Quick Mode Requests

Unanswered Question
Jul 11th, 2007

I have a site to site tunnel that is causing application disconnects due to IKE negotiations. We have an ASA 5510 on one end, and a Sonicwall on the other. What would cause the IKE Initiator to kick off? The tunnel shows up for 26 days. There is a rekey setting for every 8 hours, and these don't correspond to the log entries. Here are those entries with private addresses changed.



Time Description Source Destination

07/11/2007 09:47:17.192 Received IPSEC SA delete request 1.1.1.1, 500 2.2.2.2, 500 SPI:0x6376b91f

07/11/2007 09:47:15.336 IKE negotiation complete. Adding IPSec SA. (Phase 2) 2.2.2.2 1.1.1.1 ESP:3DES, HMAC_SHA1, lifeSeconds=28800 Local SPI:0x136646bf Remote SPI:0xd30f45d0

07/11/2007 09:47:15.336 IKE Responder: Accepting IPSec proposal (Phase 2) 1.1.1.1 2.2.2.2 172.16.1.41/32 -> 10.0.0.0/24

07/11/2007 09:47:15.304 IKE Responder: Received Quick Mode Request (Phase 2) 1.1.1.1, 500 2.2.2.2, 500

07/11/2007 08:41:36.864 IKE Responder: Main Mode complete (Phase 1) 1.1.1.1, 500 2.2.2.2, 500 3DES SHA1 Group 2 lifeSeconds=28800

07/11/2007 08:41:36.720 NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal 1.1.1.1, 500 2.2.2.2, 500

07/11/2007 08:41:36.368 IKE Responder: Received Main Mode request (Phase 1) 1.1.1.1, 500 2.2.2.2, 500

07/11/2007 05:26:04.288 IKE negotiation complete. Adding IPSec SA. (Phase 2) 2.2.2.2 1.1.1.1 ESP:3DES, HMAC_SHA1, lifeSeconds=28800 Local SPI:0xc8b52eaa Remote SPI:0xf114a412

07/11/2007 05:26:04.288 IKE Initiator: Accepting IPSec proposal (Phase 2) 2.2.2.2 1.1.1.1 10.0.0.0/24 -> 172.16.1.39/32

07/11/2007 05:26:04.272 IKE Initiator: Start Quick Mode (Phase 2). 1.1.1.1, 500 2.2.2.2, 500

07/11/2007 05:24:15.704 Received IPSEC SA delete request 1.1.1.1, 500 2.2.2.2, 500 SPI:0x3a865b3f

07/11/2007 02:42:12.656 Received IKE SA delete request 1.1.1.1, 500 2.2.2.2, 500

07/11/2007 02:41:38.192 IKE Responder: Main Mode complete (Phase 1) 1.1.1.1, 500 2.2.2.2, 500 3DES SHA1 Group 2 lifeSeconds=28800

07/11/2007 02:41:38.160 NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal 1.1.1.1, 500 2.2.2.2, 500

07/11/2007 02:41:37.880 IKE Responder: Received Main Mode request (Phase 1) 1.1.1.1, 500 2.2.2.2, 500

07/11/2007 02:11:48.944 Received IPSEC SA delete request 1.1.1.1, 500 2.2.2.2, 500 SPI:0x7e82e8c6

07/11/2007 02:11:19.144 IKE negotiation complete. Adding IPSec SA. (Phase 2) 2.2.2.2 1.1.1.1 ESP:3DES, HMAC_SHA1, lifeSeconds=28800 Local SPI:0xe891707c Remote SPI:0x6376b91f

07/11/2007 02:11:19.144 IKE Responder: Accepting IPSec proposal (Phase 2) 1.1.1.1 2.2.2.2 172.16.1.41/32 -> 10.0.0.0/24

07/11/2007 02:11:19.080 IKE Responder: Received Quick Mode Request (Phase 2) 1.1.1.1, 500 2.2.2.2, 500

07/11/2007 00:38:23.816 Received IPSEC SA delete request 1.1.1.1, 500 2.2.2.2, 500 SPI:0xeb981b0c

07/11/2007 00:37:53.848 IKE negotiation complete. Adding IPSec SA. (Phase 2) 2.2.2.2 1.1.1.1 ESP:3DES, HMAC_SHA1, lifeSeconds=28800 Local SPI:0x6d2c7a25 Remote SPI:0x3a865b3f

07/11/2007 00:37:53.848 IKE Responder: Accepting IPSec proposal (Phase 2) 1.1.1.1 2.2.2.2 172.16.1.39/32 -> 10.0.0.0/24

07/11/2007 00:37:53.816 IKE Responder: Received Quick Mode Request (Phase 2) 1.1.1.1, 500 2.2.2.2, 500
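
To test the observation in the question that the log entries do not line up with the 8-hour rekey, the following added example (not part of the original thread) pairs each "Received IPSEC SA delete request" with the "Adding IPSec SA" entry carrying the same SPI and compares the SA's age with its negotiated lifeSeconds. The function name `sa_lifetimes` and the choice to match on either the local or the remote SPI are assumptions of this sketch; the log lines are copied from the excerpt above.

```python
import re
from datetime import datetime

# Lines copied from the log excerpt in the question (reordered oldest first).
LOG = """\
07/11/2007 00:37:53.848 IKE negotiation complete. Adding IPSec SA. (Phase 2) 2.2.2.2 1.1.1.1 ESP:3DES, HMAC_SHA1, lifeSeconds=28800 Local SPI:0x6d2c7a25 Remote SPI:0x3a865b3f
07/11/2007 00:38:23.816 Received IPSEC SA delete request 1.1.1.1, 500 2.2.2.2, 500 SPI:0xeb981b0c
07/11/2007 02:11:19.144 IKE negotiation complete. Adding IPSec SA. (Phase 2) 2.2.2.2 1.1.1.1 ESP:3DES, HMAC_SHA1, lifeSeconds=28800 Local SPI:0xe891707c Remote SPI:0x6376b91f
07/11/2007 02:11:48.944 Received IPSEC SA delete request 1.1.1.1, 500 2.2.2.2, 500 SPI:0x7e82e8c6
07/11/2007 05:24:15.704 Received IPSEC SA delete request 1.1.1.1, 500 2.2.2.2, 500 SPI:0x3a865b3f
07/11/2007 09:47:17.192 Received IPSEC SA delete request 1.1.1.1, 500 2.2.2.2, 500 SPI:0x6376b91f
"""

TS = "%m/%d/%Y %H:%M:%S.%f"
ADD = re.compile(r"^(\S+ \S+) .*Adding IPSec SA.*lifeSeconds=(\d+) "
                 r"Local SPI:(0x[0-9a-f]+) Remote SPI:(0x[0-9a-f]+)", re.I)
DEL = re.compile(r"^(\S+ \S+) Received IPSEC SA delete request .*SPI:(0x[0-9a-f]+)", re.I)

def sa_lifetimes(log_text):
    """Return one (spi, age_seconds, life_seconds, early) tuple per delete request.

    age_seconds is None when the SA was negotiated before the excerpt starts.
    """
    added = {}    # SPI -> (time the SA was added, negotiated lifetime in seconds)
    results = []
    for line in sorted(log_text.splitlines()):  # same-day timestamps sort lexically
        if m := ADD.match(line):
            when = datetime.strptime(m.group(1), TS)
            for spi in (m.group(3).lower(), m.group(4).lower()):
                added[spi] = (when, int(m.group(2)))
        elif m := DEL.match(line):
            spi = m.group(2).lower()
            if spi not in added:
                results.append((spi, None, None, None))
                continue
            start, life = added.pop(spi)
            age = (datetime.strptime(m.group(1), TS) - start).total_seconds()
            results.append((spi, age, life, age < life))
    return results

if __name__ == "__main__":
    for spi, age, life, early in sa_lifetimes(LOG):
        if age is None:
            print(f"{spi}: negotiated before the excerpt begins")
        else:
            print(f"{spi}: deleted after {age:.0f}s of {life}s{' (EARLY)' if early else ''}")
```

On these lines, both SAs that can be matched were deleted at the peer's request before their 28800-second lifetime had elapsed, so the disconnects follow peer-initiated deletes rather than lifetime expiry on the logging side.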




Anonymous (not verified) Wed, 07/18/2007 - 12:22

This might be due to wrong configuration. If you happen to configure the line "crypto dynamic-map Outside_dyn_map 40 match address Outside_cryptomap_dyn_40", remove it as that suits your configuration.
