The peer dies after the lifetime is over.

oleg_driga
Level 1

Hi, sorry for my poor English.

I have a problem with VPN on Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(3f), RELEASE SOFTWARE (fc3).

The VPN is working properly, but at some point the HTTP service from the peer network "dies".

I see that:

1) The ping of web server is OK.

2) I don't think that it is a DF-bit problem because:

a) ping -n -s 1490 192.168.202.29

PING 192.168.202.29 (192.168.202.29) 1490(1518) bytes of data.

1498 bytes from 192.168.202.29: icmp_seq=1 ttl=62 time=30.5 ms

1498 bytes from 192.168.202.29: icmp_seq=2 ttl=62 time=31.2 ms

1498 bytes from 192.168.202.29: icmp_seq=3 ttl=62 time=31.7 ms

tcpdump -n host 192.168.202.29

tcpdump: listening on eth0

09:59:53.966392 192.168.0.99 > 192.168.202.29: icmp: echo request (frag 30507:14 80@0+)

09:59:53.966406 192.168.0.99 > 192.168.202.29: icmp (frag 30507:18@1480)

09:59:53.995124 192.168.202.29 > 192.168.0.99: icmp: echo reply (frag 37884:744@ 0+)

b) telnet 192.168.202.29 80 can't connect:

I see SYN packets, but no SYN/ACK.

3) show crypto ipsec sa details -

many #pkts no sa (send) errors on the peer,

and it shows there is no active SA:

local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/6/0)

remote ident (addr/mask/prot/port): (192.168.202.29/255.255.255.255/6/80)

current_peer 222.111.111.111 port 500

PERMIT, flags={}

#pkts encaps: 63507, #pkts encrypt: 63507, #pkts digest: 63507

#pkts decaps: 76488, #pkts decrypt: 76488, #pkts verify: 76488

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#pkts no sa (send) 75, #pkts invalid sa (rcv) 0

#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0

#pkts invalid prot (recv) 0, #pkts verify failed: 0

#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0

#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0

##pkts replay failed (rcv): 0

#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 111.111.111.111, remote crypto endpt.: 222.222.222.222

path mtu 1500, ip mtu 1500

current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

4) clear crypto sa (or reload) resolves the problem.

5) If any traffic exists within the ISAKMP lifetime (bash telnet 192.168.202.29 90, run nightly from crontab every 15 min), there is no problem with the peer.
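A small checker for the symptom described above, added here as an example (it is not from the thread or from Cisco): it splits 'show crypto ipsec sa' text into per-identity blocks and flags any pair with a zero outbound SPI or a non-zero '#pkts no sa (send)' counter. The sample text is constructed in the layout of the output posted above; the healthy ICMP block and its SPI value are invented, the HTTP block uses the counters from the post.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of 'show crypto ipsec sa': a healthy
# ICMP proxy pair, then the HTTP pair with the values from the post above.
SAMPLE = """\
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/1/0)
remote ident (addr/mask/prot/port): (192.168.202.29/255.255.255.255/1/0)
current_peer 222.222.222.222 port 500
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
current outbound spi: 0x2E1F6A30(773810736)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/6/0)
remote ident (addr/mask/prot/port): (192.168.202.29/255.255.255.255/6/80)
current_peer 222.222.222.222 port 500
#pkts encaps: 63507, #pkts encrypt: 63507, #pkts digest: 63507
#pkts no sa (send) 75, #pkts invalid sa (rcv) 0
current outbound spi: 0x0(0)
"""

@dataclass
class SaStatus:
    local_ident: str
    remote_ident: str
    peer: str
    no_sa_send: int
    outbound_spi: int

    @property
    def healthy(self) -> bool:
        # SPI 0x0 means no outbound ESP SA exists; a non-zero
        # 'no sa (send)' count means crypto-map traffic was dropped.
        return self.outbound_spi != 0 and self.no_sa_send == 0

def parse_ipsec_sa(output: str) -> list[SaStatus]:
    # One block per 'local ident' line, i.e. per proxy identity / SA pair.
    def grab(block, pattern, default=""):
        m = re.search(pattern, block, flags=re.M)
        return m.group(1) if m else default
    statuses = []
    for block in re.split(r"(?=^\s*local ident)", output, flags=re.M):
        if "local ident" not in block:
            continue  # header text before the first SA block
        statuses.append(SaStatus(
            local_ident=grab(block, r"local ident.*?:\s+\((\S+)\)"),
            remote_ident=grab(block, r"remote ident.*?:\s+\((\S+)\)"),
            peer=grab(block, r"current_peer\s+(\S+)"),
            no_sa_send=int(grab(block, r"#pkts no sa \(send\)\s+(\d+)", "0")),
            outbound_spi=int(grab(block, r"current outbound spi:\s+0x([0-9A-Fa-f]+)", "0"), 16),
        ))
    return statuses
```

Running it over the output of the real command (for example from a scheduled 'show' collection) lists the identity pairs an operator would otherwise only notice after users report a dead service.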


Can you configure the following command and see if it helps:

crypto isakmp keepalive 10 10

HTH

Sundar

--crypto isakmp keepalive 10 10

Thank you for the answer!

On both sides?

Yes.

This did not resolve the problem (the peer still "freezes"):

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

lifetime 3600

crypto isakmp key TOP_SECRET address 222.222.222.222 no-xauth

crypto isakmp keepalive 10 10

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Debugging shows that:

debug crypto isakmp

debug crypto ipsec

IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820

I just noticed that you had indicated you can ping but HTTP doesn't work. Hence, IPSEC connectivity isn't the issue here. I know you had mentioned in your earlier post that it mightn't be a DF bit problem.

Just to rule out an MTU problem, can you configure the command 'ip tcp adjust-mss 1400' on the LAN interface on ONE router. If that doesn't help you may have to run crypto debug(s) to troubleshoot the problem.

HTH

Sundar

Sundar, thank you for your answer.

>> had indicated you can ping but http doesn't work

Just look at this part of the crypto-map access list:

"...

permit icmp 192.168.0.0 0.0.0.255 host 192.168.202.29 log

permit tcp 192.168.0.0 0.0.0.255 host 192.168.202.29 eq www 443 log

..."

and see that I have 2 peers: 1 for ICMP packets and 1 for HTTP/HTTPS packets. So, when the "icmp peer" is working, the "http peer" is not.

show crypto ipsec sa details says

"no outbound esp sa" for the http peer.

>>If that doesn't help you may have to run crypto debug(s) to troubleshoot the problem.

Yes, I did it in my previous post:

debug crypto isakmp

debug crypto ipsec

term mon

and see many messages:

"IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820"

I think that it is some kind of IOS bug: "we have SA but couldn't find current outbound SA. dropping pak." So, the packets are dropped (SYN packets aren't sent, no HTTP connection).

PS

I can't find this "we have SA but couldn't find current" on cisco.com.

Oleg,

''permit tcp 192.168.0.0 0.0.0.255 host 192.168.202.29 eq www 443 log''

How did you include both http & https in one access list entry?

Can you configure two separate statements in the crypto access list as below and test?

permit tcp 192.168.0.0 0.0.0.255 host 192.168.202.29 eq www log

permit tcp 192.168.0.0 0.0.0.255 host 192.168.202.29 eq https log

Moreover, after updating your config and bringing up the tunnel, can you capture the output of 'show crypto ipsec sa' and post it here?

HTH

Sundar

In addition to the above post, can you make sure your crypto access lists mirror each other on both peers. The ACL on the far-end peer would look like this:

permit tcp 192.168.0.0 0.0.0.255 eq www host 192.168.202.29 log

permit tcp 192.168.0.0 0.0.0.255 eq 443 host 192.168.202.29 log

HTH

Sundar
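As an added illustration of the mirroring requirement discussed in the two posts above (example code, not from the thread or from Cisco): a parser for extended-ACL entries in the 'permit tcp <src> [eq port] <dst> [eq port] [log]' form used here, plus a check that computes the expected far-end mirror of each local entry (source and destination swap, each keeping its own port operator) and reports the differences. PORT_NAMES, Endpoint, Ace and the far-end list REMOTE_ACL are constructed for the example; LOCAL_ACL is the two-statement list posted above.

```python
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "https": 443}  # IOS port keywords seen in this thread

@dataclass(frozen=True)
class Endpoint:
    addr: str            # network or host address
    wildcard: str        # '0.0.0.0' for a 'host' entry
    port: Optional[int]  # None when there is no 'eq' operator

@dataclass(frozen=True)
class Ace:
    proto: str
    src: Endpoint
    dst: Endpoint

    def mirror(self) -> "Ace":
        # The far end sees the same flows reversed: source and
        # destination swap, each keeping its own port operator.
        return Ace(self.proto, self.dst, self.src)

def _endpoint(tokens: list) -> tuple:
    # Accepts 'host A' or 'A WILDCARD', optionally followed by 'eq PORT'.
    if tokens[0] == "host":
        addr, wild, rest = tokens[1], "0.0.0.0", tokens[2:]
    else:
        addr, wild, rest = tokens[0], tokens[1], tokens[2:]
    port = None
    if rest and rest[0] == "eq":
        port, rest = PORT_NAMES.get(rest[1]) or int(rest[1]), rest[2:]
    return Endpoint(addr, wild, port), rest

def parse_ace(line: str) -> Ace:
    tokens = line.split()           # tokens[0] is the action, tokens[1] the protocol
    src, rest = _endpoint(tokens[2:])
    dst, _ = _endpoint(rest)        # trailing 'log' does not change the flow
    return Ace(tokens[1], src, dst)

def mirror_mismatches(local_acl: list, remote_acl: list) -> tuple:
    expected = {parse_ace(l).mirror() for l in local_acl}
    remote = {parse_ace(l) for l in remote_acl}
    return expected - remote, remote - expected  # (missing, unexpected) on the far end

# Local crypto ACL as posted; constructed far-end list whose 443 entry
# attaches the port to the wrong endpoint, so it mirrors nothing.
LOCAL_ACL = [
    "permit tcp 192.168.0.0 0.0.0.255 host 192.168.202.29 eq www log",
    "permit tcp 192.168.0.0 0.0.0.255 host 192.168.202.29 eq https log",
]
REMOTE_ACL = [
    "permit tcp host 192.168.202.29 eq 80 192.168.0.0 0.0.0.255 log",
    "permit tcp 192.168.0.0 0.0.0.255 eq 443 host 192.168.202.29 log",
]
```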

I made some simplifications in the crypto map ACL and resolved this problem. Thanks Sundar for the idea.