Firewall Wizards mailing list archives

Re: Cisco VPN reconnection every 23 minutes


From: Prabhu Gurumurthy <pgurumu () gmail com>
Date: Fri, 01 Jun 2007 11:57:46 -0700

On IPSec negotiation, the rekey is based on lifetime or bytes. When negotiation 
takes place, the lowest value is always used. So it does not matter if one is 
higher than the other; the negotiation does not have to agree on the 
lifetime/byte values.

Are you running IPSec VPN with UDP encapsulation?
I have seen problems with them, because some SOHO firewalls like Netgear etc. 
treat them as UDP connections and close the state after a predetermined amount 
of time.

The way you can see this is if you run tcpdump/ethereal: you will see a heck of 
a lot of UDP packets going between the client and the VPN concentrator.

If that is the case, two ways to fix it:

1. Disable SPI on the SOHO router/firewall (very bad, not recommended)
2. Disable UDP encapsulation and allow ESP to flow, i.e. you will see protocol 
50 in the IP header instead of protocol 17; all newer routers/firewalls allow 
it through.

Can you forward crypto config from the Cisco VPN concentrator?

Hope this helps.
Prabhu
-


Paul Murphy wrote:
Have you checked your rekey duration on both sides?  It looks like one peer
has a considerably shorter rekey value.

Thanks,

Paul Murphy




                                                                           
             ditribar () gmx de                                               
             Sent by:                                                      
             firewall-wizards-                                          To 
             bounces@listserv.         firewall-wizards () honor icsalabs com 
             icsalabs.com                                               cc 
                                                                           
                                                                   Subject 
             05/31/2007 12:24          [fw-wiz] Cisco VPN reconnection     
             PM                        every 23 minutes                    
                                                                           
                                                                           
             Please respond to                                             
             Firewall Wizards                                              
             Security Mailing                                              
                   List                                                    
             <firewall-wizards                                             
             @listserv.icsalab                                             
                  s.com>                                                   
                                                                           
                                                                           




Can anybody help me to solve the following problem?

A VPN tunnel is established and working so far, but the connection gets
reconnected about every 23 minutes.

Here are some logs of what's happening on PEER1 (AAA.BBB.CCC.DDD) (Cisco
ASA 5500):

Peer connect

2007-05-31T17:30:08+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP =
REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer
REMOTE_PEER_IP  local Proxy Address LOCAL_PROXY_IP, remote Proxy Address
REMOTE_LAN_IP,  Crypto map (outside_map)
2007-05-31T17:30:10+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903:
Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously allocated
memory for authorization-dn-attributes
2007-05-31T17:30:10+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group =
REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec
rekeying duration from 28800 to 3600 seconds
2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for
LAN-to-LAN Group (REMOTE_PEER_IP)  Initiator, Inbound SPI = 0x8d72d873,
Outbound SPI = 0xee7d09b6
2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=2a2a6615)

Peer disconnect again

2007-05-31T17:53:46+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713050: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Connection terminated for peer
REMOTE_PEER_IP.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A
2007-05-31T17:53:46+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019:
Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP,
Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:23m:36s,
Bytes xmt: 6572, Bytes rcv: 7772, Reason: User Requested
2007-05-31T17:53:58+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP =
REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer
REMOTE_PEER_IP  local Proxy Address LOCAL_PROXY_IP, remote Proxy Address
REMOTE_LAN_IP,  Crypto map (outside_map)
2007-05-31T17:54:00+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903:
Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously allocated
memory for authorization-dn-attributes
2007-05-31T17:54:00+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group =
REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
2007-05-31T17:54:01+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec
rekeying duration from 28800 to 3600 seconds
2007-05-31T17:54:01+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for
LAN-to-LAN Group (REMOTE_PEER_IP)  Initiator, Inbound SPI = 0x695fe990,
Outbound SPI = 0x792e9c57
2007-05-31T17:54:01+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=b6a126bc)

Manual disconnect

2007-05-31T18:00:32+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019:
Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP,
Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:06m:31s,
Bytes xmt: 0, Bytes rcv: 0, Reason: Administrator Reset
2007-05-31T18:00:32+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713050: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Connection terminated for peer
REMOTE_PEER_IP.  Reason: Administrator Reset  Remote Proxy REMOTE_LAN_IP,
Local Proxy LOCAL_PROXY_IP
2007-05-31T18:00:39+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP =
REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer
REMOTE_PEER_IP  local Proxy Address LOCAL_PROXY_IP, remote Proxy Address
REMOTE_LAN_IP,  Crypto map (outside_map)
2007-05-31T18:00:40+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903:
Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously allocated
memory for authorization-dn-attributes
2007-05-31T18:00:40+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group =
REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
2007-05-31T18:00:41+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec
rekeying duration from 28800 to 3600 seconds
2007-05-31T18:00:41+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for
LAN-to-LAN Group (REMOTE_PEER_IP)  Initiator, Inbound SPI = 0x6bccacec,
Outbound SPI = 0x7a216c5f
2007-05-31T18:00:41+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=fe0bd283)

Peer disconnect again

2007-05-31T18:24:12+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713050: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Connection terminated for peer
REMOTE_PEER_IP.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A
2007-05-31T18:24:12+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019:
Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP,
Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:23m:32s,
Bytes xmt: 6104, Bytes rcv: 6616, Reason: User Requested
2007-05-31T18:25:52+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP =
REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer
REMOTE_PEER_IP  local Proxy Address LOCAL_PROXY_IP, remote Proxy Address
REMOTE_LAN_IP,  Crypto map (outside_map)
2007-05-31T18:25:54+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903:
Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously allocated
memory for authorization-dn-attributes
2007-05-31T18:25:54+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group =
REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
2007-05-31T18:25:55+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec
rekeying duration from 28800 to 3600 seconds
2007-05-31T18:25:55+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for
LAN-to-LAN Group (REMOTE_PEER_IP)  Initiator, Inbound SPI = 0xba41c143,
Outbound SPI = 0xb16e5642
2007-05-31T18:25:55+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=c825a866)

..... disconnect occurs about every 23 minutes


Any ideas?

Kind regards

ditribar
--
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
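The logs above already contain the two facts that decide the question raised in this thread: the SA lifetime the responder forces (3600 s) and the duration of each session the peer tore down (about 23.5 min, far short of that lifetime). The following Python, an added example and not code from anyone in the thread, parses those %ASA-4-113019 and %ASA-5-713073 records and separates a lifetime-driven rekey from a periodic peer-side teardown of the kind a stateful SOHO firewall timing out a UDP-encapsulated tunnel would produce. The sample log is condensed from the post (one record per line; the poster's placeholders are kept) and the 60-second jitter threshold is an assumption.

```python
import re
from statistics import mean, pstdev

# Constructed sample, condensed from the ASA syslog quoted in the thread (one record
# per line; AAA.BBB.CCC.DDD and REMOTE_PEER_IP are the original poster's placeholders).
SAMPLE_LOG = """\
2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
2007-05-31T17:53:46+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019: Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:23m:36s, Bytes xmt: 6572, Bytes rcv: 7772, Reason: User Requested
2007-05-31T18:00:32+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019: Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:06m:31s, Bytes xmt: 0, Bytes rcv: 0, Reason: Administrator Reset
2007-05-31T18:24:12+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019: Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:23m:32s, Bytes xmt: 6104, Bytes rcv: 6616, Reason: User Requested
"""

SESSION_RE = re.compile(r"%ASA-4-113019:.*Duration: (\d+)h:(\d+)m:(\d+)s, "
                        r"Bytes xmt: (\d+), Bytes rcv: (\d+), Reason: (.+)$")
REKEY_RE = re.compile(r"%ASA-5-713073:.*rekeying duration from (\d+) to (\d+) seconds")

def parse_sessions(log):
    """Return (duration_seconds, reason) for every session-disconnect record."""
    sessions = []
    for line in log.splitlines():
        m = SESSION_RE.search(line)
        if m:
            h, mi, s = (int(x) for x in m.group(1, 2, 3))
            sessions.append((h * 3600 + mi * 60 + s, m.group(6).strip()))
    return sessions

def negotiated_lifetime(log):
    """IPsec SA lifetime actually in force: the lower of the two proposed values wins."""
    lifetimes = []
    for line in log.splitlines():
        m = REKEY_RE.search(line)
        if m:
            lifetimes.append(min(int(m.group(1)), int(m.group(2))))
    return min(lifetimes) if lifetimes else None

def diagnose(log, jitter_s=60):
    """Tell a lifetime-expiry drop apart from a periodic teardown initiated by the peer."""
    lifetime = negotiated_lifetime(log)
    # Operator-initiated resets are noise for this question; keep only peer-side drops.
    peer_drops = [d for d, r in parse_sessions(log) if r != "Administrator Reset"]
    if lifetime is None or len(peer_drops) < 2:
        return "insufficient data"
    avg = mean(peer_drops)
    if abs(avg - lifetime) <= jitter_s:
        return "drops coincide with the negotiated SA lifetime: rekey/lifetime mismatch"
    if pstdev(peer_drops) <= jitter_s and avg < lifetime:
        return "periodic peer-initiated teardown well below SA lifetime: suspect UDP/NAT-T state timeout on an intermediate device"
    return "irregular drops: inspect peer and path"

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```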


