Firewall Wizards mailing list archives

CVPN3000 Tunnel Renegotiation Problems


From: Tim Aaberg <tim () aaberg com>
Date: Tue, 18 Apr 2006 11:33:35 -0500

We have an IPSec Lan-to-Lan tunnel configured between a VPN1 and CVPN3015 that will drop once or twice a week. When it drops it seems to be unable to complete phase 1 negotiation for a new tunnel for long periods of time, although it tries constantly.

Here's what we're seeing in the CVPN log:

Apr 18 06:43:13 CVPN3015 7611550 04/18/2006 06:45:01.510 SEV=8 IKEDBG/84 RPT=3969 10.54.41.59 Group [10.54.41.59] QM IsRekeyed sa already being rekeyed

Apr 18 06:43:13 CVPN3015 7611551 04/18/2006 06:45:01.510 SEV=4 IKEDBG/97 RPT=5020 10.54.41.59 Group [10.54.41.59] QM FSM error (P2 struct &0x77d717c, mess id 0xcbd52404)!

Apr 18 06:43:13 CVPN3015 7611554 04/18/2006 06:45:01.510 SEV=7 IKEDBG/65 RPT=5075 10.54.41.59 Group [10.54.41.59] IKE QM Responder FSM error history (struct &0x77d717c) <state>, <event>: QM_DONE, EV_ERROR QM_BLD_MSG2, EV_IS_REKEY QM_BLD_MSG2, EV_CONFIRM_SA QM_BLD_MSG2, EV_PROC_MSG

Apr 18 06:43:13 CVPN3015 7611557 04/18/2006 06:45:01.510 SEV=9 IKEDBG/0 RPT=859163 sending delete/delete with reason message

When we look up IKEDBG/84 on the Cisco support site we get "This Debug event is for Cisco Engineering purposes only." IKEDBG/97 returns "This event indicates an error has occurred within the phase 2 state machine."

We've requested logging data from the far end but won't have it for another day or so.

Anyone have an idea what's wrong here?

Thanks,
Tim
