Cisco ASA and Watchguard VPN SA Re-Key Errors

Unanswered Question
Jul 17th, 2008

Greetings we are running a Cisco ASA 5510 with 8.0.3(19) code and have several site to site vpn connections for various partner access.

One partner is using a Watchguard x550e, the site to site tunnel is configured as follows:

IKE Phase 1: 3Des/Sha/DH Group 2

IKE Phase 2: 3Des/Sha/DH Group 2

IKE is using aggressive mode and PFS has been disabled.

The VPN establishes just fine and stays up for the set SA Lifetime being the default of 8 hours, but when the 8 hour limit is reached the VPN drops out and cannot re-key and re-establish the connection, in order to get the connection back up the link has to be torn down at one end and re-created manually.

This is what happens after the 8 hour period.

Group =, IP =, Received non-routine Notify message: Payload malformed (16)

Group =, IP =, De-queuing KEY-ACQUIRE messages that were left pending.

IP =, Keep-alives configured on but peer does not support keep-alives (type = None)


AAA retrieved default group policy (DfltGrpPolicy) for user =

Group =, IP =, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

IP =, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

IP =, IKE Initiator: New Phase 1, Intf inside, IKE Peer local Proxy Address, remote Proxy Address, Crypto map (OutsideMap)

Group =, Username =, IP =, Session disconnected. Session Type: IKE, Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Error

Group =, IP =, Removing peer from correlator table failed, no match!

Group =, IP =, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Group =, IP =, QM FSM error (P2 struct &0xd8e9a790, mess id 0x16ee7a8c)!

Would anyone have any suggestions as to what the cause might be?


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Daniel Voicu Thu, 07/17/2008 - 05:46


There are two SA lifetimes: for Phase1 and for Phase2.

Both should match on both ends.

IKE lifetime:

crypto isakmp policy 10

lifetime 86400

IPSEC lifetime:

crypto map VPN 10 set security-association lifetime seconds 28800

Also, you should configure the main mode instead of aggressive:

crypto map VPN 10 set phase1-mode main

Please rate if this helped.




This Discussion