Firewall Wizards mailing list archives
Re: Cisco VPN reconnection every 23 minutes
From: Prabhu Gurumurthy <pgurumu () gmail com>
Date: Mon, 04 Jun 2007 10:34:47 -0700
Okay - I was under the impression that it was a Cisco VPN client connection to the VPN concentrator, which is my bad, apologies.

tunnel-group REMOTE_PEER_IP type ipsec-l2l
tunnel-group REMOTE_PEER_IP general-attributes
 default-group-policy vpn-unlimited
tunnel-group REMOTE_PEER_IP ipsec-attributes
 pre-shared-key *

I was told by Cisco, when using version 7.0, to refrain from using names for tunnel-group and to use IP addresses instead. I vaguely remember seeing problems like you mentioned, but YMMV. Can you change those to IP addresses instead of names and let me know how it goes? I don't know what version you are using; I am using 7.2 and use IP addresses for tunnel-group properties, and it works fine for me.

Are you using l2tp? I want to confirm that because your VPN global policy seems to say that. Out of curiosity, can you just use a plain old IPSec LAN-to-LAN tunnel instead of l2tp!

Prabhu

ditribar wrote:

> > On IPSec negotiation, the rekey is based on lifetime or bytes. When negotiation takes place, the lowest value is always used. So it does not matter if one is higher than the other; the negotiation does not have to agree on the lifetime/byte values.
>
> Correct, I just adjusted the lifetime value on PEER1 to the value on PEER2. What I still don't understand is that there are two different reasons for a disconnection:
> 1) Peer Terminate
> 2) User Requested
> Which peer and what user is this? The only thing I found is that User Requested is sometimes a reason for a connection lost. Or does it mean PEER2 initiated the disconnect?
>
> > Are you running IPSec VPN with udp encapsulation?
>
> ipsec-udp disable (see config below)
> No I don't (UDP disabled). It uses TCP.
>
> > I have seen problems with them, because some SOHO firewalls like Netgear etc. treat them as UDP connections and close the state after a predetermined amount of time. The way that you can see is if you run tcpdump/ethereal you will see a heck of a lot of UDP packets going between the client and the VPN concentrator. If that is the case, two ways to fix it:
> > 1. Disable SPI on the SOHO router/firewall (very bad, not recommended)
> > 2. Disable UDP encapsulation and enable ESP to flow, i.e. you will see protocol 50 in the IP header instead of protocol 17; all newer routers/firewalls allow them through.
>
> What I see is that the client on PEER1 is trying to send a TCP Retransmission packet after the tunnel got disconnected.
>
> > Can you forward crypto config from the Cisco VPN concentrator?
>
> ===== Crypto map =====
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
> crypto map outside_map 61 match address outside_61_cryptomap
> crypto map outside_map 61 set pfs
> crypto map outside_map 61 set peer REMOTE_PEER_IP
> crypto map outside_map 61 set transform-set ESP-3DES-MD5
> crypto map outside_map 61 set security-association lifetime seconds 3600
> crypto map outside_map interface outside
> crypto isakmp enable outside
> crypto isakmp policy 10
>  authentication pre-share
>  encryption 3des
>  hash sha
>  group 2
>  lifetime 86400
> crypto isakmp policy 30
>  authentication pre-share
>  encryption aes-256
>  hash sha
>  group 2
>  lifetime 86400
> crypto isakmp policy 50
>  authentication pre-share
>  encryption 3des
>  hash md5
>  group 2
>  lifetime 86400
> tunnel-group REMOTE_PEER_IP type ipsec-l2l
> tunnel-group REMOTE_PEER_IP general-attributes
>  default-group-policy vpn-unlimited
> tunnel-group REMOTE_PEER_IP ipsec-attributes
>  pre-shared-key *
>
> ====== Group Policy =====
> group-policy vpn-unlimited attributes
>  vpn-access-hours none
>  vpn-simultaneous-logins 3
>  vpn-idle-timeout none
>  vpn-session-timeout none
>  vpn-filter none
>  vpn-tunnel-protocol IPSec l2tp-ipsec
>  password-storage disable
>  ip-comp disable
>  re-xauth disable
>  group-lock value REMOTE_PEER_IP
>  pfs disable
>  ipsec-udp disable
>  intercept-dhcp 255.255.255.255 disable
>  secure-unit-authentication disable
>  user-authentication disable
>  user-authentication-idle-timeout none
>  ip-phone-bypass disable
>  leap-bypass disable
>  nem disable
>  backup-servers keep-client-config
>  msie-proxy server none
>  msie-proxy method no-modify
>  msie-proxy except-list none
>  msie-proxy local-bypass disable
>  nac disable
>  nac-sq-period 300
>  nac-reval-period 36000
>  nac-default-acl none
>  client-firewall none
>  client-access-rule none
>  webvpn
>   functions none
>   html-content-filter none
>   homepage none
>   keep-alive-ignore 4
>   http-comp gzip
>   filter none
>   url-list none
>   customization none
>   port-forward none
>   port-forward-name value Application Access
>   sso-server none
>   deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
>   svc none
>   svc keep-installer installed
>   svc keepalive none
>   svc rekey time none
>   svc rekey method none
>   svc dpd-interval client 60
>   svc dpd-interval gateway 60
>   svc compression deflate
>  vpn-nac-exempt none
>
> show crypto ipsec sa
> interface: outside
>     Crypto map tag: outside_map, seq num: 61, local addr: LOCAL_PEER1_IP
>
>       access-list outside_61_cryptomap permit ip LOCAL_LAN_NET_IP LOCAL_LAN_NET_MASK host REMOTE_LAN_IP
>       local ident (addr/mask/prot/port): (LOCAL_LAN_NET_IP/LOCAL_LAN_NET_MASK/0/0)
>       remote ident (addr/mask/prot/port): (REMOTE_LAN_IP/255.255.255.255/0/0)
>       current_peer: REMOTE_PEER_IP
>
>       #pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
>       #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
>       #pkts compressed: 0, #pkts decompressed: 0
>       #pkts not compressed: 20, #pkts comp failed: 0, #pkts decomp failed: 0
>       #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
>       #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
>       #send errors: 0, #recv errors: 0
>
>       local crypto endpt.: LOCAL_PEER1_IP, remote crypto endpt.: REMOTE_PEER_IP
>
>       path mtu 1500, ipsec overhead 58, media mtu 1500
>       current outbound spi: A2E47E62
>
>     inbound esp sas:
>       spi: 0x8A930C7F (2324892799)
>          transform: esp-3des esp-md5-hmac none
>          in use settings ={L2L, Tunnel, PFS Group 2, }
>          slot: 0, conn_id: 4433, crypto-map: outside_map
>          sa timing: remaining key lifetime (kB/sec): (3824999/3341)
>          IV size: 8 bytes
>          replay detection support: Y
>     outbound esp sas:
>       spi: 0xA2E47E62 (2732883554)
>          transform: esp-3des esp-md5-hmac none
>          in use settings ={L2L, Tunnel, PFS Group 2, }
>          slot: 0, conn_id: 4433, crypto-map: outside_map
>          sa timing: remaining key lifetime (kB/sec): (3824998/3341)
>          IV size: 8 bytes
>          replay detection support: Y
>
> On all INTERFACEs it is:
> fragmentation INTERFACE before-encryption
>
> show crypto isakmp sa
>    Active SA: 1
>     Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
> Total IKE SA: 1
>
> 1   IKE Peer: REMOTE_PEER_IP
>     Type    : L2L             Role    : initiator
>     Rekey   : no              State   : MM_ACTIVE
>
> show crypto isakmp ipsec-over-tcp stats
> Global IPSec over TCP Statistics
> --------------------------------
> Embryonic connections: 0
> Active connections: 0
> Previous connections: 0
> Inbound packets: 0
> Inbound dropped packets: 0
> Outbound packets: 0
> Outbound dropped packets: 0
> RST packets: 0
> Recevied ACK heart-beat packets: 0
> Bad headers: 0
> Bad trailers: 0
> Timer failures: 0
> Checksum errors: 0
> Internal errors: 0
>
> show crypto protocol statistics all
> [IKEv1 statistics]
>    Encrypt packet requests: 120048
>    Encapsulate packet requests: 120048
>    Decrypt packet requests: 117999
>    Decapsulate packet requests: 117999
>    HMAC calculation requests: 146409
>    SA creation requests: 1686
>    SA rekey requests: 22
>    SA deletion requests: 4891
>    Next phase key allocation requests: 6092
>    Random number generation requests: 0
>    Failed requests: 0
> [IKEv2 statistics]
>    Encrypt packet requests: 0
>    Encapsulate packet requests: 0
>    Decrypt packet requests: 0
>    Decapsulate packet requests: 0
>    HMAC calculation requests: 0
>    SA creation requests: 0
>    SA rekey requests: 0
>    SA deletion requests: 0
>    Next phase key allocation requests: 0
>    Random number generation requests: 0
>    Failed requests: 0
> [IPsec statistics]
>    Encrypt packet requests: 127490
>    Encapsulate packet requests: 127490
>    Decrypt packet requests: 119951
>    Decapsulate packet requests: 119951
>    HMAC calculation requests: 247441
>    SA creation requests: 6062
>    SA rekey requests: 30
>    SA deletion requests: 6482
>    Next phase key allocation requests: 0
>    Random number generation requests: 0
>    Failed requests: 0
> [SSL statistics]
>    Encrypt packet requests: 398182
>    Encapsulate packet requests: 398182
>    Decrypt packet requests: 4875
>    Decapsulate packet requests: 4875
>    HMAC calculation requests: 403057
>    SA creation requests: 3967
>    SA rekey requests: 0
>    SA deletion requests: 3967
>    Next phase key allocation requests: 0
>    Random number generation requests: 0
>    Failed requests: 0
> [SSH statistics are not supported]
> [SRTP statistics are not supported]
> [Other statistics]
>    Encrypt packet requests: 0
>    Encapsulate packet requests: 0
>    Decrypt packet requests: 0
>    Decapsulate packet requests: 0
>    HMAC calculation requests: 16362
>    SA creation requests: 0
>    SA rekey requests: 0
>    SA deletion requests: 0
>    Next phase key allocation requests: 0
>    Random number generation requests: 30568
>    Failed requests: 0
>
> show crypto accelerator statistics
> Crypto Accelerator Status
> -------------------------
> [Capability]
>    Supports hardware crypto: True
>    Supports modular hardware crypto: False
>    Max accelerators: 1
>    Max crypto throughput: 50 Mbps
>    Max crypto connections: 250
> [Global Statistics]
>    Number of active accelerators: 1
>    Number of non-operational accelerators: 0
>    Input packets: 124682
>    Input bytes: 18397412
>    Output packets: 525537
>    Output error packets: 0
>    Output bytes: 143599804
> [Accelerator 0]
>    Status: OK
>    Software crypto engine
>    Slot: 0
>    Active time: 14256241 seconds
>    Total crypto transforms: 55911
>    Total dropped packets: 0
>    [Input statistics]
>       Input packets: 0
>       Input bytes: 83248
>       Input hashed packets: 0
>       Input hashed bytes: 0
>       Decrypted packets: 0
>       Decrypted bytes: 83248
>    [Output statistics]
>       Output packets: 0
>       Output bad packets: 0
>       Output bytes: 597288
>       Output hashed packets: 0
>       Output hashed bytes: 0
>       Encrypted packets: 0
>       Encrypted bytes: 597496
>    [Diffie-Hellman statistics]
>       Keys generated: 0
>       Secret keys derived: 0
>    [RSA statistics]
>       Keys generated: 15
>       Signatures: 14
>       Verifications: 0
>       Encrypted packets: 0
>       Encrypted bytes: 0
>       Decrypted packets: 0
>       Decrypted bytes: 0
>    [DSA statistics]
>       Keys generated: 0
>       Signatures: 0
>       Verifications: 0
>    [SSL statistics]
>       Outbound records: 0
>       Inbound records: 0
>    [RNG statistics]
>       Random number requests: 97
>       Random number request failures: 0
> [Accelerator 1]
>    Status: OK
>    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x 0)
>                                 Boot microcode   : CNlite-MC-Boot-Cisco-1.2
>                                 SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
>                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
>    Slot: 1
>    Active time: 14256255 seconds
>    Total crypto transforms: 1307288
>    Total dropped packets: 0
>    [Input statistics]
>       Input packets: 124683
>       Input bytes: 18314428
>       Input hashed packets: 119809
>       Input hashed bytes: 9333356
>       Decrypted packets: 124684
>       Decrypted bytes: 14084580
>    [Output statistics]
>       Output packets: 525539
>       Output bad packets: 0
>       Output bytes: 143003844
>       Output hashed packets: 127357
>       Output hashed bytes: 13210864
>       Encrypted packets: 525539
>       Encrypted bytes: 136827532
>    [Diffie-Hellman statistics]
>       Keys generated: 3281
>       Secret keys derived: 2832
>    [RSA statistics]
>       Keys generated: 0
>       Signatures: 0
>       Verifications: 0
>       Encrypted packets: 0
>       Encrypted bytes: 0
>       Decrypted packets: 0
>       Decrypted bytes: 0
>    [DSA statistics]
>       Keys generated: 0
>       Signatures: 0
>       Verifications: 0
>    [SSL statistics]
>       Outbound records: 398182
>       Inbound records: 4875
>    [RNG statistics]
>       Random number requests: 30465
>       Random number request failures: 0
>
> > Hope this helps.
> > Prabhu
> >
> > Paul Murphy wrote:
> >
> > > Have you checked your rekey duration on both sides? It looks like one peer has a considerably shorter rekey value.
> > >
> > > Thanks,
> > > Paul Murphy
> > >
> > > > ditribar () gmx de
> > > > Sent by: firewall-wizards-bounces@listserv.icsalabs.com
> > > > 05/31/2007 12:24 PM
> > > > Please respond to Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
> > > >
> > > > To: firewall-wizards () honor icsalabs com
> > > > cc:
> > > > Subject: [fw-wiz] Cisco VPN reconnection every 23 minutes
> > > >
> > > > can anybody help me to solve the following problem?
> > > > A VPN Tunnel is established and working so far, but the connection gets reconnected about every 23 minutes.
> > > > Here are some logs of what's happening on PEER1 (AAA.BBB.CCC.DDD) (CISCO ASA 5500):
> > > >
> > > > Peer connect
> > > > 2007-05-31T17:30:08+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP = REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer REMOTE_PEER_IP local Proxy Address LOCAL_PROXY_IP, remote Proxy Address REMOTE_LAN_IP, Crypto map (outside_map)
> > > > 2007-05-31T17:30:10+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously allocated memory for authorization-dn-attributes
> > > > 2007-05-31T17:30:10+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
> > > > 2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
> > > > 2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for LAN-to-LAN Group (REMOTE_PEER_IP) Initiator, Inbound SPI = 0x8d72d873, Outbound SPI = 0xee7d09b6
> > > > 2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=2a2a6615)
> > > >
> > > > Peer disconnect again
> > > > 2007-05-31T17:53:46+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713050: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Connection terminated for peer REMOTE_PEER_IP. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
> > > > 2007-05-31T17:53:46+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019: Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:23m:36s, Bytes xmt: 6572, Bytes rcv: 7772, Reason: User Requested
> > > > 2007-05-31T17:53:58+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP = REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer REMOTE_PEER_IP local Proxy Address LOCAL_PROXY_IP, remote Proxy Address REMOTE_LAN_IP, Crypto map (outside_map)
> > > > 2007-05-31T17:54:00+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously allocated memory for authorization-dn-attributes
> > > > 2007-05-31T17:54:00+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
> > > > 2007-05-31T17:54:01+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
> > > > 2007-05-31T17:54:01+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for LAN-to-LAN Group (REMOTE_PEER_IP) Initiator, Inbound SPI = 0x695fe990, Outbound SPI = 0x792e9c57
> > > > 2007-05-31T17:54:01+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=b6a126bc)
> > > >
> > > > Manual disconnect
> > > > 2007-05-31T18:00:32+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019: Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:06m:31s, Bytes xmt: 0, Bytes rcv: 0, Reason: Administrator Reset
> > > > 2007-05-31T18:00:32+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713050: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Connection terminated for peer REMOTE_PEER_IP. Reason: Administrator Reset Remote Proxy REMOTE_LAN_IP, Local Proxy LOCAL_PROXY_IP
> > > > 2007-05-31T18:00:39+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP = REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer REMOTE_PEER_IP local Proxy Address LOCAL_PROXY_IP, remote Proxy Address REMOTE_LAN_IP, Crypto map (outside_map)
> > > > 2007-05-31T18:00:40+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously allocated memory for authorization-dn-attributes
> > > > 2007-05-31T18:00:40+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
> > > > 2007-05-31T18:00:41+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
> > > > 2007-05-31T18:00:41+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for LAN-to-LAN Group (REMOTE_PEER_IP) Initiator, Inbound SPI = 0x6bccacec, Outbound SPI = 0x7a216c5f
> > > > 2007-05-31T18:00:41+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=fe0bd283)
> > > >
> > > > Peer disconnect again
> > > > 2007-05-31T18:24:12+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713050: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Connection terminated for peer REMOTE_PEER_IP. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
> > > > 2007-05-31T18:24:12+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019: Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:23m:32s, Bytes xmt: 6104, Bytes rcv: 6616, Reason: User Requested
> > > > 2007-05-31T18:25:52+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP = REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer REMOTE_PEER_IP local Proxy Address LOCAL_PROXY_IP, remote Proxy Address REMOTE_LAN_IP, Crypto map (outside_map)
> > > > 2007-05-31T18:25:54+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously allocated memory for authorization-dn-attributes
> > > > 2007-05-31T18:25:54+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
> > > > 2007-05-31T18:25:55+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
> > > > 2007-05-31T18:25:55+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for LAN-to-LAN Group (REMOTE_PEER_IP) Initiator, Inbound SPI = 0xba41c143, Outbound SPI = 0xb16e5642
> > > > 2007-05-31T18:25:55+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=c825a866)
> > > >
> > > > ..... disconnect occurs about every 23 minutes
> > > >
> > > > Any ideas?
> > > >
> > > > Kind regards
> > > > ditribar

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
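The thread's diagnosis turns on reading the ASA syslog pairs by hand: the 713073 line shows the responder forcing the IPsec SA lifetime from 28800 down to 3600 seconds (the "lowest value wins" rule Prabhu describes), while each drop is a 713050 "Peer Terminate" followed by a 113019 "User Requested" after roughly 23 minutes, far short of that lifetime. The script below is an added example, not code from the thread or from Cisco; it parses a constructed sample built from the syslog lines quoted above (placeholders AAA.BBB.CCC.DDD and REMOTE_PEER_IP kept as-is), measures the interval between successive PHASE 2 completions, and reports whether the drops line up with the negotiated lifetime or point at the remote peer. The message-ID regexes and the finding texts are this example's own choices.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the ASA syslog lines quoted in the thread,
# with the extraction line-wraps repaired. Hosts and peers are the thread's
# placeholders (AAA.BBB.CCC.DDD, REMOTE_PEER_IP), not real addresses.
SAMPLE_LOG = """\
2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=2a2a6615)
2007-05-31T17:53:46+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713050: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Connection terminated for peer REMOTE_PEER_IP. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
2007-05-31T17:53:46+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019: Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:23m:36s, Bytes xmt: 6572, Bytes rcv: 7772, Reason: User Requested
2007-05-31T17:54:01+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=b6a126bc)
2007-05-31T18:00:32+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019: Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:06m:31s, Bytes xmt: 0, Bytes rcv: 0, Reason: Administrator Reset
2007-05-31T18:00:32+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713050: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Connection terminated for peer REMOTE_PEER_IP. Reason: Administrator Reset Remote Proxy REMOTE_LAN_IP, Local Proxy LOCAL_PROXY_IP
2007-05-31T18:00:41+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=fe0bd283)
2007-05-31T18:24:12+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713050: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Connection terminated for peer REMOTE_PEER_IP. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
2007-05-31T18:24:12+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019: Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:23m:32s, Bytes xmt: 6104, Bytes rcv: 6616, Reason: User Requested
2007-05-31T18:25:55+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=c825a866)
"""

# timestamp  host  severity  facility  %ASA-<sev>-<6-digit id>: <body>
LINE_RE = re.compile(r"^(\S+) \S+ \S+ \S+ %ASA-\d-(\d{6}): (.*)$")
DURATION_RE = re.compile(r"Duration: (\d+)h:(\d+)m:(\d+)s")
# "Reason: X" runs to end of line (113019) or up to " Remote Proxy" (713050)
REASON_RE = re.compile(r"Reason: ([A-Za-z ]+?)(?: Remote Proxy|$)")
LIFETIME_RE = re.compile(r"rekeying duration from (\d+) to (\d+) seconds")


def parse_duration(text):
    """'Duration: 0h:23m:36s' -> 1416 seconds."""
    h, m, s = (int(x) for x in DURATION_RE.search(text).groups())
    return h * 3600 + m * 60 + s


def parse_line(line):
    """Split one syslog line into timestamp, message id and body; None if it is not an ASA line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, msg_id, body = m.groups()
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z"), "id": msg_id, "body": body}


def summarize(log_text):
    """Collect lifetime negotiation, PHASE 2 cadence, terminations and session accounting."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    summary = {"lifetime_forced": None, "phase2_intervals": [], "terminations": [], "sessions": []}
    last_phase2 = None
    for e in events:
        if e["id"] == "713073":                      # responder lowered the IPsec SA lifetime
            lo, hi = LIFETIME_RE.search(e["body"]).groups()
            summary["lifetime_forced"] = (int(lo), int(hi))
        elif e["id"] == "713120":                    # PHASE 2 COMPLETED: a fresh IPsec SA
            if last_phase2 is not None:
                summary["phase2_intervals"].append(int((e["time"] - last_phase2).total_seconds()))
            last_phase2 = e["time"]
        elif e["id"] == "713050":                    # IKE-level teardown and its stated reason
            summary["terminations"].append((e["time"], REASON_RE.search(e["body"]).group(1)))
        elif e["id"] == "113019":                    # session accounting record with duration
            summary["sessions"].append({"end": e["time"], "duration": parse_duration(e["body"]),
                                        "reason": REASON_RE.search(e["body"]).group(1)})
    return summary


def diagnose(summary):
    """Turn the summary into findings a defender can act on."""
    findings = []
    forced = summary["lifetime_forced"]
    if forced:
        findings.append("lifetime mismatch: responder forced IPsec SA lifetime from %d to %d s; "
                        "set the same value on both peers" % forced)
    term_reason = dict(summary["terminations"])
    # A 113019 "User Requested" paired with a 713050 "Peer Terminate" at the same second means
    # the other side sent the delete; it is not this box's own lifetime expiry.
    peer_drops = [s for s in summary["sessions"]
                  if s["reason"] == "User Requested" and term_reason.get(s["end"]) == "Peer Terminate"]
    for s in peer_drops:
        findings.append("%s: remote peer tore down the SA after %d s (713050 Peer Terminate / 113019 User Requested)"
                        % (s["end"].isoformat(), s["duration"]))
    if forced and peer_drops:
        longest = max(s["duration"] for s in peer_drops)
        if longest < forced[1] // 2:
            findings.append("drops occur at <= %d s, well under the %d s SA lifetime: not a rekey; "
                            "check the remote peer's own timers and any stateful device between the peers"
                            % (longest, forced[1]))
    return findings


if __name__ == "__main__":
    for line in diagnose(summarize(SAMPLE_LOG)):
        print(line)
```

Feed it the real syslog export instead of SAMPLE_LOG and the "phase2_intervals" list makes the ~23-minute cadence visible at a glance; if the intervals ever approach the forced lifetime, the drops are rekeys and the lifetime alignment Paul suggested is the whole fix, otherwise the Peer Terminate pairing points back at the remote side or something in between, as Prabhu's reply argues.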
Current thread:
- Re: Cisco VPN reconnection every 23 minutes ditribar (Jun 01)
- <Possible follow-ups>
- Re: Cisco VPN reconnection every 23 minutes Prabhu Gurumurthy (Jun 01)
- Re: Cisco VPN reconnection every 23 minutes ditribar (Jun 02)
- Re: Cisco VPN reconnection every 23 minutes Prabhu Gurumurthy (Jun 06)
- Re: Cisco VPN reconnection every 23 minutes Andrew Bell (Jun 10)
- Re: Cisco VPN reconnection every 23 minutes ditribar (Jun 02)