Cisco Router to VPN 3000 Tunnel Terminates Every 10 minutes or so. HELP!

Discussion in 'Cisco' started by Rick B., Jan 9, 2004.

  1. Rick B.

    Rick B. Guest

    I control the 3000 and am fairly certain the config is fine, it's
    working fine for 14 other L2L connections. The site I'm having a
    problem with is using a Cisco router (I have no access to this
    device). The problem is once the tunnel is established it only stays
    up for 5-10 minutes then drops and reconnects. The following is a
    debug they sent me from their router... Any help would be greatly
    appreciated!!!

    855: idbtype 0, encaps_size 84, header size 36, avail 84
    854: 21:30:39: IPSEC(encapsulate): encaps area too small, moving to
    new buffer:
    853: idbtype 0, encaps_size 84, header size 36, avail 84
    852: 21:30:39: IPSEC(encapsulate): encaps area too small, moving to
    new buffer:
    851: idbtype 0, encaps_size 84, header size 36, avail 84
    850: 21:30:39: IPSEC(encapsulate): encaps area too small, moving to
    new buffer:
    711: remote_proxy= 10.23.0.0/255.255.0.0/0/0 (type=4)
    710: local_proxy= 10.2.136.0/255.255.248.0/0/0 (type=4),
    709: (identity) local= 205.56.69.20, remote= 144.15.83.49,
    708: sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2001,
    707: sa_spi= 0x6888C602(1753794050),
    706: (sa) sa_dest= 144.15.83.49, sa_prot= 50,
    705: 21:27:49: IPSEC(add_sa): peer asks for new SAs -- expire current
    in 120 sec.,
    704: sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2005
    703: sa_spi= 0x651BB953(1696315731),
    702: (sa) sa_dest= 144.15.83.49, sa_prot= 50,
    701: 21:27:49: IPSEC(create_sa): sa created,
    700: sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2004
    699: sa_spi= 0x2CA6AD26(749120806),
    698: (sa) sa_dest= 205.56.69.20, sa_prot= 50,
    697: 21:27:49: IPSEC(create_sa): sa created,
    696: spi= 0x651BB953(1696315731), conn_id= 2005, keysize= 0,
    flags= 0x4
    695: lifedur= 28800s and 0kb,
    694: protocol= ESP, transform= esp-3des esp-md5-hmac ,
    693: dest_proxy= 10.23.0.0/255.255.0.0/0/0 (type=4),
    692: src_proxy= 10.2.136.0/255.255.248.0/0/0 (type=4),
    691: src= 205.56.69.20, dest= 144.15.83.49,
    690: (key eng. msg.)
    689: 21:27:49: IPSEC(initialize_sas): ,
    688: spi= 0x2CA6AD26(749120806), conn_id= 2004, keysize= 0, flags=
    0x4
    687: lifedur= 28800s and 0kb,
    686: protocol= ESP, transform= esp-3des esp-md5-hmac ,
    685: src_proxy= 10.23.0.0/255.255.0.0/0/0 (type=4),
    684: dest_proxy= 10.2.136.0/255.255.248.0/0/0 (type=4),
    683: (key eng. msg.) dest= 205.56.69.20, src= 144.15.83.49,
    682: 21:27:49: IPSEC(initialize_sas): ,
    681: 21:27:49: IPSEC(key_engine): got a queue event...
    680: 21:27:49: ISAKMP (0:40): deleting node 460806576 error FALSE
    reason "quick mode done (await()"
    679: 21:27:49: lifetime of 28800 seconds
    678: 21:27:49: has spi 1696315731 and conn_id 2005 and flags 4
    677: 21:27:49: outbound SA from 205.56.69.20 to 144.15.83.49
    (proxy 10.2.136.0 to 10.23.0.0 )
    676: 21:27:49: lifetime of 28800 seconds
    675: 21:27:49: has spi 0x2CA6AD26 and conn_id 2004 and flags 4
    674: (proxy 10.23.0.0 to 10.2.136.0)
    673: 21:27:49: inbound SA from 144.15.83.49 to 205.56.69.20
    672: 21:27:49: ISAKMP (0:40): Creating IPSec SAs
    671: 21:27:49: ISAKMP (0:40): received packet from 144.15.83.49 (R)
    QM_IDLE
    670: 21:27:48: ISAKMP (0:40): sending packet to 144.15.83.49 (R)
    QM_IDLE
    669: 21:27:48: ISAKMP: received ke message (2/1)
    "668: from 144.15.83.49 to 205.56.69.20 for prot 3"
    667: 21:27:48: IPSEC(spi_response): getting spi 749120806 for SA
    666: 21:27:48: IPSEC(key_engine): got a queue event...
    665: 21:27:48: ISAKMP (0:40): asking for 1 spis from ipsec
    664: 21:27:48: ISAKMP (40): ID_IPV4_ADDR_SUBNET dst
    10.2.136.0/255.255.248.0 prot 0 port 0
    663: 21:27:48: ISAKMP (0:40): processing ID payload. message ID =
    460806576
    662: 21:27:48: ISAKMP (40): ID_IPV4_ADDR_SUBNET src
    10.23.0.0/255.255.0.0 prot 0 port 0
    661: 21:27:48: ISAKMP (0:40): processing ID payload. message ID =
    460806576
    660: 21:27:48: ISAKMP (0:40): processing NONCE payload. message ID =
    460806576
    659: spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
    658: lifedur= 0s and 0kb,
    657: protocol= ESP, transform= esp-3des esp-md5-hmac ,
    656: src_proxy= 10.23.0.0/255.255.0.0/0/0 (type=4),
    655: dest_proxy= 10.2.136.0/255.255.248.0/0/0 (type=4),
    654: (key eng. msg.) dest= 205.56.69.20, src= 144.15.83.49,


    This is the VPN 3000 Log...

    8378 01/09/2004 05:41:02.870 SEV=4 IKEDBG/0 RPT=242
    QM FSM error (P2 struct &0x760a008, mess id 0xe4c31cb5)!

    8379 01/09/2004 05:41:02.870 SEV=4 IKEDBG/65 RPT=242 205.56.69.20
    Group [205.56.69.20]
    IKE QM Responder FSM error history (struct &0x760a008)
    <state>, <event>:
    QM_DONE, EV_ERROR
    QM_BLD_MSG2, EV_NEGO_SA
    QM_BLD_MSG2, EV_IS_REKEY
    QM_BLD_MSG2, EV_CONFIRM_SA

    8384 01/09/2004 05:41:12.870 SEV=5 IKE/25 RPT=212 205.56.69.20
    Group [205.56.69.20]
    Received remote Proxy Host data in ID Payload:
    Address 205.56.69.20, Protocol 0, Port 0

    8387 01/09/2004 05:41:12.870 SEV=5 IKE/34 RPT=257 205.56.69.20
    Group [205.56.69.20]
    Received local IP Proxy Subnet data in ID Payload:
    Address 10.23.0.0, Mask 255.255.0.0, Protocol 0, Port 0

    8390 01/09/2004 05:41:12.870 SEV=4 IKE/61 RPT=212 205.56.69.20
    Group [205.56.69.20]
    Tunnel rejected: Policy not found for Src:205.56.69.20, Dst:
    10.23.0.0!

    8392 01/09/2004 05:41:12.870 SEV=4 IKEDBG/0 RPT=243
    QM FSM error (P2 struct &0x760a674, mess id 0xba8919cf)!
     
    Rick B., Jan 9, 2004
    #1

  2. In comp.dcom.vpn Rick B. <> wrote:

    > 8390 01/09/2004 05:41:12.870 SEV=4 IKE/61 RPT=212 205.56.69.20
    > Group [205.56.69.20]
    > Tunnel rejected: Policy not found for Src:205.56.69.20, Dst:
    > 10.23.0.0!


    It's not "disconnecting every 10 minutes", rather it never finishes phase 2.

    Check that the Local Network on the vpn3k side matches this subnet definition
    (which is the network behind the 3k, right?)

    Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN -> Modify

    either pick a Network List you've pre-defined, or use
    IP Address: 10.23.0.0
    Wildcard Mask: 0.0.255.255

    --
    Eric Sorenson - Systems / Network Administrator, MIS - Transmeta Corporation
     
    Eric Sorenson, Jan 15, 2004
    #2

  3. Rick B.

    Rick B. Guest

    Eric,

    The strange thing is, that network is specified in the network list
    for that tunnel...and every other tunnel (VPN Local) list. The tunnel
    actually passes traffic for around 10 minutes then disconnects, get
    more of those errors, then reconnects and passes traffic again.

    Thanks for your reply.

    Rick
     
    Rick B., Jan 15, 2004
    #3
  4. In comp.dcom.vpn Rick B. <> wrote:
    > The strange thing is, that network is specified in the network list
    > for that tunnel...and every other tunnel (VPN Local) list. The tunnel
    > actually passes traffic for around 10 minutes then disconnects, get
    > more of those errors, then reconnects and passes traffic again.


    Yes that is indeed strange. From the vpn3k log snippet you posted, it
    never establishes phase2 SAs, so no traffic can flow through the tunnel.
    Maybe someone else can help decode the IOS log.

    --
    Eric Sorenson - Systems / Network Administrator, MIS - Transmeta Corporation
     
    Eric Sorenson, Jan 16, 2004
    #4
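
The proxy-ID check suggested in reply #2, as an added example that is not part of any post in this thread: it parses the ID payload events from the VPN 3000 log in post #1 and compares each offered proxy with the tunnel's policy. The `POLICY` values are assumptions (local list from reply #2, remote list taken from `local_proxy` in the IOS debug), and the function names are hypothetical.

```python
import ipaddress
import re

# Events copied from the VPN 3000 log in post #1.
VPN3K_LOG = """\
8384 01/09/2004 05:41:12.870 SEV=5 IKE/25 RPT=212 205.56.69.20
Group [205.56.69.20]
Received remote Proxy Host data in ID Payload:
Address 205.56.69.20, Protocol 0, Port 0

8387 01/09/2004 05:41:12.870 SEV=5 IKE/34 RPT=257 205.56.69.20
Group [205.56.69.20]
Received local IP Proxy Subnet data in ID Payload:
Address 10.23.0.0, Mask 255.255.0.0, Protocol 0, Port 0
"""

# Assumed L2L policy: local list from reply #2 (wildcard mask form),
# remote list taken from local_proxy in the IOS debug.
POLICY = {"local": "10.23.0.0/0.0.255.255",
          "remote": "10.2.136.0/255.255.248.0"}

PROXY_RE = re.compile(
    r"Received (local|remote) (?:IP )?Proxy (?:Host|Subnet) data in ID Payload:\s*"
    r"Address ([\d.]+)(?:, Mask ([\d.]+))?")

def offered_proxies(log):
    """Return the local/remote networks the peer offered in Quick Mode."""
    offered = {}
    for side, addr, mask in PROXY_RE.findall(log):
        # A Host ID payload carries no mask; treat it as a /32.
        offered[side] = ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}")
    return offered

def compare(log, policy):
    """Map each side to (offered, configured, exact_match)."""
    result = {}
    for side, net in offered_proxies(log).items():
        # ip_network accepts both netmask and wildcard (host) mask notation.
        configured = ipaddress.ip_network(policy[side])
        result[side] = (net, configured, net == configured)
    return result

if __name__ == "__main__":
    for side, (got, want, ok) in compare(VPN3K_LOG, POLICY).items():
        verdict = "match" if ok else "MISMATCH"
        print(f"{side:6} offered {got!s:18} configured {want!s:16} {verdict}")
```

The side reported as a mismatch is the half of the `Src`/`Dst` pair in the "Tunnel rejected: Policy not found" event that has no corresponding entry in the assumed policy.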