, remote Proxy Address
> REMOTE_LAN_IP, Crypto map (outside_map)
> 2007-05-31T17:30:10+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903:
> Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously allocated
> memory for authorization-dn-attributes
> 2007-05-31T17:30:10+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group =
> REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
> 2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group
> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec
> rekeying duration from 28800 to 3600 seconds
> 2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049: Group
> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for
> LAN-to-LAN Group (REMOTE_PEER_IP) Initiator, Inbound SPI = 0x8d72d873,
> Outbound SPI = 0xee7d09b6
> 2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group
> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=2a2a6615)
>
> Peer disconnect again
>
> 2007-05-31T17:53:46+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713050: Group
> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Connection terminated for peer
> REMOTE_PEER_IP. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
> 2007-05-31T17:53:46+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019:
> Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP,
> Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:23m:36s,
> Bytes xmt: 6572, Bytes rcv: 7772, Reason: User Requested
> 2007-05-31T17:53:58+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP =
> REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer
> REMOTE_PEER_IP local Proxy Address LOCAL_PROXY_IP, remote Proxy Address
> REMOTE_LAN_IP, Crypto map (outside_map)
> 2007-05-31T17:54:00+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903:
> Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously allocated
> memory for authorization-dn-attributes
> 2007-05-31T17:54:00+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group =
> REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
> 2007-05-31T17:54:01+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group
> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec
> rekeying duration from 28800 to 3600 seconds
> 2007-05-31T17:54:01+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049: Group
> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for
> LAN-to-LAN Group (REMOTE_PEER_IP) Initiator, Inbound SPI = 0x695fe990,
> Outbound SPI = 0x792e9c57
> 2007-05-31T17:54:01+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group
> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=b6a126bc)
>
> Manual disconnect
>
> 2007-05-31T18:00:32+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019:
> Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP,
> Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:06m:31s,
> Bytes xmt: 0, Bytes rcv: 0, Reason: Administrator Reset
> 2007-05-31T18:00:32+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713050: Group
> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Connection terminated for peer
> REMOTE_PEER_IP. Reason: Administrator Reset Remote Proxy REMOTE_LAN_IP,
> Local Proxy LOCAL_PROXY_IP
> 2007-05-31T18:00:39+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP =
> REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer
> REMOTE_PEER_IP local Proxy Address LOCAL_PROXY_IP, remote Proxy Address
> REMOTE_LAN_IP, Crypto map (outside_map)
> 2007-05-31T18:00:40+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903:
> Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously allocated
> memory for authorization-dn-attributes
> 2007-05-31T18:00:40+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group =
> REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
> 2007-05-31T18:00:41+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group
> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec
> rekeying duration from 28800 to 3600 seconds
> 2007-05-31T18:00:41+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049: Group
> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for
> LAN-to-LAN Group (REMOTE_PEER_IP) Initiator, Inbound SPI = 0x6bccacec,
> Outbound SPI = 0x7a216c5f
> 2007-05-31T18:00:41+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group
> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=fe0bd283)
>
> Peer disconnect again
>
> 2007-05-31T18:24:12+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713050: Group
> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Connection terminated for peer
> REMOTE_PEER_IP. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
> 2007-05-31T18:24:12+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019:
> Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP,
> Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:23m:32s,
> Bytes xmt: 6104, Bytes rcv: 6616, Reason: User Requested
> 2007-05-31T18:25:52+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP =
> REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer
> REMOTE_PEER_IP local Proxy Address LOCAL_PROXY_IP, remote Proxy Address
> REMOTE_LAN_IP, Crypto map (outside_map)
> 2007-05-31T18:25:54+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903:
> Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously allocated
> memory for authorization-dn-attributes
> 2007-05-31T18:25:54+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group =
> REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
> 2007-05-31T18:25:55+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group
> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec
> rekeying duration from 28800 to 3600 seconds
> 2007-05-31T18:25:55+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049: Group
> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for
> LAN-to-LAN Group (REMOTE_PEER_IP) Initiator, Inbound SPI = 0xba41c143,
> Outbound SPI = 0xb16e5642
> 2007-05-31T18:25:55+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group
> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=c825a866)
>
> ..... disconnect occurs about every 23 minutes
>
>
> Any ideas?
>
> Kind regards
>
> ditribar
> --
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
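To make Prabhu's point checkable against ditribar's own logs, here is an added Python triage script (not part of the thread, not Cisco code): it reads the quoted ASA syslog lines, pulls the SA lifetime the responder forced (3600 s) and each session's duration and teardown reason, and labels a drop as rekey-driven only when it lands near that lifetime. The sample lines are copied from the thread; the classification labels and the 5% tolerance are my assumptions.

```python
import re

# Sample syslog lines copied from the ASA logs quoted in this thread
# (the poster's own placeholders AAA.BBB.CCC.DDD / REMOTE_PEER_IP are kept).
SAMPLE_LOG = """\
2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
2007-05-31T17:53:46+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019: Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:23m:36s, Bytes xmt: 6572, Bytes rcv: 7772, Reason: User Requested
2007-05-31T18:00:32+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019: Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:06m:31s, Bytes xmt: 0, Bytes rcv: 0, Reason: Administrator Reset
2007-05-31T18:24:12+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019: Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:23m:32s, Bytes xmt: 6104, Bytes rcv: 6616, Reason: User Requested
"""

REKEY_RE = re.compile(r"%ASA-5-713073: .*rekeying duration from (\d+) to (\d+) seconds")
DISC_RE = re.compile(
    r"%ASA-4-113019: .*Duration: (\d+)h:(\d+)m:(\d+)s, Bytes xmt: (\d+), "
    r"Bytes rcv: (\d+), Reason: (.+)$")


def negotiated_lifetime(log):
    """Return the IPsec SA lifetime (seconds) actually in force.

    The ASA logs its own proposal and the value the responder forced; as the
    reply above says, the lower of the two wins, so only the 'to' value counts."""
    found = [int(m.group(2)) for m in map(REKEY_RE.search, log.splitlines()) if m]
    return min(found) if found else None


def sessions(log):
    """Extract duration (seconds), byte counters and reason from 113019 lines."""
    out = []
    for line in log.splitlines():
        m = DISC_RE.search(line)
        if not m:
            continue
        h, mi, s, xmt, rcv, reason = m.groups()
        out.append({"duration_s": int(h) * 3600 + int(mi) * 60 + int(s),
                    "bytes_xmt": int(xmt), "bytes_rcv": int(rcv),
                    "reason": reason.strip()})
    return out


def classify(session, lifetime, tolerance=0.05):
    """Rekey-driven drops cluster at the SA lifetime; a much shorter session
    torn down at the peer's request points at something outside IKE, such as
    a middlebox expiring UDP state (assumed labels, not ASA terminology)."""
    if session["reason"] == "Administrator Reset":
        return "manual"
    if lifetime and abs(session["duration_s"] - lifetime) <= tolerance * lifetime:
        return "at-rekey-lifetime"
    return "early-peer-teardown"


def triage(log):
    lifetime = negotiated_lifetime(log)
    return [(s["duration_s"], classify(s, lifetime)) for s in sessions(log)]
```

Run against the thread's lines, both 23-minute sessions come out as early peer teardowns far below the 3600 s lifetime, which is the evidence that rekey settings are not the cause.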