Cisco Router to VPN 3000 Tunnel Terminates Every 10 minutes or so. HELP!

 
 
Rick B.
      01-09-2004
I control the 3000 and am fairly certain the config is fine, it's
working fine for 14 other L2L connections. The site I'm having a
problem with is using a Cisco router (I have no access to this
device). The problem is once the tunnel is established it only stays
up for 5-10 minutes then drops and reconnects. The following is a
debug they sent me from their router...Any help would be greatly
appreciated!!!

855: idbtype 0, encaps_size 84, header size 36, avail 84
854: 21:30:39: IPSEC(encapsulate): encaps area too small, moving to
new buffer:
853: idbtype 0, encaps_size 84, header size 36, avail 84
852: 21:30:39: IPSEC(encapsulate): encaps area too small, moving to
new buffer:
851: idbtype 0, encaps_size 84, header size 36, avail 84
850: 21:30:39: IPSEC(encapsulate): encaps area too small, moving to
new buffer:
711: remote_proxy= 10.23.0.0/255.255.0.0/0/0 (type=4)
710: local_proxy= 10.2.136.0/255.255.248.0/0/0 (type=4),
709: (identity) local= 205.56.69.20, remote= 144.15.83.49,
708: sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2001,
707: sa_spi= 0x6888C602(1753794050),
706: (sa) sa_dest= 144.15.83.49, sa_prot= 50,
705: 21:27:49: IPSEC(add_sa): peer asks for new SAs -- expire current
in 120 sec.,
704: sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2005
703: sa_spi= 0x651BB953(1696315731),
702: (sa) sa_dest= 144.15.83.49, sa_prot= 50,
701: 21:27:49: IPSEC(create_sa): sa created,
700: sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2004
699: sa_spi= 0x2CA6AD26(749120806),
698: (sa) sa_dest= 205.56.69.20, sa_prot= 50,
697: 21:27:49: IPSEC(create_sa): sa created,
696: spi= 0x651BB953(1696315731), conn_id= 2005, keysize= 0,
flags= 0x4
695: lifedur= 28800s and 0kb,
694: protocol= ESP, transform= esp-3des esp-md5-hmac ,
693: dest_proxy= 10.23.0.0/255.255.0.0/0/0 (type=4),
692: src_proxy= 10.2.136.0/255.255.248.0/0/0 (type=4),
691: src= 205.56.69.20, dest= 144.15.83.49,
690: (key eng. msg.)
689: 21:27:49: IPSEC(initialize_sas): ,
688: spi= 0x2CA6AD26(749120806), conn_id= 2004, keysize= 0, flags=
0x4
687: lifedur= 28800s and 0kb,
686: protocol= ESP, transform= esp-3des esp-md5-hmac ,
685: src_proxy= 10.23.0.0/255.255.0.0/0/0 (type=4),
684: dest_proxy= 10.2.136.0/255.255.248.0/0/0 (type=4),
683: (key eng. msg.) dest= 205.56.69.20, src= 144.15.83.49,
682: 21:27:49: IPSEC(initialize_sas): ,
681: 21:27:49: IPSEC(key_engine): got a queue event...
680: 21:27:49: ISAKMP (0:40): deleting node 460806576 error FALSE
reason "quick mode done (await()"
679: 21:27:49: lifetime of 28800 seconds
678: 21:27:49: has spi 1696315731 and conn_id 2005 and flags 4
677: 21:27:49: outbound SA from 205.56.69.20 to 144.15.83.49
(proxy 10.2.136.0 to 10.23.0.0 )
676: 21:27:49: lifetime of 28800 seconds
675: 21:27:49: has spi 0x2CA6AD26 and conn_id 2004 and flags 4
674: (proxy 10.23.0.0 to 10.2.136.0)
673: 21:27:49: inbound SA from 144.15.83.49 to 205.56.69.20
672: 21:27:49: ISAKMP (0:40): Creating IPSec SAs
671: 21:27:49: ISAKMP (0:40): received packet from 144.15.83.49 (R)
QM_IDLE
670: 21:27:48: ISAKMP (0:40): sending packet to 144.15.83.49 (R)
QM_IDLE
669: 21:27:48: ISAKMP: received ke message (2/1)
668: from 144.15.83.49 to 205.56.69.20 for prot 3
667: 21:27:48: IPSEC(spi_response): getting spi 749120806 for SA
666: 21:27:48: IPSEC(key_engine): got a queue event...
665: 21:27:48: ISAKMP (0:40): asking for 1 spis from ipsec
664: 21:27:48: ISAKMP (40): ID_IPV4_ADDR_SUBNET dst
10.2.136.0/255.255.248.0 prot 0 port 0
663: 21:27:48: ISAKMP (0:40): processing ID payload. message ID =
460806576
662: 21:27:48: ISAKMP (40): ID_IPV4_ADDR_SUBNET src
10.23.0.0/255.255.0.0 prot 0 port 0
661: 21:27:48: ISAKMP (0:40): processing ID payload. message ID =
460806576
660: 21:27:48: ISAKMP (0:40): processing NONCE payload. message ID =
460806576
659: spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
658: lifedur= 0s and 0kb,
657: protocol= ESP, transform= esp-3des esp-md5-hmac ,
656: src_proxy= 10.23.0.0/255.255.0.0/0/0 (type=4),
655: dest_proxy= 10.2.136.0/255.255.248.0/0/0 (type=4),
654: (key eng. msg.) dest= 205.56.69.20, src= 144.15.83.49,


This is the VPN 3000 Log...

8378 01/09/2004 05:41:02.870 SEV=4 IKEDBG/0 RPT=242
QM FSM error (P2 struct &0x760a008, mess id 0xe4c31cb5)!

8379 01/09/2004 05:41:02.870 SEV=4 IKEDBG/65 RPT=242 205.56.69.20
Group [205.56.69.20]
IKE QM Responder FSM error history (struct &0x760a00
<state>, <event>:
QM_DONE, EV_ERROR
QM_BLD_MSG2, EV_NEGO_SA
QM_BLD_MSG2, EV_IS_REKEY
QM_BLD_MSG2, EV_CONFIRM_SA

8384 01/09/2004 05:41:12.870 SEV=5 IKE/25 RPT=212 205.56.69.20
Group [205.56.69.20]
Received remote Proxy Host data in ID Payload:
Address 205.56.69.20, Protocol 0, Port 0

8387 01/09/2004 05:41:12.870 SEV=5 IKE/34 RPT=257 205.56.69.20
Group [205.56.69.20]
Received local IP Proxy Subnet data in ID Payload:
Address 10.23.0.0, Mask 255.255.0.0, Protocol 0, Port 0

8390 01/09/2004 05:41:12.870 SEV=4 IKE/61 RPT=212 205.56.69.20
Group [205.56.69.20]
Tunnel rejected: Policy not found for Src:205.56.69.20, Dst:
10.23.0.0!

8392 01/09/2004 05:41:12.870 SEV=4 IKEDBG/0 RPT=243
QM FSM error (P2 struct &0x760a674, mess id 0xba8919cf)!
 
Eric Sorenson
      01-15-2004
In comp.dcom.vpn Rick B. <(E-Mail Removed)> wrote:

> 8390 01/09/2004 05:41:12.870 SEV=4 IKE/61 RPT=212 205.56.69.20
> Group [205.56.69.20]
> Tunnel rejected: Policy not found for Src:205.56.69.20, Dst:
> 10.23.0.0!


It's not "disconnecting every 10 minutes", rather it never finishes phase 2.

Check that the Local Network on the vpn3k side matches this subnet definition
(which is the network behind the 3k, right?)

Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN -> Modify

either pick a Network List you've pre-defined, or use
IP Address: 10.23.0.0
Wildcard Mask: 0.0.255.255

--
Eric Sorenson - Systems / Network Administrator, MIS - Transmeta Corporation
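
Added example, not part of either post: a small check that reads the proxy IDs the VPN 3000 logged for the rejected quick-mode proposal and compares them with the tunnel's policy. The policy pair is an assumption taken from the proxies shown in the router debug output (10.2.136.0/255.255.248.0 and 10.23.0.0/255.255.0.0); the function names are hypothetical.

```python
import ipaddress
import re

# Excerpt copied from the VPN 3000 log in the thread (wrapped lines joined).
SAMPLE_LOG = """\
8384 01/09/2004 05:41:12.870 SEV=5 IKE/25 RPT=212 205.56.69.20
Group [205.56.69.20]
Received remote Proxy Host data in ID Payload:
Address 205.56.69.20, Protocol 0, Port 0

8387 01/09/2004 05:41:12.870 SEV=5 IKE/34 RPT=257 205.56.69.20
Group [205.56.69.20]
Received local IP Proxy Subnet data in ID Payload:
Address 10.23.0.0, Mask 255.255.0.0, Protocol 0, Port 0

8390 01/09/2004 05:41:12.870 SEV=4 IKE/61 RPT=212 205.56.69.20
Group [205.56.69.20]
Tunnel rejected: Policy not found for Src:205.56.69.20, Dst: 10.23.0.0!
"""

# Assumption: (remote, local) pair as seen from the VPN 3000, taken from the router debug.
POLICY = [(ipaddress.ip_network("10.2.136.0/255.255.248.0"),
           ipaddress.ip_network("10.23.0.0/255.255.0.0"))]

PROXY_RE = re.compile(
    r"Received (remote|local) (?:IP )?Proxy (Host|Subnet) data in ID Payload:\s*"
    r"Address ([\d.]+)(?:, Mask ([\d.]+))?")

def proposed_proxies(log):
    """Return {'remote': network, 'local': network} from the ID payload events."""
    out = {}
    for side, _kind, addr, mask in PROXY_RE.findall(log):
        # A Host ID payload carries no mask, so treat it as a /32.
        out[side] = ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}")
    return out

def check_proposal(log, policy=POLICY):
    """Compare the proposed proxy pair with the policy and list what differs."""
    p = proposed_proxies(log)
    if any(p["remote"] == r and p["local"] == l for r, l in policy):
        return []
    problems = []
    for r, l in policy:
        if p["remote"] != r:
            problems.append(f"remote proxy {p['remote']} != configured {r}")
        if p["local"] != l:
            problems.append(f"local proxy {p['local']} != configured {l}")
    return problems
```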
 
Rick B.
      01-15-2004
Eric,

The strange thing is, that network is specified in the network list
for that tunnel...and every other tunnel (VPN Local) list. The tunnel
actually passes traffic for around 10 minutes then disconnects, get
more of those errors, then reconnects and passes traffic again.

Thanks for your reply.

Rick
 
Eric Sorenson
      01-16-2004
In comp.dcom.vpn Rick B. <(E-Mail Removed)> wrote:
> The strange thing is, that network is specified in the network list
> for that tunnel...and every other tunnel (VPN Local) list. The tunnel
> actually passes traffic for around 10 minutes then disconnects, get
> more of those errors, then reconnects and passes traffic again.


Yes that is indeed strange. From the vpn3k log snippet you posted, it
never establishes phase2 SAs, so no traffic can flow through the tunnel.
Maybe someone else can help decode the IOS log.

--
Eric Sorenson - Systems / Network Administrator, MIS - Transmeta Corporation
 