Linksys BEFSX41

Unanswered Question
Dec 15th, 2008

Hi everyone!

I've got a PIX 515e running FOS 7.2(4), and there are currently 48 entries of one crypto map. Half of these crypto maps connect to Linksys BEFSX41 VPN end points, and most work really well. However, every once in a while, a random tunnel just simply drops (never the same one twice). My Syslog server shows, "Failure during phase 1 rekeying attempt due to collision," but I've checked the Advanced settings, and the renegotiate times are accurate.

On the PIX, my ISAKMP time setting is 86400. The crypto map time is 28800.

On the Linksys, Phase one is 86400, and phase two is 28800.

Both devices run DH group 2 and PFS with group 2.

Restarting the Linksys definitely does not work, but removing a line from the crypto map statement on my PIX and re-adding it gets the tunnel up again.

Any ideas?

Thanks!

ajagadee Tue, 12/16/2008 - 10:03

Hi,

The log message is leading to some rekey issues with Phase 1. Since you have already checked the P1 Lifetime Settings to be the same, I don't think this is a configuration issue. It is more to do with some kind of coding/interoperability between the PIX and Linksys. Obviously, removing the crypto map and reapplying it is not an ideal workaround. So, a couple of things come to mind.

1. Disable PFS and see if the behavior changes.

2. Clear the ISAKMP and IPsec for the specific peer that is having the issue and see if the tunnel comes back up.

3. The last option is to do some proactive debugging for ISAKMP and IPsec on the PIX and logging on the Linksys, and open a TAC Service Request and troubleshoot the issue. The challenging part with this is, you don't know which Linksys is going to have the problem.

Maybe, if you have some lab devices, lab testing might be an easier route. Just a thought.

Regards,

Arul

*Pls rate if it helps*
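An added example, not part of the original posts: one way to narrow down which peer is affected before debugging is to tally the quoted collision message per peer from the syslog server's files and check whether repeats fall near a multiple of the 86400-second Phase 1 lifetime. The line layout, the hostname, the `NNNNNN` message-ID placeholder and the documentation-range IPs are assumptions constructed for illustration; adjust the regex to the real log format.

```python
import re
from collections import defaultdict
from datetime import datetime

COLLISION = "Failure during phase 1 rekeying attempt due to collision"
PHASE1_LIFETIME = 86400  # seconds, the ISAKMP lifetime quoted in the thread

# Assumed layout: "<ISO time> <host> %PIX-n-ID: Group = g, IP = a.b.c.d, <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+\S+\s+%PIX-\d-\w+:\s+"
    r"(?:Group = [^,]+,\s+)?IP = (?P<peer>\d{1,3}(?:\.\d{1,3}){3}),\s+(?P<msg>.*)$"
)

def collisions_by_peer(lines):
    """Return {peer_ip: [datetime, ...]} for each collision message, time-sorted."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and COLLISION in m.group("msg"):
            hits[m.group("peer")].append(datetime.fromisoformat(m.group("ts")))
    return {peer: sorted(times) for peer, times in hits.items()}

def summarize(lines, lifetime=PHASE1_LIFETIME, tolerance=0.1):
    """Per peer: collision count and how many gaps sit near a lifetime multiple."""
    report = {}
    for peer, times in collisions_by_peer(lines).items():
        near = 0
        for a, b in zip(times, times[1:]):
            gap = (b - a).total_seconds()
            k = round(gap / lifetime)  # nearest whole number of lifetimes
            if k >= 1 and abs(gap - k * lifetime) <= tolerance * lifetime:
                near += 1
        report[peer] = {"count": len(times), "gaps_near_lifetime": near}
    return report

# Constructed sample lines (not real logs); NNNNNN stands in for the message ID.
SAMPLE = """\
2008-12-10T03:15:02 pix515e %PIX-5-NNNNNN: Group = 192.0.2.10, IP = 192.0.2.10, Failure during phase 1 rekeying attempt due to collision
2008-12-11T03:14:40 pix515e %PIX-5-NNNNNN: Group = 192.0.2.10, IP = 192.0.2.10, Failure during phase 1 rekeying attempt due to collision
2008-12-11T09:00:00 pix515e %PIX-5-NNNNNN: Group = 198.51.100.7, IP = 198.51.100.7, PHASE 1 COMPLETED
2008-12-12T17:41:09 pix515e %PIX-5-NNNNNN: Group = 198.51.100.7, IP = 198.51.100.7, Failure during phase 1 rekeying attempt due to collision
""".splitlines()

if __name__ == "__main__":
    for peer, stats in sorted(summarize(SAMPLE).items()):
        print(peer, stats)
```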
