Security Basics mailing list archives

RE: frequent vpn tunnel drops


From: "Rosenhan, David" <David.Rosenhan () swiftbrands com>
Date: Mon, 1 Mar 2004 08:59:15 -0700

I see this is a debug from an initial connection; I am assuming this
debug is from the concentrator, and after the first part of it you see a
"duplicate first packet detected" error.  This error means the client is
resending packets to the concentrator, but for some reason the ACK
packets that the concentrator sends out are not being received by the
client.  This could be because UDP port 500 is being blocked from the
concentrator to the internet, or ESP is being blocked.

I would suggest turning on transparent tunneling using UDP port 4500;
this is called NAT-T in the concentrator.  This can be done in the
concentrator under this menu: Configuration | System | Tunneling
Protocols | IPSec | NAT Transparency.  If this is not an option, then you
have the option above NAT-T that will allow your client to establish a
tunnel over any TCP port you configure in that same menu; the same port
will need to be manually configured on the client.

There is one other option in the group configuration that allows the
client to connect over different UDP ports; this can be configured under
this menu:
Configuration | User Management | Groups. Choose the group the user is
connecting to, click the "client config" tab, and the third and fourth
options are where you can configure this.

If this does not work then send the debugs from the client side and we
can look at them.

Thanks!!

David Rosenhan, CCNP
Information Technology


-----Original Message-----
From: new bie kapper [mailto:securekaps () yahoo com] 
Sent: Friday, February 27, 2004 7:21 AM
To: security-basics () securityfocus com
Subject: frequent vpn tunnel drops

Hi all,
I am just stuck with this big problem and have no clue
what's going on!! I am into security monitoring of a
client and we have a VPN tunnel through our VPN
Concentrator 3000 series to their WatchGuard
Firebox. The tunnel stays up for anything from 1 minute
to 2 days and then goes down!!
Everything worked fine until 3 weeks ago, but since then
it's been frequent tunnel drops. I have logged the error
messages I get on my VPN concentrator to see if
anybody can help me with this.
Could there be a routing policy issue at their
end, which I doubt since it was working before!! And
since the tunnel comes up for variable times, could it be
an IPsec fragmentation issue!!?? Just wondering!!
Thanks... below is the log:
58518 02/27/2004 07:42:08.380 SEV=5 IKE/35 RPT=2455 65.68.11.49
Group [65.68.11.49]
Received remote IP Proxy Subnet data in ID Payload:
Address 10.40.1.0, Mask 255.255.255.0, Protocol 0, Port 0

58521 02/27/2004 07:42:08.380 SEV=5 IKE/34 RPT=2458 65.68.11.49
Group [65.68.11.49]
Received local IP Proxy Subnet data in ID Payload:
Address 172.16.2.0, Mask 255.255.255.0, Protocol 0, Port 0

58524 02/27/2004 07:42:08.380 SEV=5 IKE/66 RPT=7250 65.68.11.49
Group [65.68.11.49]
IKE Remote Peer configured for SA: L2L: CommercialBank

58525 02/27/2004 07:42:08.380 SEV=5 IKE/75 RPT=6857 65.68.11.49
Group [65.68.11.49]
Overriding Initiator's IPSec rekeying duration from 86400 to 28800 seconds

58527 02/27/2004 07:42:28.570 SEV=4 IKEDBG/0 RPT=3072
QM FSM error (P2 struct &0x330a17c, mess id 0xc0a6e099)!

58528 02/27/2004 07:42:28.570 SEV=4 IKEDBG/65 RPT=9942 65.68.11.49
Group [65.68.11.49]
IKE QM Responder FSM error history (struct &0x330a17c)
<state>, <event>:
QM_DONE, EV_ERROR
QM_WAIT_MSG3, EV_RESEND_MSG
QM_WAIT_MSG3, NullEvent
QM_SND_MSG2, EV_SND_MSG

58533 02/27/2004 07:42:38.380 SEV=4 AUTH/23 RPT=876 65.68.11.49
User 65.68.11.49 disconnected: duration: 0:56:18

58534 02/27/2004 07:42:38.600 SEV=4 IKE/41 RPT=8619 65.68.11.49
IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49
local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0,
SA (L2L: CommercialBank)

58537 02/27/2004 07:43:10.600 SEV=4 IKEDBG/65 RPT=9943 65.68.11.49
IKE MM Initiator FSM error history (struct &0x3a2a554)
<state>, <event>:
MM_DONE, EV_ERROR
MM_WAIT_MSG2, EV_RETRY
MM_WAIT_MSG2, EV_TIMEOUT
MM_WAIT_MSG2, NullEvent

58541 02/27/2004 07:43:12.420 SEV=4 IKE/41 RPT=8620 65.68.11.49
IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49
local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0,
SA (L2L: CommercialBank)

58544 02/27/2004 07:43:43.540 SEV=4 IKE/0 RPT=8192 65.68.11.49
Duplicate first packet detected!

58545 02/27/2004 07:43:44.420 SEV=4 IKEDBG/65 RPT=9944 65.68.11.49
IKE MM Initiator FSM error history (struct &0x373ffc4)
<state>, <event>:
MM_DONE, EV_ERROR
MM_WAIT_MSG2, EV_RETRY
MM_WAIT_MSG2, EV_TIMEOUT
MM_WAIT_MSG2, NullEvent

58549 02/27/2004 07:43:53.550 SEV=4 IKE/0 RPT=8193 65.68.11.49
Duplicate first packet detected!

58550 02/27/2004 07:44:03.560 SEV=4 IKE/0 RPT=8194 65.68.11.49
Duplicate first packet detected!

58551 02/27/2004 07:44:05.640 SEV=4 IKEDBG/65 RPT=9945 65.68.11.49
IKE MM Responder FSM error history (struct &0x37806c8)
<state>, <event>:
MM_DONE, EV_ERROR
MM_WAIT_MSG3, EV_TIMEOUT
MM_WAIT_MSG3, NullEvent
MM_SND_MSG2, EV_SND_MSG

58555 02/27/2004 07:44:07.530 SEV=4 IKE/41 RPT=8621 65.68.11.49
IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49
local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0,
SA (L2L: CommercialBank)

58558 02/27/2004 07:44:23.580 SEV=4 IKE/0 RPT=8195 65.68.11.49
Duplicate first packet detected!

58559 02/27/2004 07:44:39.530 SEV=4 IKEDBG/65 RPT=9946 65.68.11.49
IKE MM Initiator FSM error history (struct &0x3932278)
<state>, <event>:
MM_DONE, EV_ERROR
MM_WAIT_MSG2, EV_RETRY
MM_WAIT_MSG2, EV_TIMEOUT
MM_WAIT_MSG2, NullEvent

58563 02/27/2004 07:44:45.670 SEV=4 IKEDBG/65 RPT=9947 65.68.11.49
IKE MM Responder FSM error history (struct &0x374df5c)
<state>, <event>:
MM_DONE, EV_ERROR
MM_WAIT_MSG3, EV_TIMEOUT
MM_WAIT_MSG3, NullEvent
MM_SND_MSG2, EV_SND_MSG

58567 02/27/2004 07:44:47.610 SEV=4 IKE/41 RPT=8622 65.68.11.49
IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49
local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0,
SA (L2L: CommercialBank)

58570 02/27/2004 07:45:08.800 SEV=4 IKE/0 RPT=8196 65.68.11.49
Duplicate first packet detected!

58571 02/27/2004 07:45:19.040 SEV=4 IKE/0 RPT=8197 65.68.11.49
Duplicate first packet detected!

58572 02/27/2004 07:45:19.610 SEV=4 IKEDBG/65 RPT=9948 65.68.11.49
IKE MM Initiator FSM error history (struct &0x3738ff8)
<state>, <event>:
MM_DONE, EV_ERROR
MM_WAIT_MSG2, EV_RETRY
MM_WAIT_MSG2, EV_TIMEOUT
MM_WAIT_MSG2, NullEvent

58576 02/27/2004 07:45:29.270 SEV=4 IKE/0 RPT=8198 65.68.11.49
Duplicate first packet detected!

58577 02/27/2004 07:45:30.800 SEV=4 IKEDBG/65 RPT=9949 65.68.11.49
IKE MM Responder FSM error history (struct &0x38035f0)
<state>, <event>:
MM_DONE, EV_ERROR
MM_WAIT_MSG3, EV_TIMEOUT
MM_WAIT_MSG3, NullEvent
MM_SND_MSG2, EV_SND_MSG

58581 02/27/2004 07:45:32.710 SEV=4 IKE/41 RPT=8623 65.68.11.49
IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49
local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0,
SA (L2L: CommercialBank)

58584 02/27/2004 07:45:49.740 SEV=4 IKE/0 RPT=8199 65.68.11.49
Duplicate first packet detected!

58585 02/27/2004 07:45:55.220 SEV=5 IKE/25 RPT=5967 65.64.127.66
Group [65.64.127.66]
Received remote Proxy Host data in ID Payload:
Address 192.168.254.14, Protocol 0, Port 0

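As an added example (not part of this thread, and not a tool shipped with the concentrator), the following Python script parses event records in the format the log above uses and reduces them to the two things the reply keys on: how many "Duplicate first packet detected!" events a peer produced, and which IKE message each failed negotiation was waiting for when it gave up. The record layout (a header line with sequence number, timestamp, SEV, class/id, RPT and peer IP, then body lines, records separated by blank lines) is taken from the posted log; the reading of each FSM state as "message N never arrived" is an assumption about the IKEv1 main-mode and quick-mode exchanges, and the embedded sample log is constructed (abridged from the thread), not fresh concentrator output.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Event header with the peer IP on the same line, as the concentrator writes it; mail
# clients often wrap that IP onto the next line, and parse_records accepts both forms.
HEADER = re.compile(r"^\d+ \d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3} SEV=\d "
                    r"(?P<cls>[A-Z]+)/\d+ RPT=\d+(?: (?P<peer>\d+(?:\.\d+){3}))?$")
IPV4 = re.compile(r"^\d+(?:\.\d+){3}$")
FSM_HDR = re.compile(r"^IKE (?P<mode>MM|QM) (?P<role>Initiator|Responder) FSM error history")
FSM_ROW = re.compile(r"^(?P<state>[A-Z0-9_]+), (?P<event>[A-Za-z_]+)$")
Record = Tuple[str, Optional[str], List[str]]   # (event class, peer IP, body lines)

def parse_records(text: str) -> List[Record]:
    """Split blank-line separated events into (class, peer, body) records."""
    out: List[Record] = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        m = HEADER.match(lines[0])
        if not m:
            continue                                    # not an event header, skip
        peer, body = m["peer"], lines[1:]
        if peer is None and body and IPV4.match(body[0]):
            peer = body.pop(0)                          # wrapped-IP form
        out.append((m["cls"], peer, body))
    return out

def stuck_state(body: List[str]) -> Optional[str]:
    """History is newest-first: the row after '*_DONE, EV_ERROR' is where it gave up."""
    rows = [r for r in map(FSM_ROW.match, body) if r]
    for prev, cur in zip(rows, rows[1:]):
        if prev["state"].endswith("_DONE") and prev["event"] == "EV_ERROR":
            return cur["state"]
    return None

def summarize(records: List[Record]) -> Dict[str, Counter]:
    """Per-peer counts of the symptoms that matter when IKE packets are being dropped."""
    per_peer: Dict[str, Counter] = defaultdict(Counter)
    for cls, peer, body in records:
        c, first = per_peer[peer or "?"], (body[0] if body else "")
        if cls == "IKE" and first.startswith("Duplicate first packet"):
            c["dup_first_packet"] += 1
        elif cls == "IKEDBG":
            hdr, state = next((m for m in map(FSM_HDR.match, body) if m), None), stuck_state(body)
            if hdr and state:
                c[f"{hdr['mode']} {hdr['role']} stuck in {state}"] += 1
    return {p: c for p, c in per_peer.items() if c}   # drop peers with nothing counted

# Assumed reading of each stuck state in IKEv1 main-mode (MM) / quick-mode (QM) message
# numbers; the mapping is this example's own, not taken from Cisco documentation.
MEANING = {
    "MM Initiator stuck in MM_WAIT_MSG2": "we sent MM1, the peer's MM2 never arrived",
    "MM Responder stuck in MM_WAIT_MSG3": "we answered the peer's MM1 with MM2, its MM3 never arrived",
    "QM Responder stuck in QM_WAIT_MSG3": "phase 2: we sent QM2, the peer's QM3 never arrived",
}

def diagnose(summary: Dict[str, Counter]) -> Dict[str, List[str]]:
    """Turn the counters into the points to raise with the far end."""
    findings: Dict[str, List[str]] = {}
    for peer, c in summary.items():
        notes = [f"{n}x {k}: {MEANING.get(k, 'unmapped state')}" for k, n in c.items() if "stuck" in k]
        if c["dup_first_packet"]:
            notes.append(f"{c['dup_first_packet']}x duplicate first packet: the peer keeps resending MM1, "
                         "so our replies are not reaching it; check UDP/500 and ESP both ways, or enable NAT-T on UDP/4500")
        if notes:
            findings[peer] = notes
    return findings

# Constructed sample, abridged from the concentrator log in the thread.
SAMPLE_LOG = """\
58528 02/27/2004 07:42:28.570 SEV=4 IKEDBG/65 RPT=9942 65.68.11.49
Group [65.68.11.49]
IKE QM Responder FSM error history (struct &0x330a17c)
<state>, <event>:
QM_DONE, EV_ERROR
QM_WAIT_MSG3, EV_RESEND_MSG
QM_WAIT_MSG3, NullEvent
QM_SND_MSG2, EV_SND_MSG

58537 02/27/2004 07:43:10.600 SEV=4 IKEDBG/65 RPT=9943 65.68.11.49
IKE MM Initiator FSM error history (struct &0x3a2a554)
<state>, <event>:
MM_DONE, EV_ERROR
MM_WAIT_MSG2, EV_RETRY
MM_WAIT_MSG2, EV_TIMEOUT
MM_WAIT_MSG2, NullEvent

58544 02/27/2004 07:43:43.540 SEV=4 IKE/0 RPT=8192 65.68.11.49
Duplicate first packet detected!

58551 02/27/2004 07:44:05.640 SEV=4 IKEDBG/65 RPT=9945 65.68.11.49
IKE MM Responder FSM error history (struct &0x37806c8)
<state>, <event>:
MM_DONE, EV_ERROR
MM_WAIT_MSG3, EV_TIMEOUT
MM_WAIT_MSG3, NullEvent
MM_SND_MSG2, EV_SND_MSG
"""
```

Feed parse_records the saved event-log text, then summarize and diagnose the result per peer. On the posted log this yields, for 65.68.11.49, a responder that keeps timing out in MM_WAIT_MSG3 alongside a run of duplicate first packets, which points at the concentrator's main-mode message 2 as the packet to look for in a capture on the far side, and an initiator timing out in MM_WAIT_MSG2, which says the peer's replies are not getting back either; both are worth checking before changing the SA lifetimes.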
