
L2L VPN down periodically

xzjleo2005
Level 1

Hi

One of the L2L VPNs goes down periodically. The hub site version is PIX 6.3; the remote site is ASA 8.0. Do you have any ideas? Thanks.

Here is the debug from hub site:

AP801N0010(config)# IPSEC(key_engine): request timer fired: count = 1,

(identity) local= A.A.A.A, remote= B.B.B.B,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 10.157.64.0/255.255.224.0/0/0 (type=4)

ISAKMP (0): beginning Main Mode exchange

crypto_isakmp_process_block:src:B.B.B.B, dest:A.A.A.A spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:B.B.B.B, dest:A.A.A.A spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

ISAKMP (0): ID payload

next-payload : 8

type : 1

protocol : 17

port : 500

length : 8

ISAKMP (0): Total payload length: 12

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:B.B.B.B, dest:A.A.A.A spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of -608049916:dbc1e504IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x647d8487(1685947527) for SA

from B.B.B.B to A.A.A.A for prot 3

return status is IKMP_NO_ERROR

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

VPN Peer: ISAKMP: Added new peer: ip:B.B.B.B/500 Total VPN Peers:3

VPN Peer: ISAKMP: Peer ip:B.B.B.B/500 Ref cnt incremented to:1 Total VPN Peers:3

crypto_isakmp_process_block:src:B.B.B.B, dest:A.A.A.A spt:500 dpt:500

ISAKMP (0): processing NOTIFY payload 18 protocol 1

spi 0, message ID = 1201765791

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block:src:B.B.B.B, dest:A.A.A.A spt:500 dpt:500

ISAKMP (0): processing DELETE payload. message ID = 229561281, spi size = 16

ISAKMP (0): deleting SA: src A.A.A.A, dst B.B.B.B

return status is IKMP_NO_ERR_NO_TRANS

ISADB: reaper checking SA 0x1049344, conn_id = 0

ISADB: reaper checking SA 0x104d78c, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:B.B.B.B/500 Ref cnt decremented to:0 Total VPN Peers:3

VPN Peer: ISAKMP: Deleted peer: ip:B.B.B.B/500 Total VPN peers:2IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with B.B.B.B

ISADB: reaper checking SA 0x1049344, conn_id = 0

ISADB: reaper checking SA 0x103740c, conn_id = 0


xzjleo2005
Level 1

The detailed config:

Remote site:

access-list nonat extended permit ip 10.157.64.0 255.255.224.0 10.0.0.0 255.0.0.0

access-list nonat extended permit ip 10.157.64.0 255.255.224.0 192.168.0.0 255.255.0.0

access-list nonat extended permit ip 10.157.64.0 255.255.224.0 11.0.0.0 255.0.0.0

access-list nonat extended deny ip 10.157.64.0 255.255.224.0 any

access-list vpnhurstville extended permit ip 10.157.64.0 255.255.224.0 11.0.0.0 255.0.0.0

access-list vpnhurstville extended permit ip 10.157.64.0 255.255.224.0 10.0.0.0 255.0.0.0

access-list vpnhurstville extended permit ip 10.157.64.0 255.255.224.0 192.168.0.0 255.255.0.0

access-list vpnhurstville extended deny ip 10.157.64.0 255.255.224.0 any

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto map mymap 1 match address vpnhurstville

crypto map mymap 1 set peer A.A.A.A

crypto map mymap 1 set transform-set myset

crypto map mymap 1 set security-association lifetime seconds 86400

crypto map mymap 1 set security-association lifetime kilobytes 4068000

crypto map mymap interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption des

hash md5

group 1

lifetime 86400

tunnel-group A.A.A.A type ipsec-l2l

tunnel-group A.A.A.A ipsec-attributes

pre-shared-key *

Hub site:

access-list vpnsingaporeyard permit ip any 10.157.64.0 255.255.224.0

crypto map mymap 4 ipsec-isakmp

crypto map mymap 4 match address vpnsingaporeyard

crypto map mymap 4 set peer B.B.B.B

crypto map mymap 4 set transform-set myset

crypto map mymap 4 set security-association lifetime seconds 86400 kilobytes 4608000

crypto map mymap interface outside

isakmp key ******** address B.B.B.B netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 86400
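A diagnostic check for the two posts above, as an added example that is not part of the thread or of either poster's configuration: it names the notify the hub received in the debug (type 18 is INVALID-ID-INFORMATION in RFC 2408, which a peer typically returns when the proposed Quick Mode proxy identities do not match its crypto ACL) and tests whether each side's crypto ACL has a mirror-image entry on the other side. The function names are hypothetical, the ACL and debug lines are copied from the posts, and only `any` and `<network> <netmask>` operands are parsed.

```python
import ipaddress
import re

# RFC 2408 notify message types that appear in the posted debug (subset).
NOTIFY = {18: "INVALID-ID-INFORMATION", 24578: "INITIAL-CONTACT"}

# Crypto ACL lines copied from the two posted configs.
HUB_ACL = ["access-list vpnsingaporeyard permit ip any 10.157.64.0 255.255.224.0"]
REMOTE_ACL = [
    "access-list vpnhurstville extended permit ip 10.157.64.0 255.255.224.0 11.0.0.0 255.0.0.0",
    "access-list vpnhurstville extended permit ip 10.157.64.0 255.255.224.0 10.0.0.0 255.0.0.0",
    "access-list vpnhurstville extended permit ip 10.157.64.0 255.255.224.0 192.168.0.0 255.255.0.0",
    "access-list vpnhurstville extended deny ip 10.157.64.0 255.255.224.0 any",
]
# Two lines copied from the posted hub debug.
DEBUG = [
    "ISAKMP (0): sending NOTIFY message 24578 protocol 1",
    "ISAKMP (0): processing NOTIFY payload 18 protocol 1",
]

def selectors(acl_lines):
    """(src, dst) networks of every 'permit ip' line; deny lines are skipped."""
    found = set()
    for line in acl_lines:
        m = re.search(r"\bpermit ip (.+)$", line.strip())
        if not m:
            continue
        toks, nets = m.group(1).split(), []
        while toks:
            if toks[0] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
                toks = toks[1:]
            else:  # "<network> <netmask>" pair; "host x" is not handled here
                nets.append(ipaddress.ip_network(f"{toks[0]}/{toks[1]}"))
                toks = toks[2:]
        found.add((nets[0], nets[1]))
    return found

def unmirrored(local_acl, peer_acl):
    """Local selectors whose reversed (dst, src) pair the peer does not permit."""
    peer = selectors(peer_acl)
    return sorted(f"{s} -> {d}" for s, d in selectors(local_acl) if (d, s) not in peer)

def received_notifies(debug_lines):
    """Names of notify types the peer sent, as logged by the receiving side."""
    codes = re.findall(r"processing NOTIFY payload (\d+)", "\n".join(debug_lines))
    return [NOTIFY.get(int(c), f"unknown({c})") for c in codes]

if __name__ == "__main__":
    print(received_notifies(DEBUG), unmirrored(HUB_ACL, REMOTE_ACL), unmirrored(REMOTE_ACL, HUB_ACL))
```

With the posted ACLs, no selector on either side has a mirror on the other, which is consistent with the `local_proxy= 0.0.0.0/0.0.0.0` proposal in the hub debug being followed by a notify and a delete from the peer.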