07-11-2007 12:45 PM - edited 03-09-2019 06:22 PM
I have a site to site tunnel that is causing application disconnects due to IKE negotiations. We have an ASA 5510 on one end, and a Sonicwall on the other. What would cause the IKE Initiator to kick off? The tunnel shows up for 26 days. There is a rekey setting for every 8 hours, and these don't correspond to the log entries. Here are those entries with private addresses changed.
Time Description Source Destination
07/11/2007 09:47:17.192 Received IPSEC SA delete request 1.1.1.1, 500 2.2.2.2, 500 SPI:0x6376b91f
07/11/2007 09:47:15.336 IKE negotiation complete. Adding IPSec SA. (Phase 2) 2.2.2.2 1.1.1.1 ESP:3DES, HMAC_SHA1, lifeSeconds=28800 Local SPI:0x136646bf Remote SPI:0xd30f45d0
07/11/2007 09:47:15.336 IKE Responder: Accepting IPSec proposal (Phase 2) 1.1.1.1 2.2.2.2 172.16.1.41/32 -> 10.0.0.0/24
07/11/2007 09:47:15.304 IKE Responder: Received Quick Mode Request (Phase 2) 1.1.1.1, 500 2.2.2.2, 500
07/11/2007 08:41:36.864 IKE Responder: Main Mode complete (Phase 1) 1.1.1.1, 500 2.2.2.2, 500 3DES SHA1 Group 2 lifeSeconds=28800
07/11/2007 08:41:36.720 NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal 1.1.1.1, 500 2.2.2.2, 500
07/11/2007 08:41:36.368 IKE Responder: Received Main Mode request (Phase 1) 1.1.1.1, 500 2.2.2.2, 500
07/11/2007 05:26:04.288 IKE negotiation complete. Adding IPSec SA. (Phase 2) 2.2.2.2 1.1.1.1 ESP:3DES, HMAC_SHA1, lifeSeconds=28800 Local SPI:0xc8b52eaa Remote SPI:0xf114a412
07/11/2007 05:26:04.288 IKE Initiator: Accepting IPSec proposal (Phase 2) 2.2.2.2 1.1.1.1 10.0.0.0/24 -> 172.16.1.39/32
07/11/2007 05:26:04.272 IKE Initiator: Start Quick Mode (Phase 2). 1.1.1.1, 500 2.2.2.2, 500
07/11/2007 05:24:15.704 Received IPSEC SA delete request 1.1.1.1, 500 2.2.2.2, 500 SPI:0x3a865b3f
07/11/2007 02:42:12.656 Received IKE SA delete request 1.1.1.1, 500 2.2.2.2, 500
07/11/2007 02:41:38.192 IKE Responder: Main Mode complete (Phase 1) 1.1.1.1, 500 2.2.2.2, 500 3DES SHA1 Group 2 lifeSeconds=28800
07/11/2007 02:41:38.160 NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal 1.1.1.1, 500 2.2.2.2, 500
07/11/2007 02:41:37.880 IKE Responder: Received Main Mode request (Phase 1) 1.1.1.1, 500 2.2.2.2, 500
07/11/2007 02:11:48.944 Received IPSEC SA delete request 1.1.1.1, 500 2.2.2.2, 500 SPI:0x7e82e8c6
07/11/2007 02:11:19.144 IKE negotiation complete. Adding IPSec SA. (Phase 2) 2.2.2.2 1.1.1.1 ESP:3DES, HMAC_SHA1, lifeSeconds=28800 Local SPI:0xe891707c Remote SPI:0x6376b91f
07/11/2007 02:11:19.144 IKE Responder: Accepting IPSec proposal (Phase 2) 1.1.1.1 2.2.2.2 172.16.1.41/32 -> 10.0.0.0/24
07/11/2007 02:11:19.080 IKE Responder: Received Quick Mode Request (Phase 2) 1.1.1.1, 500 2.2.2.2, 500
07/11/2007 00:38:23.816 Received IPSEC SA delete request 1.1.1.1, 500 2.2.2.2, 500 SPI:0xeb981b0c
07/11/2007 00:37:53.848 IKE negotiation complete. Adding IPSec SA. (Phase 2) 2.2.2.2 1.1.1.1 ESP:3DES, HMAC_SHA1, lifeSeconds=28800 Local SPI:0x6d2c7a25 Remote SPI:0x3a865b3f
07/11/2007 00:37:53.848 IKE Responder: Accepting IPSec proposal (Phase 2) 1.1.1.1 2.2.2.2 172.16.1.39/32 -> 10.0.0.0/24
07/11/2007 00:37:53.816 IKE Responder: Received Quick Mode Request (Phase 2) 1.1.1.1, 500 2.2.2.2, 500
07-18-2007 12:22 PM
This might be due to wrong configuration. If you happen to configure the line "crypto dynamic-map Outside_dyn_map 40 match address Outside_cryptomap_dyn_40" remove it as that suits your configuration.
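Added example, not part of the original thread: one way to read the log in the question is to pair each "Received IPSEC SA delete request" with the "Adding IPSec SA" entry that carries the same SPI, then compare the SA's age at deletion with its negotiated lifeSeconds. The function names and the 0.9 threshold are assumptions; the log lines are copied from the post.

```python
import re
from datetime import datetime

# Phase 2 add/delete lines copied from the log in the question (newest first).
LOG = """\
07/11/2007 09:47:17.192 Received IPSEC SA delete request 1.1.1.1, 500 2.2.2.2, 500 SPI:0x6376b91f
07/11/2007 09:47:15.336 IKE negotiation complete. Adding IPSec SA. (Phase 2) 2.2.2.2 1.1.1.1 ESP:3DES, HMAC_SHA1, lifeSeconds=28800 Local SPI:0x136646bf Remote SPI:0xd30f45d0
07/11/2007 05:24:15.704 Received IPSEC SA delete request 1.1.1.1, 500 2.2.2.2, 500 SPI:0x3a865b3f
07/11/2007 02:11:48.944 Received IPSEC SA delete request 1.1.1.1, 500 2.2.2.2, 500 SPI:0x7e82e8c6
07/11/2007 02:11:19.144 IKE negotiation complete. Adding IPSec SA. (Phase 2) 2.2.2.2 1.1.1.1 ESP:3DES, HMAC_SHA1, lifeSeconds=28800 Local SPI:0xe891707c Remote SPI:0x6376b91f
07/11/2007 00:37:53.848 IKE negotiation complete. Adding IPSec SA. (Phase 2) 2.2.2.2 1.1.1.1 ESP:3DES, HMAC_SHA1, lifeSeconds=28800 Local SPI:0x6d2c7a25 Remote SPI:0x3a865b3f
"""

TS = "%m/%d/%Y %H:%M:%S.%f"
ADD = re.compile(r"lifeSeconds=(\d+) Local SPI:(0x[0-9a-f]+) Remote SPI:(0x[0-9a-f]+)")
DEL = re.compile(r"Received IPSEC SA delete request .* SPI:(0x[0-9a-f]+)")

def sa_ages(log):
    """Map each deleted SPI to (age_seconds, life_seconds).

    (None, None) means the SA was created before the start of the log.
    """
    added, deletes = {}, []
    for line in log.splitlines():
        if not line.strip():
            continue
        when = datetime.strptime(line[:23], TS)
        if (m := ADD.search(line)):
            # A delete may name either side's SPI, so index both.
            for spi in m.group(2, 3):
                added[spi] = (when, int(m.group(1)))
        elif (m := DEL.search(line)):
            deletes.append((when, m.group(1)))
    ages = {}
    for when, spi in deletes:
        if spi in added:
            born, life = added[spi]
            ages[spi] = (round((when - born).total_seconds()), life)
        else:
            ages[spi] = (None, None)
    return ages

def early_deletes(log, threshold=0.9):
    """SPIs deleted before `threshold` (assumed cutoff) of their lifetime."""
    return sorted(spi for spi, (age, life) in sa_ages(log).items()
                  if age is not None and age < threshold * life)

if __name__ == "__main__":
    for spi, (age, life) in sa_ages(LOG).items():
        print(spi, age, life)
    print("early:", early_deletes(LOG))
```

On these lines, 0x6376b91f was deleted after about 95% of its 28800 seconds, while 0x3a865b3f was deleted after roughly 4 hours 46 minutes, which is the delete that precedes the 05:26 "IKE Initiator: Start Quick Mode" entry.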