05-29-2009 05:15 AM
We have several VPN Clients which connect to a 6509 SUP720-3B with VPN-SPA.
They all show the same symptoms. They may run for 24 hours, but they very often disconnect after nearly 50 min. or sometimes 100 min.
In the log of the 6500, a difference can already be seen in the first message received by the 6500 from the VPN client:
No disconnect->log entry 6500:
May 26 11:15:45.371 UTC: ISAKMP (68356): received packet from 10.110.192.4 dport 500 sport 4236 Global (R) QM_IDLE
Disconnect->log entry 6500:
May 27 10:37:16.160 UTC: ISAKMP (0): received packet from 10.110.192.4 dport 500 sport 1774 Global (N) NEW SA
May 27 10:37:16.160 UTC: %CRYPTO-4-IKMP_NO_SA: IKE message from 10.110.192.4 has no SA and is not an initialization offer
Used Equipment
VPN Client v 5.0040300
6509:
- SUP720-3B IOS:sup-bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXI.bin
- VPN SPA: 7600-SSC-400
06-04-2009 09:00 AM
Explanation : IKE maintains state information for a communication in the form of security associations. No security association exists for this packet and it is not an initial offer from the peer to establish one. This situation could indicate a denial-of-service attack.
Recommended Action : Contact the remote peer or the administrator of the remote peer.
06-08-2009 12:33 AM
Thanks a lot for the answer.
Actually, a denial-of-service attack can't be the issue.
- The SA already exists. As you can see from the log file at the client side, it is the client which has sent the packet. The questions now are:
First, why does the client expire after 50 min and cause a re-keying?
Second, why does the re-keying sometimes work (same User Station) and sometimes not? The requests at the client side always look the same but, as you can see from the debug at the Cisco 6500 side, must be somehow different or interpreted differently by the 6500.
Debug Client side re keying OK:
80 16:24:25.107 05/25/09 Sev=Info/4 IPSEC/0x63700019
Activate outbound key with SPI=0xfca2d048 for inbound key with SPI=0x8b9ae494
81 17:12:24.111 05/25/09 Sev=Info/4 IPSEC/0x6370000E
Key with outbound SPI=0xfca2d048 is about to expire, requesting a new one
82 17:12:24.111 05/25/09 Sev=Info/4 IPSEC/0x6370000B
Key requested
83 17:12:24.111 05/25/09 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 10.110.128.137, GW IP = 10.110.193.254, Remote IP = 0.0.0.0
84 17:12:24.111 05/25/09 Sev=Info/4 IKE/0x63000051
Initiating IKE Phase 2 (MsgID=D107A7A4)
Initiator = ID=10.110.128.137 Protocol=0 port=0, Responder = ID=0.0.0.0/0.0.0.0 Protocol=0 port=0
85 17:12:24.111 05/25/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 10.110.193.254
86 17:12:24.111 05/25/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 10.110.193.254
87 17:12:24.111 05/25/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 10.110.193.254
88 17:12:24.111 05/25/09 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 3600 seconds
89 17:12:24.111 05/25/09 Sev=Info/5 IKE/0x63000046
RESPONDER-LIFETIME notify has value of 4608000 kb
90 17:12:24.111 05/25/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to 10.110.193.254
91 17:12:24.111 05/25/09 Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=D107A7A4 OUTBOUND SPI = 0x7336FF82 INBOUND SPI = 0xD8985327)
Debug Client side re keying NOK
30 10:03:45.589 05/26/09 Sev=Info/4 IPSEC/0x6370000E
Key with outbound SPI=0x8bac30d6 is about to expire, requesting a new one
31 10:03:45.589 05/26/09 Sev=Info/4 IPSEC/0x6370000B
Key requested
32 10:03:45.589 05/26/09 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 10.110.128.141, GW IP = 10.110.193.254, Remote IP = 0.0.0.0
33 10:03:45.589 05/26/09 Sev=Info/4 IKE/0x63000051
Initiating IKE Phase 2 (MsgID=059F16D6)
Initiator = ID=10.110.128.141 Protocol=0 port=0, Responder = ID=0.0.0.0/0.0.0.0 Protocol=0 port=0
34 10:03:45.589 05/26/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 10.110.193.254
35 10:03:50.589 05/26/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
36 10:03:50.589 05/26/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(Retransmission) to 10.110.193.254
37 10:03:55.589 05/26/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
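Added example, not part of the thread or any Cisco tool: a Python parser for the client log layout quoted above that groups entries per Phase 2 attempt and reports whether each re-key completed or stalled in retransmissions, so the stall times can be matched against the %CRYPTO-4-IKMP_NO_SA lines on the 6500. The function names, outcome labels and sample log are assumptions made for this example.

```python
import re

# Entry header as quoted in the posts above: "<seq> <time> <date> Sev=<level>/<n> <component>/<id>"
HEADER = re.compile(r"^\d+\s+(\d\d:\d\d:\d\d\.\d+ \d\d/\d\d/\d\d)\s+Sev=\w+/\d+\s+\w+/0x[0-9A-Fa-f]+$")

def parse_entries(text):
    """Return [[timestamp, message]]; body lines are joined onto their header entry."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append([m.group(1), ""])
        elif line and entries:
            entries[-1][1] = (entries[-1][1] + " " + line).strip()
    return entries

def classify_rekeys(text):
    """One dict per Phase 2 attempt: MsgID, start time, outcome, retransmit count."""
    rekeys, cur = [], None
    for ts, msg in parse_entries(text):
        start = re.search(r"Initiating IKE Phase 2 \(MsgID=([0-9A-Fa-f]+)\)", msg)
        if start:
            cur = {"msgid": start.group(1), "start": ts, "outcome": "no_response", "retransmits": 0}
            rekeys.append(cur)
        elif cur and msg.startswith("Retransmitting last packet"):
            cur["retransmits"] += 1
        elif cur and msg.startswith("RECEIVING <<<") and cur["outcome"] == "no_response":
            cur["outcome"] = "answered"
        elif cur and msg.startswith("Loading IPsec SA (MsgID=" + cur["msgid"]):
            cur["outcome"] = "completed"
    return rekeys

# Constructed sample in the same layout (addresses, MsgIDs and SPIs are made up).
SAMPLE = """\
10 09:00:00.000 01/02/09 Sev=Info/4 IKE/0x63000051
Initiating IKE Phase 2 (MsgID=AAAA0001)
Initiator = ID=192.0.2.10 Protocol=0 port=0, Responder = ID=0.0.0.0/0.0.0.0 Protocol=0 port=0
11 09:00:00.010 01/02/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 198.51.100.1
12 09:00:00.020 01/02/09 Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=AAAA0001 OUTBOUND SPI = 0x11111111 INBOUND SPI = 0x22222222)
20 09:48:00.000 01/02/09 Sev=Info/4 IKE/0x63000051
Initiating IKE Phase 2 (MsgID=BBBB0002)
21 09:48:05.000 01/02/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
22 09:48:10.000 01/02/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
"""
print([(r["start"], r["msgid"], r["outcome"], r["retransmits"]) for r in classify_rekeys(SAMPLE)])
```

An attempt reported as "no_response" with retransmits is the pattern in the "re keying NOK" log above; its start time is the value to look up in the 6500 debug output.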