Site to Site VPN - Malformed packet

Discussion in 'Cisco' started by frankigeno, Nov 7, 2007.

  1. frankigeno

    frankigeno

    Joined:
    Nov 7, 2007
    Messages:
    5
    Likes Received:
    0
    Dear all,

    I am experiencing instability with a site to site VPN.
    I have to specify that at each site, the VPN router is connected behind a Zyxel performing 1-to-1 address translation (not SUA).

    site a: Public IP ---Zyxel router ---- Cisco 1700 (IOS 12.3 (19a))

    site b: Public IP ---Zyxel router ---- Cisco 800 (IOS 12.2)

    Although the public interfaces of both Ciscos are configured with a private IP, they are completely reflected to a public IP address outside the Zyxel, so no NAT traversal has been configured.

    I can ping between the two internal networks through the tunnel for the first ten minutes or so; then the pings fail even though the VPN is still up.

    statistics from site a:
    show crypto isakmp sa ->> STATE = QM_IDLE
    show crypto ipsec sa ->> Send errors = 3


    Thank you very much for all your help,
    Frankigeno
     
    frankigeno, Nov 7, 2007
    #1

  2. frankigeno

    frankigeno

    Additional information

    Hi All,

    The following debug output is observed before the IPsec traffic is interrupted.

    Thanks again for all the help,
    Frankigeno

    1d02h: CryptoEngine0: generate key pair
    1d02h: CryptoEngine0: CRYPTO_GEN_KEY_PAIR
    1d02h: CRYPTO_ENGINE: key process suspended and continued
    1d02h: CRYPTO_ENGINE: key process suspended and continued
    .
    .
    .
    Many times the same message
    .
    .
    .
    1d02h: CRYPTO_ENGINE: key process suspended and continued
    1d02h: CryptoEngine0: generate hmac context for conn id 1
    1d02h: validate proposal 0
    1d02h: validate proposal request 0
    1d02h: CryptoEngine0: generate hmac context for conn id 1
    1d02h: CryptoEngine0: generate hmac context for conn id 1
    1d02h: ipsec allocate flow 0
    1d02h: ipsec allocate flow 0


    No connection anymore
     
    frankigeno, Nov 8, 2007
    #2

  3. frankigeno

    frankigeno

    All,

    Apparently the problem is due to the IPsec key renegotiation.

    Before the key expires, this is the output from the ipsec SA:

    show crypto ipsec sa | i key
    sa timing: remaining key lifetime (k/sec): (4388681/135)
    sa timing: remaining key lifetime (k/sec): (4493607/135)


    Just 30 seconds before the key expires, new keys are negotiated:

    show crypto ipsec sa | i key
    sa timing: remaining key lifetime (k/sec): (4387677/67)
    sa timing: remaining key lifetime (k/sec): (4406702/3566)
    sa timing: remaining key lifetime (k/sec): (4493569/67)
    sa timing: remaining key lifetime (k/sec): (4406701/3566)


    From this moment on, the traffic between the two sites is interrupted.

    Any idea what this could be due to? Could it be a bad IOS on one of the routers?

    Francesco
     
    frankigeno, Nov 9, 2007
    #3
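The two snapshots above show the pattern of an IPsec rekey on IOS: each direction keeps its old SA (seconds counting down to zero) alongside a freshly negotiated one, and the old pair is torn down when its lifetime runs out. The following script is an added example, not code from the thread or from Cisco: it parses the `remaining key lifetime (k/sec)` lines from `show crypto ipsec sa`, classifies each SA as expiring or fresh, and reports whether a rekey is in progress, so that a loss of connectivity can be correlated with the rekey window rather than guessed at. It assumes the IOS default IPsec SA lifetime of 3600 seconds (consistent with the 3566 s remaining on the new SAs) and uses a 120 s threshold to tell old SAs from new ones; both values are assumptions chosen for this example, not settings from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches the lifetime lines printed by `show crypto ipsec sa`, e.g.
#   sa timing: remaining key lifetime (k/sec): (4387677/67)
LIFETIME_RE = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")

# Assumption for this example: the routers use the IOS default IPsec SA
# lifetime of 3600 s (the thread shows new SAs with 3566 s remaining).
DEFAULT_LIFETIME_SEC = 3600

# Assumption for this example: an SA with this little time left is an old SA
# that is about to be torn down; anything above it is a freshly negotiated SA.
EXPIRING_THRESHOLD_SEC = 120


@dataclass(frozen=True)
class SaLifetime:
    kbytes_left: int
    seconds_left: int


def parse_lifetimes(show_output: str) -> List[SaLifetime]:
    """Return one SaLifetime per 'remaining key lifetime' line in the output."""
    found = []
    for line in show_output.splitlines():
        m = LIFETIME_RE.search(line)
        if m:
            found.append(SaLifetime(int(m.group(1)), int(m.group(2))))
    return found


def split_by_age(sas: List[SaLifetime],
                 threshold: int = EXPIRING_THRESHOLD_SEC
                 ) -> Tuple[List[SaLifetime], List[SaLifetime]]:
    """Split SAs into (expiring, fresh) by their remaining seconds."""
    expiring = [s for s in sas if s.seconds_left <= threshold]
    fresh = [s for s in sas if s.seconds_left > threshold]
    return expiring, fresh


def rekey_state(sas: List[SaLifetime]) -> str:
    """Classify a snapshot: steady, rekey-in-progress, or old SAs with no replacement."""
    expiring, fresh = split_by_age(sas)
    if expiring and fresh:
        return "rekey-in-progress"
    if expiring:
        return "expiring-without-replacement"
    return "steady"


def fresh_sa_age_sec(sas: List[SaLifetime],
                     lifetime_sec: int = DEFAULT_LIFETIME_SEC) -> Optional[int]:
    """Seconds since the newest SA was installed, given the configured lifetime."""
    _, fresh = split_by_age(sas)
    if not fresh:
        return None
    newest = max(fresh, key=lambda s: s.seconds_left)
    return lifetime_sec - newest.seconds_left


# Constructed sample snapshots, using the figures quoted in the thread.
BEFORE_REKEY = """\
sa timing: remaining key lifetime (k/sec): (4388681/135)
sa timing: remaining key lifetime (k/sec): (4493607/135)
"""

DURING_REKEY = """\
sa timing: remaining key lifetime (k/sec): (4387677/67)
sa timing: remaining key lifetime (k/sec): (4406702/3566)
sa timing: remaining key lifetime (k/sec): (4493569/67)
sa timing: remaining key lifetime (k/sec): (4406701/3566)
"""

if __name__ == "__main__":
    for label, snapshot in (("before", BEFORE_REKEY), ("during", DURING_REKEY)):
        sas = parse_lifetimes(snapshot)
        expiring, fresh = split_by_age(sas)
        print(f"{label}: {len(sas)} SAs ({len(expiring)} expiring, {len(fresh)} fresh), "
              f"state={rekey_state(sas)}, newest SA age={fresh_sa_age_sec(sas)} s")
```

Run against the "during" snapshot it reports a rekey in progress with the new SAs about 34 s old, which matches the observation that the new keys appeared roughly 30 seconds before the old ones expired. Polling the router this way around the expiry time tells you whether traffic stops exactly when the old pair is deleted, which is the point at which a mismatch between the two peers' SA state would first show.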
