Security Basics mailing list archives
RE: frequent vpn tunnel drops
From: "Kathmann, Nicholas" <Nicholas.Kathmann () KaiserAl com>
Date: Tue, 9 Mar 2004 15:49:50 -0600
Ensure that the subnets you are trying to route through the VPN tunnel are all in the network lists associated with that group. I'm not too sure of how you would handle that with the Watchguard. For the drops you can enable keepalives. Once the tunnel goes down it should drop the SA and renegotiate.

Thanks,
Nick

-----Original Message-----
From: new bie kapper [mailto:securekaps () yahoo com]
Sent: Tuesday, March 09, 2004 12:29 AM
To: Rosenhan, David; security-basics () securityfocus com
Subject: RE: frequent vpn tunnel drops

hi all,
Attached is the log of the concentrator; sometimes it gives "received unencrypted packet when crypto active", other times it gives "duplicate first packet detected". The log observed for the watchguard is also attached.
Thanks

--- "Rosenhan, David" <David.Rosenhan () swiftbrands com> wrote:
I see this is a debug from an initial connection. I am assuming this debug is from the concentrator, and after the first part of it you see a "duplicate first packet detected" error. This error means the client is resending packets to the concentrator, but for some reason the ACK packets that the concentrator sends out are not being received by the client. This could be because UDP port 500 is being blocked from the concentrator to the internet, or ESP is being blocked.

I would suggest turning on transparent tunneling using UDP port 4500; this is called NAT-T in the concentrator. This can be done in the concentrator under this menu: Configuration | System | Tunneling Protocols | IPSec | NAT Transparency. If this is not an option then you have the option above NAT-T that will allow your client to establish a tunnel over any TCP port you configure in that same menu; the same port will need to be manually configured on the client. There is one other option in the group configuration that allows the client to connect over different UDP ports; this can be configured under this menu: Configuration | User Management | Groups, choose the group the user is connecting to, click the "client config" tab, and the third and fourth options are where you can configure this. If this does not work then send the debugs from the client side and we can look at them.

Thanks!!
David Rosenhan, CCNP
Information Technology

-----Original Message-----
From: new bie kapper [mailto:securekaps () yahoo com]
Sent: Friday, February 27, 2004 7:21 AM
To: security-basics () securityfocus com
Subject: frequent vpn tunnel drops

hi all,
i am just stuck with this big problem and have no clue what's going on!! i am into security monitoring of a client and we have a VPN Tunnel through our VPN CONCENTRATOR 3000 SERIES to their watchguard firebox. The tunnel stays up for anything from 1 minute to 2 days and then goes down!!
Everything worked fine until 3 weeks ago, but since then it's been frequent tunnel drops. i have logged the error messages i get on my vpn concentrator to see if anybody can help me with this. Could there be a routing policy issue at their end.. which i doubt since it was working before!! and since the tunnel comes up for variable times!! could be an ipsec fragmentation issue!!?? just wondering!! thanks.. below is the log

58518 02/27/2004 07:42:08.380 SEV=5 IKE/35 RPT=2455 65.68.11.49 Group [65.68.11.49] Received remote IP Proxy Subnet data in ID Payload: Address 10.40.1.0, Mask 255.255.255.0, Protocol 0, Port 0
58521 02/27/2004 07:42:08.380 SEV=5 IKE/34 RPT=2458 65.68.11.49 Group [65.68.11.49] Received local IP Proxy Subnet data in ID Payload: Address 172.16.2.0, Mask 255.255.255.0, Protocol 0, Port 0
58524 02/27/2004 07:42:08.380 SEV=5 IKE/66 RPT=7250 65.68.11.49 Group [65.68.11.49] IKE Remote Peer configured for SA: L2L: CommercialBank
58525 02/27/2004 07:42:08.380 SEV=5 IKE/75 RPT=6857 65.68.11.49 Group [65.68.11.49] Overriding Initiator's IPSec rekeying duration from 86400 to 28800 seconds
58527 02/27/2004 07:42:28.570 SEV=4 IKEDBG/0 RPT=3072 QM FSM error (P2 struct &0x330a17c, mess id 0xc0a6e099)!
58528 02/27/2004 07:42:28.570 SEV=4 IKEDBG/65 RPT=9942 65.68.11.49 Group [65.68.11.49] IKE QM Responder FSM error history (struct &0x330a17c) <state>, <event>: QM_DONE, EV_ERROR QM_WAIT_MSG3, EV_RESEND_MSG QM_WAIT_MSG3, NullEvent QM_SND_MSG2, EV_SND_MSG
58533 02/27/2004 07:42:38.380 SEV=4 AUTH/23 RPT=876 65.68.11.49 User 65.68.11.49 disconnected: duration: 0:56:18
58534 02/27/2004 07:42:38.600 SEV=4 IKE/41 RPT=8619 65.68.11.49 IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
58537 02/27/2004 07:43:10.600 SEV=4 IKEDBG/65 RPT=9943 65.68.11.49 IKE MM Initiator FSM error history (struct &0x3a2a554) <state>, <event>: MM_DONE, EV_ERROR MM_WAIT_MSG2, EV_RETRY MM_WAIT_MSG2, EV_TIMEOUT MM_WAIT_MSG2, NullEvent
58541 02/27/2004 07:43:12.420 SEV=4 IKE/41 RPT=8620 65.68.11.49 IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
58544 02/27/2004 07:43:43.540 SEV=4 IKE/0 RPT=8192 65.68.11.49 Duplicate first packet detected!
58545 02/27/2004 07:43:44.420 SEV=4 IKEDBG/65 RPT=9944 65.68.11.49 IKE MM Initiator FSM error history (struct &0x373ffc4) <state>, <event>: MM_DONE, EV_ERROR MM_WAIT_MSG2, EV_RETRY MM_WAIT_MSG2, EV_TIMEOUT MM_WAIT_MSG2, NullEvent
58549 02/27/2004 07:43:53.550 SEV=4 IKE/0 RPT=8193 65.68.11.49 Duplicate first packet detected!
58550 02/27/2004 07:44:03.560 SEV=4 IKE/0 RPT=8194 65.68.11.49 Duplicate first packet detected!
58551 02/27/2004 07:44:05.640 SEV=4 IKEDBG/65 RPT=9945 65.68.11.49 IKE MM Responder FSM error history (struct &0x37806c8) <state>, <event>: MM_DONE, EV_ERROR MM_WAIT_MSG3, EV_TIMEOUT MM_WAIT_MSG3, NullEvent MM_SND_MSG2, EV_SND_MSG
58555 02/27/2004 07:44:07.530 SEV=4 IKE/41 RPT=8621 65.68.11.49 IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
58558 02/27/2004 07:44:23.580 SEV=4 IKE/0 RPT=8195 65.68.11.49 Duplicate first packet detected!
58559 02/27/2004 07:44:39.530 SEV=4 IKEDBG/65 RPT=9946 65.68.11.49 IKE MM Initiator FSM error history (struct &0x3932278)
=== message truncated ===
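The diagnosis in the thread above is read by hand from the concentrator's event log: "Duplicate first packet detected!" means the peer keeps retransmitting IKE message 1, and the FSM error histories show in which state (initiator waiting for message 2, responder waiting for message 3) each exchange stalled, which is how David arrives at "our reply is not getting back to the client". The Python below is an added example, not code from the thread or from Cisco: it parses event lines in the layout seen in the quoted log (the field layout regex and the per-state interpretation strings are my own assumptions inferred from those lines, not a Cisco specification), runs over a handful of the quoted lines, and tallies duplicate-first-packet events, Phase 1 restarts, where each failed exchange stalled, and tunnel lifetimes from the disconnect records.

```python
"""Summarise IKE failures from Cisco VPN 3000 concentrator event-log lines.

Added example. The line layout is inferred from the log quoted in the thread,
not taken from a Cisco specification, so treat LINE_RE as an assumption.
"""
import re
from collections import Counter

# Sample input: event lines copied from the log quoted in the thread, one event
# per line (the archive runs them together on a single line).
SAMPLE_LOG = """\
58518 02/27/2004 07:42:08.380 SEV=5 IKE/35 RPT=2455 65.68.11.49 Group [65.68.11.49] Received remote IP Proxy Subnet data in ID Payload: Address 10.40.1.0, Mask 255.255.255.0, Protocol 0, Port 0
58525 02/27/2004 07:42:08.380 SEV=5 IKE/75 RPT=6857 65.68.11.49 Group [65.68.11.49] Overriding Initiator's IPSec rekeying duration from 86400 to 28800 seconds
58527 02/27/2004 07:42:28.570 SEV=4 IKEDBG/0 RPT=3072 QM FSM error (P2 struct &0x330a17c, mess id 0xc0a6e099)!
58528 02/27/2004 07:42:28.570 SEV=4 IKEDBG/65 RPT=9942 65.68.11.49 Group [65.68.11.49] IKE QM Responder FSM error history (struct &0x330a17c) <state>, <event>: QM_DONE, EV_ERROR QM_WAIT_MSG3, EV_RESEND_MSG QM_WAIT_MSG3, NullEvent QM_SND_MSG2, EV_SND_MSG
58533 02/27/2004 07:42:38.380 SEV=4 AUTH/23 RPT=876 65.68.11.49 User 65.68.11.49 disconnected: duration: 0:56:18
58534 02/27/2004 07:42:38.600 SEV=4 IKE/41 RPT=8619 65.68.11.49 IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
58537 02/27/2004 07:43:10.600 SEV=4 IKEDBG/65 RPT=9943 65.68.11.49 IKE MM Initiator FSM error history (struct &0x3a2a554) <state>, <event>: MM_DONE, EV_ERROR MM_WAIT_MSG2, EV_RETRY MM_WAIT_MSG2, EV_TIMEOUT MM_WAIT_MSG2, NullEvent
58541 02/27/2004 07:43:12.420 SEV=4 IKE/41 RPT=8620 65.68.11.49 IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
58544 02/27/2004 07:43:43.540 SEV=4 IKE/0 RPT=8192 65.68.11.49 Duplicate first packet detected!
58545 02/27/2004 07:43:44.420 SEV=4 IKEDBG/65 RPT=9944 65.68.11.49 IKE MM Initiator FSM error history (struct &0x373ffc4) <state>, <event>: MM_DONE, EV_ERROR MM_WAIT_MSG2, EV_RETRY MM_WAIT_MSG2, EV_TIMEOUT MM_WAIT_MSG2, NullEvent
58549 02/27/2004 07:43:53.550 SEV=4 IKE/0 RPT=8193 65.68.11.49 Duplicate first packet detected!
58550 02/27/2004 07:44:03.560 SEV=4 IKE/0 RPT=8194 65.68.11.49 Duplicate first packet detected!
58551 02/27/2004 07:44:05.640 SEV=4 IKEDBG/65 RPT=9945 65.68.11.49 IKE MM Responder FSM error history (struct &0x37806c8) <state>, <event>: MM_DONE, EV_ERROR MM_WAIT_MSG3, EV_TIMEOUT MM_WAIT_MSG3, NullEvent MM_SND_MSG2, EV_SND_MSG
58555 02/27/2004 07:44:07.530 SEV=4 IKE/41 RPT=8621 65.68.11.49 IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
58558 02/27/2004 07:44:23.580 SEV=4 IKE/0 RPT=8195 65.68.11.49 Duplicate first packet detected!
58559 02/27/2004 07:44:39.530 SEV=4 IKEDBG/65 RPT=9946 65.68.11.49 IKE MM Initiator FSM error history (struct &0x3932278)
"""

# Assumed layout: <id> <date> <time> SEV=<n> <class>/<num> RPT=<n> [<peer>] <message>
# The peer IP is absent on some lines (e.g. IKEDBG/0), so it is optional.
LINE_RE = re.compile(
    r"^(?P<id>\d+) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"SEV=(?P<sev>\d) (?P<cls>[A-Z]+)/(?P<num>\d+) RPT=(?P<rpt>\d+)"
    r"(?: (?P<peer>\d{1,3}(?:\.\d{1,3}){3}))? (?P<msg>.*)$"
)
FSM_RE = re.compile(r"IKE (?P<mode>MM|QM) (?P<role>Initiator|Responder) FSM error history")
WAIT_RE = re.compile(r"\b[MQ]M_WAIT_MSG\d\b")   # first WAIT state listed = where it stalled
DUR_RE = re.compile(r"disconnected: duration: (\d+):(\d{2}):(\d{2})")

# Interpretation of each stall point (my reading of the exchange, matching
# David's explanation in the thread; not Cisco documentation).
STALL_HINTS = {
    ("Initiator", "MM_WAIT_MSG2"): "we sent IKE message 1 and got no reply: UDP/500 to the peer, or its reply back to us, is being dropped",
    ("Responder", "MM_WAIT_MSG3"): "we answered the peer's message 1 but it kept resending it ('Duplicate first packet'): our reply is not reaching the peer",
    ("Responder", "QM_WAIT_MSG3"): "quick mode stalled after we sent message 2: the peer never confirmed the IPsec SA",
}


def parse_line(line):
    """Return a dict of fields for one event line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("id", "sev", "num", "rpt"):
        rec[key] = int(rec[key])
    return rec


def summarize(text):
    """Tally the failure indicators a troubleshooter looks for in this log."""
    s = {"duplicate_first_packet": 0, "phase1_attempts": 0, "stalls": Counter(),
         "tunnel_seconds": [], "hints": [], "unparsed": 0}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            s["unparsed"] += 1
            continue
        msg = rec["msg"]
        if rec["cls"] == "IKE" and rec["num"] == 41:          # new Phase 1 started
            s["phase1_attempts"] += 1
        elif "Duplicate first packet detected" in msg:        # peer retransmitting message 1
            s["duplicate_first_packet"] += 1
        elif rec["cls"] == "IKEDBG" and rec["num"] == 65:     # FSM error history
            fsm, wait = FSM_RE.search(msg), WAIT_RE.search(msg)
            if fsm and wait:                                  # truncated histories have no WAIT state
                mode, role, state = fsm.group("mode"), fsm.group("role"), wait.group(0)
                s["stalls"][mode + " " + role + ":" + state] += 1
                hint = STALL_HINTS.get((role, state))
                if hint and hint not in s["hints"]:
                    s["hints"].append(hint)
        else:
            d = DUR_RE.search(msg)                            # tunnel lifetime at disconnect
            if d:
                h, mi, se = (int(x) for x in d.groups())
                s["tunnel_seconds"].append(h * 3600 + mi * 60 + se)
    return s


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for key, value in summary.items():
        print(key, "=", dict(value) if isinstance(value, Counter) else value)
```

On the quoted lines this reports four duplicate-first-packet events, three Phase 1 restarts within two minutes, one stall in each of QM responder, MM initiator (twice) and MM responder, and a prior tunnel lifetime of 56 minutes 18 seconds. The churn pattern (repeated Phase 1 restarts each ending in a timeout) is the thing to alert on in a log pipeline; the per-state hints are where to look first, and David's NAT-T suggestion addresses the case where UDP/500 or ESP is being filtered between the two gateways.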
Current thread:
- RE: frequent vpn tunnel drops Rosenhan, David (Mar 01)
- RE: frequent vpn tunnel drops new bie kapper (Mar 09)
- <Possible follow-ups>
- RE: frequent vpn tunnel drops Kathmann, Nicholas (Mar 09)
- RE: frequent vpn tunnel drops new bie kapper (Mar 12)