VPN clients quite often disconnect after nearly 50 min. or sometimes nearly

Unanswered Question
May 29th, 2009

We have several VPN Clients which connect to a 6509 SUP720-3B with VPN-SPA.

They all show the same symptoms. They may run for 24 hours, but they very often disconnect after nearly 50 min. or sometimes 100 min.

In the log of the 6500 a difference can already be seen in the first message received by the 6500 from the VPN client:

No disconnect->log entry 6500:

May 26 11:15:45.371 UTC: ISAKMP (68356): received packet from 10.110.192.4 dport 500 sport 4236 Global (R) QM_IDLE

Disconnect->log entry 6500:

May 27 10:37:16.160 UTC: ISAKMP (0): received packet from 10.110.192.4 dport 500 sport 1774 Global (N) NEW SA

May 27 10:37:16.160 UTC: %CRYPTO-4-IKMP_NO_SA: IKE message from 10.110.192.4 has no SA and is not an initialization offer

Used Equipment

VPN Client v 5.0040300

6509:

- SUP720-3B IOS:sup-bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXI.bin

- VPN SPA: 7600-SSC-400

sadbulali Thu, 06/04/2009 - 09:00

Explanation: IKE maintains state information for a communication in the form of security associations. No security association exists for this packet and it is not an initial offer from the peer to establish one. This situation could indicate a denial-of-service attack.

Recommended Action: Contact the remote peer or the administrator of the remote peer.

danielvonreding Mon, 06/08/2009 - 00:33

Thanks a lot for the answer.

Actually, a denial-of-service attack can't be the issue:

- The SA already exists. As you can see from the log file at the client side, it is the client which has sent the packet. The questions now are:

First, why does the client expire after 50 min and cause a re-keying?

Second, why does the re-keying sometimes work (same user station) and sometimes not? The requests at the client side always look the same, but as you can see from the debug at the Cisco 6500 side, they must be somehow different or interpreted differently by the 6500.

Debug client side re-keying OK:

80 16:24:25.107 05/25/09 Sev=Info/4 IPSEC/0x63700019

Activate outbound key with SPI=0xfca2d048 for inbound key with SPI=0x8b9ae494

81 17:12:24.111 05/25/09 Sev=Info/4 IPSEC/0x6370000E

Key with outbound SPI=0xfca2d048 is about to expire, requesting a new one

82 17:12:24.111 05/25/09 Sev=Info/4 IPSEC/0x6370000B

Key requested

83 17:12:24.111 05/25/09 Sev=Info/4 IKE/0x63000056

Received a key request from Driver: Local IP = 10.110.128.137, GW IP = 10.110.193.254, Remote IP = 0.0.0.0

84 17:12:24.111 05/25/09 Sev=Info/4 IKE/0x63000051

Initiating IKE Phase 2 (MsgID=D107A7A4)

Initiator = ID=10.110.128.137 Protocol=0 port=0, Responder = ID=0.0.0.0/0.0.0.0 Protocol=0 port=0

85 17:12:24.111 05/25/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 10.110.193.254

86 17:12:24.111 05/25/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 10.110.193.254

87 17:12:24.111 05/25/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 10.110.193.254

88 17:12:24.111 05/25/09 Sev=Info/5 IKE/0x63000045

RESPONDER-LIFETIME notify has value of 3600 seconds

89 17:12:24.111 05/25/09 Sev=Info/5 IKE/0x63000046

RESPONDER-LIFETIME notify has value of 4608000 kb

90 17:12:24.111 05/25/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(HASH) to 10.110.193.254

91 17:12:24.111 05/25/09 Sev=Info/5 IKE/0x63000059

Loading IPsec SA (MsgID=D107A7A4 OUTBOUND SPI = 0x7336FF82 INBOUND SPI = 0xD8985327)

Debug client side re-keying NOK:

30 10:03:45.589 05/26/09 Sev=Info/4 IPSEC/0x6370000E

Key with outbound SPI=0x8bac30d6 is about to expire, requesting a new one

31 10:03:45.589 05/26/09 Sev=Info/4 IPSEC/0x6370000B

Key requested

32 10:03:45.589 05/26/09 Sev=Info/4 IKE/0x63000056

Received a key request from Driver: Local IP = 10.110.128.141, GW IP = 10.110.193.254, Remote IP = 0.0.0.0

33 10:03:45.589 05/26/09 Sev=Info/4 IKE/0x63000051

Initiating IKE Phase 2 (MsgID=059F16D6)

Initiator = ID=10.110.128.141 Protocol=0 port=0, Responder = ID=0.0.0.0/0.0.0.0 Protocol=0 port=0

34 10:03:45.589 05/26/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 10.110.193.254

35 10:03:50.589 05/26/09 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

36 10:03:50.589 05/26/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(Retransmission) to 10.110.193.254

37 10:03:55.589 05/26/09 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!
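The two debug excerpts above (client side) and the two 6500 log lines in the question are exactly the data an admin has to correlate by hand when chasing this. The script below is an added example for this thread, not code from the poster or from Cisco: it parses VPN Client debug entries (a header line followed by the message text), pairs every "about to expire" request with what follows it (RESPONDER-LIFETIME value, retransmissions, whether a new IPsec SA was loaded), measures how long the expiring key had been active, and separately collects the 6500's `%CRYPTO-4-IKMP_NO_SA` and `ISAKMP (0) ... NEW SA` indications per peer address. The sample log text is constructed from the lines quoted in the thread; the regexes and field names are this example's own assumptions about the formats shown, nothing more.

```python
"""Triage helper for the IKE rekey failure discussed in this thread.

Added example (not from the thread or from Cisco). It parses constructed
excerpts of Cisco VPN Client debug output and Catalyst 6500 ISAKMP syslog
lines, classifies each client rekey attempt as OK or failed and lists the
6500 "no SA" indications keyed by peer address.
"""
import re
from datetime import datetime

# VPN Client debug entry header, e.g. "81 17:12:24.111 05/25/09 Sev=Info/4 IPSEC/0x6370000E".
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)"
    r"\s+Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<subsys>\w+)/(?P<code>0x[0-9A-Fa-f]+)$"
)
# 6500 syslog line, e.g. "May 27 10:37:16.160 UTC: %CRYPTO-4-IKMP_NO_SA: ...".
IOS_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:.]+)\s+UTC:\s+(?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ACTIVATE_RE = re.compile(r"Activate outbound key with SPI=(0x[0-9A-Fa-f]+)")
EXPIRE_RE = re.compile(r"Key with outbound SPI=(0x[0-9A-Fa-f]+) is about to expire")

# Constructed sample: the successful rekey of 05/25 followed by the failed one of 05/26.
CLIENT_LOG = """\
80 16:24:25.107 05/25/09 Sev=Info/4 IPSEC/0x63700019
Activate outbound key with SPI=0xfca2d048 for inbound key with SPI=0x8b9ae494
81 17:12:24.111 05/25/09 Sev=Info/4 IPSEC/0x6370000E
Key with outbound SPI=0xfca2d048 is about to expire, requesting a new one
84 17:12:24.111 05/25/09 Sev=Info/4 IKE/0x63000051
Initiating IKE Phase 2 (MsgID=D107A7A4)
Initiator = ID=10.110.128.137 Protocol=0 port=0, Responder = ID=0.0.0.0/0.0.0.0 Protocol=0 port=0
88 17:12:24.111 05/25/09 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 3600 seconds
91 17:12:24.111 05/25/09 Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=D107A7A4 OUTBOUND SPI = 0x7336FF82 INBOUND SPI = 0xD8985327)
30 10:03:45.589 05/26/09 Sev=Info/4 IPSEC/0x6370000E
Key with outbound SPI=0x8bac30d6 is about to expire, requesting a new one
34 10:03:45.589 05/26/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 10.110.193.254
35 10:03:50.589 05/26/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
37 10:03:55.589 05/26/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
"""

# Constructed sample: the healthy and the failing 6500 lines quoted in the question.
IOS_LOG = """\
May 26 11:15:45.371 UTC: ISAKMP (68356): received packet from 10.110.192.4 dport 500 sport 4236 Global (R) QM_IDLE
May 27 10:37:16.160 UTC: ISAKMP (0): received packet from 10.110.192.4 dport 500 sport 1774 Global (N) NEW SA
May 27 10:37:16.160 UTC: %CRYPTO-4-IKMP_NO_SA: IKE message from 10.110.192.4 has no SA and is not an initialization offer
"""


def parse_client_log(text):
    """Return (timestamp, subsystem, code, message) tuples; non-header lines are
    message or continuation lines of the most recent header."""
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S.%f")
            entries.append([ts, m["subsys"], m["code"], ""])
        elif entries:
            entries[-1][3] = (entries[-1][3] + " " + line).strip()
    return [tuple(e) for e in entries]


def analyse_rekeys(entries):
    """One dict per 'about to expire' request: SPI, minutes the key had been
    active (None if its activation is not in the excerpt), responder lifetime
    seen in the reply, ISAKMP retransmissions, and whether an SA was loaded."""
    activated = {}  # outbound SPI -> activation time
    attempts = []
    for ts, _subsys, _code, msg in entries:
        act = ACTIVATE_RE.search(msg)
        if act:
            activated[act.group(1).lower()] = ts
            continue
        exp = EXPIRE_RE.search(msg)
        if exp:
            spi = exp.group(1).lower()
            started = activated.get(spi)
            age = round((ts - started).total_seconds() / 60, 1) if started else None
            attempts.append({"spi": spi, "minutes_since_activation": age,
                             "responder_lifetime_s": None, "retransmissions": 0, "ok": False})
            continue
        if not attempts:
            continue
        cur = attempts[-1]
        if msg.startswith("Retransmitting last packet"):
            cur["retransmissions"] += 1
        elif msg.startswith("RESPONDER-LIFETIME notify") and msg.endswith("seconds"):
            cur["responder_lifetime_s"] = int(msg.split()[-2])
        elif msg.startswith("Loading IPsec SA"):
            cur["ok"] = True  # Quick Mode completed, new IPsec SA in place
    return attempts


def scan_ios_log(text):
    """Collect, per peer IP, the 6500 lines saying it has no ISAKMP SA for the
    packet: the %CRYPTO-4-IKMP_NO_SA message and the 'ISAKMP (0) ... NEW SA'
    debug line (conn-id 0, i.e. no existing SA matched)."""
    findings = {}
    for line in text.splitlines():
        m = IOS_RE.match(line.strip())
        if not m:
            continue
        msg = m["msg"]
        if "%CRYPTO-4-IKMP_NO_SA" in msg or ("ISAKMP (0)" in msg and "NEW SA" in msg):
            peer = IPV4_RE.search(msg)
            findings.setdefault(peer.group(0) if peer else "unknown", []).append((m["ts"], msg))
    return findings


if __name__ == "__main__":
    for attempt in analyse_rekeys(parse_client_log(CLIENT_LOG)):
        print(attempt)
    for peer, events in scan_ios_log(IOS_LOG).items():
        print(peer, len(events), "no-SA indication(s) on the 6500")
```

Run against the thread's own excerpts, the first attempt comes out as OK with the key roughly 48 minutes old when the client asked for a new one and a responder lifetime of 3600 s, which lines up with the "nearly 50 min" symptom; the second shows two retransmissions and no `Loading IPsec SA`, i.e. the Quick Mode request went unanswered, while the 6500 side logs two no-SA indications for 10.110.192.4 at the same moment. Feeding the full client log and the 6500 syslog into the same functions gives the per-attempt view the poster is asking for without reading the entries one by one.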
