Hi all,
I'm using an ASA5510 and Zyxel routers to do site-to-site VPN. Because all of the Zyxel routers are using ADSL (dynamic IP address), I decided to use dynamic VPN on the ASA. The serious problem is that after the tunnels have been built, some tunnel will then be brought down. I tried to debug. The messages are as follows:
Oct 29 13:27:16 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x62b09b4d
Oct 29 13:27:16 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=ee723a0d) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, processing hash payload
Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, processing delete
Oct 29 13:27:16 [IKEv1]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, Connection terminated for peer DefaultL2LGroup. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, sending delete/delete with reason message
Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, constructing blank hash payload
Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, constructing IPSec delete payload
Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, constructing qm hash payload
Oct 29 13:27:16 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=507e92d8) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 64
Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, Active unit receives a delete event for remote peer xx.xx.xx.xx
Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, IKE Deleting SA: Remote Proxy 192.3.11.0, Local Proxy 172.16.0.0
Oct 29 13:27:16 [IKEv1]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, Deleting static route for L2L peer that came in on a dynamic map. address: 192.3.11.0, mask: 255.255.255.0
I'm not sure why the Zyxel sent the delete message to the ASA. Then the ASA processes that message. As a result, the tunnel has to be rebuilt.
It always happens. Normally, it should not be a problem as long as the tunnel is still up and packets are being passed through the tunnel.
Please help.
Rgds
Toshi