Security Basics mailing list archives
RE: frequent vpn tunnel drops
From: "Rosenhan, David" <David.Rosenhan () swiftbrands com>
Date: Mon, 1 Mar 2004 08:59:15 -0700
I see this is a debug from an initial connection. I am assuming this debug is from the concentrator, and after the first part of it you see a "duplicate first packet detected" error. This error means the client is resending packets to the concentrator, but for some reason the ACK packets that the concentrator sends out are not being received by the client. This could be because UDP port 500 is being blocked from the concentrator to the internet, or ESP is being blocked.

I would suggest turning on transparent tunneling using UDP port 4500; this is called NAT-T in the concentrator. This can be done in the concentrator under this menu: Configuration | System | Tunneling Protocols | IPSec | NAT Transparency. If this is not an option then you have the option above NAT-T that will allow your client to establish a tunnel over any TCP port you configure in that same menu; the same port will need to be manually configured on the client. There is one other option in the group configuration that allows the client to connect over different UDP ports; this can be configured under this menu: Configuration | User Management | Groups, choose the group the user is connecting to, click the "client config" tab, and the third and fourth options are where you can configure this.

If this does not work then send the debugs from the client side and we can look at them.

Thanks!!

David Rosenhan, CCNP
Information Technology

-----Original Message-----
From: new bie kapper [mailto:securekaps () yahoo com]
Sent: Friday, February 27, 2004 7:21 AM
To: security-basics () securityfocus com
Subject: frequent vpn tunnel drops

hi all,

I am just stuck with this big problem and have no clue what's going on!! I am into security monitoring of a client and we have a VPN tunnel through our VPN Concentrator 3000 series to their WatchGuard Firebox. The tunnel stays up for anything from 1 minute to 2 days and then goes down!!
Everything worked fine until 3 weeks ago, but since then it's been frequent tunnel drops. I have logged the error messages I get on my VPN concentrator to see if anybody can help me with this. Could there be a routing policy issue at their end.. which I doubt since it was working before!! and since the tunnel comes up for variable times!! could be an IPsec fragmentation issue!!?? just wondering!! thanks.. below is the log

58518 02/27/2004 07:42:08.380 SEV=5 IKE/35 RPT=2455 65.68.11.49 Group [65.68.11.49] Received remote IP Proxy Subnet data in ID Payload: Address 10.40.1.0, Mask 255.255.255.0, Protocol 0, Port 0
58521 02/27/2004 07:42:08.380 SEV=5 IKE/34 RPT=2458 65.68.11.49 Group [65.68.11.49] Received local IP Proxy Subnet data in ID Payload: Address 172.16.2.0, Mask 255.255.255.0, Protocol 0, Port 0
58524 02/27/2004 07:42:08.380 SEV=5 IKE/66 RPT=7250 65.68.11.49 Group [65.68.11.49] IKE Remote Peer configured for SA: L2L: CommercialBank
58525 02/27/2004 07:42:08.380 SEV=5 IKE/75 RPT=6857 65.68.11.49 Group [65.68.11.49] Overriding Initiator's IPSec rekeying duration from 86400 to 28800 seconds
58527 02/27/2004 07:42:28.570 SEV=4 IKEDBG/0 RPT=3072 QM FSM error (P2 struct &0x330a17c, mess id 0xc0a6e099)!
58528 02/27/2004 07:42:28.570 SEV=4 IKEDBG/65 RPT=9942 65.68.11.49 Group [65.68.11.49] IKE QM Responder FSM error history (struct &0x330a17c)
  <state>, <event>:
  QM_DONE, EV_ERROR
  QM_WAIT_MSG3, EV_RESEND_MSG
  QM_WAIT_MSG3, NullEvent
  QM_SND_MSG2, EV_SND_MSG
58533 02/27/2004 07:42:38.380 SEV=4 AUTH/23 RPT=876 65.68.11.49 User 65.68.11.49 disconnected: duration: 0:56:18
58534 02/27/2004 07:42:38.600 SEV=4 IKE/41 RPT=8619 65.68.11.49 IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
58537 02/27/2004 07:43:10.600 SEV=4 IKEDBG/65 RPT=9943 65.68.11.49 IKE MM Initiator FSM error history (struct &0x3a2a554)
  <state>, <event>:
  MM_DONE, EV_ERROR
  MM_WAIT_MSG2, EV_RETRY
  MM_WAIT_MSG2, EV_TIMEOUT
  MM_WAIT_MSG2, NullEvent
58541 02/27/2004 07:43:12.420 SEV=4 IKE/41 RPT=8620 65.68.11.49 IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
58544 02/27/2004 07:43:43.540 SEV=4 IKE/0 RPT=8192 65.68.11.49 Duplicate first packet detected!
58545 02/27/2004 07:43:44.420 SEV=4 IKEDBG/65 RPT=9944 65.68.11.49 IKE MM Initiator FSM error history (struct &0x373ffc4)
  <state>, <event>:
  MM_DONE, EV_ERROR
  MM_WAIT_MSG2, EV_RETRY
  MM_WAIT_MSG2, EV_TIMEOUT
  MM_WAIT_MSG2, NullEvent
58549 02/27/2004 07:43:53.550 SEV=4 IKE/0 RPT=8193 65.68.11.49 Duplicate first packet detected!
58550 02/27/2004 07:44:03.560 SEV=4 IKE/0 RPT=8194 65.68.11.49 Duplicate first packet detected!
58551 02/27/2004 07:44:05.640 SEV=4 IKEDBG/65 RPT=9945 65.68.11.49 IKE MM Responder FSM error history (struct &0x37806c8)
  <state>, <event>:
  MM_DONE, EV_ERROR
  MM_WAIT_MSG3, EV_TIMEOUT
  MM_WAIT_MSG3, NullEvent
  MM_SND_MSG2, EV_SND_MSG
58555 02/27/2004 07:44:07.530 SEV=4 IKE/41 RPT=8621 65.68.11.49 IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
58558 02/27/2004 07:44:23.580 SEV=4 IKE/0 RPT=8195 65.68.11.49 Duplicate first packet detected!
58559 02/27/2004 07:44:39.530 SEV=4 IKEDBG/65 RPT=9946 65.68.11.49 IKE MM Initiator FSM error history (struct &0x3932278)
  <state>, <event>:
  MM_DONE, EV_ERROR
  MM_WAIT_MSG2, EV_RETRY
  MM_WAIT_MSG2, EV_TIMEOUT
  MM_WAIT_MSG2, NullEvent
58563 02/27/2004 07:44:45.670 SEV=4 IKEDBG/65 RPT=9947 65.68.11.49 IKE MM Responder FSM error history (struct &0x374df5c)
  <state>, <event>:
  MM_DONE, EV_ERROR
  MM_WAIT_MSG3, EV_TIMEOUT
  MM_WAIT_MSG3, NullEvent
  MM_SND_MSG2, EV_SND_MSG
58567 02/27/2004 07:44:47.610 SEV=4 IKE/41 RPT=8622 65.68.11.49 IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
58570 02/27/2004 07:45:08.800 SEV=4 IKE/0 RPT=8196 65.68.11.49 Duplicate first packet detected!
58571 02/27/2004 07:45:19.040 SEV=4 IKE/0 RPT=8197 65.68.11.49 Duplicate first packet detected!
58572 02/27/2004 07:45:19.610 SEV=4 IKEDBG/65 RPT=9948 65.68.11.49 IKE MM Initiator FSM error history (struct &0x3738ff8)
  <state>, <event>:
  MM_DONE, EV_ERROR
  MM_WAIT_MSG2, EV_RETRY
  MM_WAIT_MSG2, EV_TIMEOUT
  MM_WAIT_MSG2, NullEvent
58576 02/27/2004 07:45:29.270 SEV=4 IKE/0 RPT=8198 65.68.11.49 Duplicate first packet detected!
58577 02/27/2004 07:45:30.800 SEV=4 IKEDBG/65 RPT=9949 65.68.11.49 IKE MM Responder FSM error history (struct &0x38035f0)
  <state>, <event>:
  MM_DONE, EV_ERROR
  MM_WAIT_MSG3, EV_TIMEOUT
  MM_WAIT_MSG3, NullEvent
  MM_SND_MSG2, EV_SND_MSG
58581 02/27/2004 07:45:32.710 SEV=4 IKE/41 RPT=8623 65.68.11.49 IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
58584 02/27/2004 07:45:49.740 SEV=4 IKE/0 RPT=8199 65.68.11.49 Duplicate first packet detected!
58585 02/27/2004 07:45:55.220 SEV=5 IKE/25 RPT=5967 65.64.127.66 Group [65.64.127.66] Received remote Proxy Host data in ID Payload: Address 192.168.254.14, Protocol 0, Port 0
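As an added example (not from the thread or from Cisco), a small parser for the VPN 3000 event-log format quoted above that counts, per peer, the symptoms David's reply points at (Duplicate first packet, Phase 1 restarts, MM_WAIT_MSG2 timeouts, disconnects) and flags a peer as flapping when three Phase 1 restarts fall inside five minutes. The sample log lines are constructed from entries in the thread, and the three-restarts-in-five-minutes threshold is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one event per line, in the VPN 3000 event-log format quoted in the thread.
SAMPLE_LOG = """\
58533 02/27/2004 07:42:38.380 SEV=4 AUTH/23 RPT=876 65.68.11.49 User 65.68.11.49 disconnected: duration: 0:56:18
58534 02/27/2004 07:42:38.600 SEV=4 IKE/41 RPT=8619 65.68.11.49 IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
58537 02/27/2004 07:43:10.600 SEV=4 IKEDBG/65 RPT=9943 65.68.11.49 IKE MM Initiator FSM error history (struct &0x3a2a554) MM_DONE, EV_ERROR MM_WAIT_MSG2, EV_RETRY MM_WAIT_MSG2, EV_TIMEOUT
58541 02/27/2004 07:43:12.420 SEV=4 IKE/41 RPT=8620 65.68.11.49 IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
58544 02/27/2004 07:43:43.540 SEV=4 IKE/0 RPT=8192 65.68.11.49 Duplicate first packet detected!
58549 02/27/2004 07:43:53.550 SEV=4 IKE/0 RPT=8193 65.68.11.49 Duplicate first packet detected!
58555 02/27/2004 07:44:07.530 SEV=4 IKE/41 RPT=8621 65.68.11.49 IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
58585 02/27/2004 07:45:55.220 SEV=5 IKE/25 RPT=5967 65.64.127.66 Group [65.64.127.66] Received remote Proxy Host data in ID Payload: Address 192.168.254.14, Protocol 0, Port 0
"""

# seq date time SEV=n CLASS/id RPT=n [peer-ip] message   (peer is absent on some IKEDBG lines)
LINE_RE = re.compile(
    r"^(?P<seq>\d+) (?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d\.\d{3}) "
    r"SEV=(?P<sev>\d) (?P<cls>[A-Z]+/\d+) RPT=\d+ (?:(?P<peer>\d+\.\d+\.\d+\.\d+) )?(?P<msg>.*)$")

def parse_events(text):
    """Yield one dict per parsable event line; lines that do not match are skipped."""
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%m/%d/%Y %H:%M:%S.%f")
        yield ev

def summarize(text, window=timedelta(minutes=5), threshold=3):
    """Per-peer symptom counts; 'flapping' = `threshold` Phase 1 restarts inside `window` (assumed values)."""
    peers = defaultdict(lambda: {"dup_first_packet": 0, "phase1_restarts": 0,
                                 "mm_wait_msg2_timeouts": 0, "disconnects": 0, "_p1": []})
    for ev in parse_events(text):
        p, msg = peers[ev["peer"] or "unknown"], ev["msg"]
        if "Duplicate first packet detected" in msg:       # peer resent MM1: our reply never got back to it
            p["dup_first_packet"] += 1
        elif msg.startswith("IKE Initiator: New Phase 1"):  # tunnel being rebuilt from scratch
            p["phase1_restarts"] += 1
            p["_p1"].append(ev["ts"])
        elif "MM_WAIT_MSG2, EV_TIMEOUT" in msg:             # no answer to our first Main Mode message
            p["mm_wait_msg2_timeouts"] += 1
        elif " disconnected:" in msg:
            p["disconnects"] += 1
    for p in peers.values():
        ts = sorted(p.pop("_p1"))
        p["flapping"] = any(ts[i + threshold - 1] - ts[i] <= window
                            for i in range(len(ts) - threshold + 1))
    return dict(peers)
```

A peer whose counters are dominated by dup_first_packet and mm_wait_msg2_timeouts is losing IKE traffic in one direction, which is the UDP 500 / ESP filtering case the reply describes; a flapping peer with clean Phase 1 exchanges points elsewhere (rekey or Phase 2 problems).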