Phase 2 failing. IKE Initiator: Rekeying Phase 2 Intf 2 IKE Peer x.x.x.x logs, VPN concentrator

Unanswered Question
Apr 30th, 2010

Dear All,


I have a VPN 3000 series concentrator with an S2S tunnel built to a Check Point. Since last week the tunnel has been having an issue. Below are the observations.


Phase one will be up. TX traffic is observed increasing; RX traffic is not moving. Applications are not working over any of the phase 2 SAs. After 30 minutes, phase 2 tunnel traffic starts flowing automatically without any changes. If the tunnel is forced to reset on either device, service is restored and phase 2 traffic flows in both directions.


Below are the logs. Please help me to troubleshoot this issue.



52774,04/29/2010,10:18:10.130,SEV=4,IKE/41,RPT=43284,x.x.x.x,Group x.x.x.x IKE Initiator: Rekeying Phase 2  Intf 2  IKE Peer x.x.x.xlocal Proxy Address 192.168.72.10  remote Proxy Address 10.250.10.78 SA


52778,04/29/2010,10:18:11.010,SEV=4,IKE/49,RPT=45510,x.x.x.x,Group [x.x.x.x]Security negotiation complete for LAN-to-LAN Group (x.x.x.x)Responder  Inbound SPI = 0x1c4ab228  Outbound SPI = 0x2f764a2f


52781,04/29/2010,10:18:11.020,SEV=4,IKE/120,RPT=47769,x.x.x.x,Group [x.x.x.x] PHASE 2 COMPLETED (msgid=cf771603)


57487,04/29/2010,10:56:23.550,SEV=4,IKE/41,RPT=43453,x.x.x.x,Group [x.x.x.x]IKE Initiator: Rekeying Phase 2  Intf 2  IKE Peer x.x.x.xlocal Proxy Address 192.168.72.16  remote Proxy Address 10.250.10.106 SA


57491,04/29/2010,10:56:23.710,SEV=4,IKE/49,RPT=45586,x.x.x.x,Group [x.x.x.x]Security negotiation complete for LAN-to-LAN Group (x.x.x.x)Responder  Inbound SPI = 0x38c241c8  Outbound SPI = 0xe3269230


57494,04/29/2010,10:56:23.720,SEV=4,IKE/120,RPT=47845,x.x.x.x,Group [x.x.x.x] PHASE 2 COMPLETED (msgid=061ef7d7)

Federico Coto F... Fri, 04/30/2010 - 09:45
User Badges:
  • Green, 3000 points or more

Hi,


It just seems that connectivity on the check point side is being interrupted.

You continue to see Tx increasing while Rx not.


Then after any change, the connection restores.

Could you verify that when the problem happens, the Internet connection is not getting interrupted on the check point side?


Federico.

slmansfield Sat, 05/01/2010 - 05:46
User Badges:
  • Silver, 250 points or more

As Federico indicates, there may be a network problem on the remote side.


The log entries you listed look like normal IPSEC SA rekeys. 


Are both VPN peers configured for bi-directional initiation of the VPN tunnel?

santoshvijapur Tue, 05/04/2010 - 06:36

Dear mates.


I got a few more logs during today's outage. I was not able to get the client on the call during the outage window. After resetting the tunnel, service was restored. Kindly refer to the logs below and help me.

I am seeing MSG6 logs.


58223,05/04/2010,17:38:22.670,SEV=4,IKE/136,RPT=1269,x.x.x.x,Group [x.x.x.x]IKE session establishment timed out [MM_BLD_MSG6]  aborting!
58225,05/04/2010,17:38:22.900,SEV=4,IKEDBG/97,RPT=6215,x.x.x.x,Group [x.x.x.x] QM FSM error (P2 struct &0x17a244b0  mess id 0xc3daaf82)!

58304,05/04/2010,17:38:30.850,SEV=4,IKEDBG/97,RPT=6220,x.x.x.x,Group [x.x.x.x] QM FSM error (P2 struct &0x145a0e68  mess id 0xdb4230f6)!

58510,05/04/2010,17:38:52.670,SEV=4,IKE/136,RPT=1272,x.x.x.x,Group [x.x.x.x]IKE session establishment timed out [MM_BLD_MSG6]  aborting!

58604,05/04/2010,17:39:02.670,SEV=4,IKE/136,RPT=1274,x.x.x.x,Group [x.x.x.x]IKE session establishment timed out [MM_BLD_MSG6]  aborting!
58606,05/04/2010,17:39:02.670,SEV=4,IKE/136,RPT=1275,x.x.x.x,Group [x.x.x.x]IKE session establishment timed out [MM_BLD_MSG6]  aborting!

58688,05/04/2010,17:39:12.670,SEV=4,IKE/136,RPT=1276,x.x.x.x,Group [x.x.x.x]IKE session establishment timed out [MM_BLD_MSG6]  aborting!



During the outage window, we tried to initiate interesting traffic, probably after 10 minutes, from the interface VLAN 192.168.72.1. The error log suggests "Failure during phase 1 rekeying attempt due to collision".



60962,05/04/2010,17:57:27.270,SEV=4,IKE/41,RPT=9783,X.X.X.X,Group [X.X.X.X]IKE Initiator: New Phase 2  Intf 2  IKE Peer X.X.X.Xlocal Proxy Address 192.168.72.1  remote Proxy Address 10.250.10.78 SA


60967,05/04/2010,17:57:27.770,SEV=4,IKE/92,RPT=53805,X.X.X.X,Group [X.X.X.X] Failure during phase 1 rekeying attempt due to collision

60968,05/04/2010,17:57:29.270,SEV=4,IKE/41,RPT=9784,X.X.X.X,Group [X.X.X.X]IKE Initiator: New Phase 2  Intf 2  IKE Peer X.X.X.Xlocal Proxy Address 192.168.72.1  remote Proxy Address 10.250.10.78 SA


60972,05/04/2010,17:57:29.520,SEV=4,IKE/92,RPT=53806,X.X.X.X,Group [X.X.X.X] Failure during phase 1 rekeying attempt due to collision
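The event lines quoted above follow a fixed comma-separated layout (sequence number, date, time, severity, class/event id, repeat counter, peer, message). The following parser is an added example written for this thread, not code from Cisco or from the poster; it takes constructed copies of the lines above (peer already masked as x.x.x.x), counts the three failure events seen here (IKE/136 phase 1 timeout at MM_BLD_MSG6, IKEDBG/97 Quick Mode FSM error, IKE/92 phase 1 rekey collision), flags a peer when the same failure repeats within a short window, and pulls the local/remote proxy IDs out of the phase 2 initiation lines so they can be compared against the Check Point's encryption domain. The 120-second window and repeat threshold are assumptions chosen for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on the VPN 3000 event log lines quoted in the thread.
SAMPLE_LOG = """\
58223,05/04/2010,17:38:22.670,SEV=4,IKE/136,RPT=1269,x.x.x.x,Group [x.x.x.x]IKE session establishment timed out [MM_BLD_MSG6]  aborting!
58225,05/04/2010,17:38:22.900,SEV=4,IKEDBG/97,RPT=6215,x.x.x.x,Group [x.x.x.x] QM FSM error (P2 struct &0x17a244b0  mess id 0xc3daaf82)!
58304,05/04/2010,17:38:30.850,SEV=4,IKEDBG/97,RPT=6220,x.x.x.x,Group [x.x.x.x] QM FSM error (P2 struct &0x145a0e68  mess id 0xdb4230f6)!
58510,05/04/2010,17:38:52.670,SEV=4,IKE/136,RPT=1272,x.x.x.x,Group [x.x.x.x]IKE session establishment timed out [MM_BLD_MSG6]  aborting!
60962,05/04/2010,17:57:27.270,SEV=4,IKE/41,RPT=9783,x.x.x.x,Group [x.x.x.x]IKE Initiator: New Phase 2  Intf 2  IKE Peer x.x.x.xlocal Proxy Address 192.168.72.1  remote Proxy Address 10.250.10.78 SA
60967,05/04/2010,17:57:27.770,SEV=4,IKE/92,RPT=53805,x.x.x.x,Group [x.x.x.x] Failure during phase 1 rekeying attempt due to collision
60968,05/04/2010,17:57:29.270,SEV=4,IKE/41,RPT=9784,x.x.x.x,Group [x.x.x.x]IKE Initiator: New Phase 2  Intf 2  IKE Peer x.x.x.xlocal Proxy Address 192.168.72.1  remote Proxy Address 10.250.10.78 SA
60972,05/04/2010,17:57:29.520,SEV=4,IKE/92,RPT=53806,x.x.x.x,Group [x.x.x.x] Failure during phase 1 rekeying attempt due to collision
"""

# Event ids that correspond to the failure modes discussed in the thread.
PHASE1_TIMEOUT = ("IKE", 136)    # "IKE session establishment timed out [MM_BLD_MSG6]"
REKEY_COLLISION = ("IKE", 92)    # "Failure during phase 1 rekeying attempt due to collision"
QM_FSM_ERROR = ("IKEDBG", 97)    # "QM FSM error": Quick Mode (phase 2) state machine failure
FAILURE_EVENTS = {PHASE1_TIMEOUT, REKEY_COLLISION, QM_FSM_ERROR}

PROXY_RE = re.compile(r"local Proxy Address (\S+)\s+remote Proxy Address (\S+)")


def parse_event(line):
    """Split one event line into its fields.

    Layout assumed from the quoted lines:
    seq,date,time,SEV=n,CLASS/id,RPT=n,peer,message
    Returns None for lines that do not fit the layout.
    """
    parts = line.rstrip().split(",", 7)
    if len(parts) != 8:
        return None
    seq, date, time, sev, event, rpt, peer, msg = parts
    cls, _, evid = event.partition("/")
    return {
        "seq": int(seq),
        "ts": datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S.%f"),
        "severity": int(sev.split("=", 1)[1]),
        "class": cls,
        "event_id": int(evid),
        "peer": peer,
        "msg": msg,
    }


def summarize(log_text, window_seconds=120, threshold=2):
    """Count failure events per (peer, event) and flag those that repeat
    at least `threshold` times inside `window_seconds`, which separates a
    tunnel that is stuck from a single rekey hiccup.
    """
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    counts = Counter()
    stamps = {}
    for e in events:
        key = (e["class"], e["event_id"])
        if key in FAILURE_EVENTS:
            counts[(e["peer"], key)] += 1
            stamps.setdefault((e["peer"], key), []).append(e["ts"])
    flagged = set()
    for pk, ts_list in stamps.items():
        ts_list.sort()
        for i in range(len(ts_list) - threshold + 1):
            if (ts_list[i + threshold - 1] - ts_list[i]).total_seconds() <= window_seconds:
                flagged.add(pk)
                break
    return counts, flagged


def proxy_ids(log_text):
    """Collect the distinct (local, remote) proxy IDs from phase 2 initiations."""
    found = set()
    for line in log_text.splitlines():
        m = PROXY_RE.search(line)
        if m:
            found.add(m.groups())
    return sorted(found)


if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG)
    for (peer, (cls, evid)), n in sorted(counts.items()):
        mark = "REPEATING" if (peer, (cls, evid)) in flagged else ""
        print(f"{peer} {cls}/{evid}: {n} {mark}")
    print("proxy IDs negotiated:", proxy_ids(SAMPLE_LOG))
```

On the sample, every one of the three failure types is flagged as repeating, and the only proxy pair seen is 192.168.72.1 to 10.250.10.78; running the same parser over a full day's export makes it easy to see whether the MSG6 timeouts cluster around the rekey times of phase 1 on one side only.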

slmansfield Tue, 05/04/2010 - 07:28
User Badges:
  • Silver, 250 points or more

There is a really good document on troubleshooting the most common VPN problems.  http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution4


This is what it says about the problem you are having and how to address it.  Also, I would clear the VPN connection before attempting a new one.





Verify ISAKMP Lifetime

If the users are frequently disconnected across the L2L tunnel, the problem can be the lesser lifetime configured in ISAKMP SA. If any discrepancy occurs in the ISAKMP lifetime, you can receive the %PIX|ASA-5-713092: Group = x.x.x.x, IP = x.x.x.x, Failure during phase 1 rekeying attempt due to collision error message in PIX/ASA. For FWSM, you can receive the %FWSM-5-713092: Group = x.x.x.x, IP = x.x.x.x, Failure during phase 1 rekeying attempt due to collision error message. Configure the same value in both the peers in order to fix it.

santoshvijapur Thu, 05/06/2010 - 23:20

Dear slmansfield


Verified the lifetime parameters (file is attached); it looks like both lifetime parameters are matching.


Kindly suggest any other parameters that need to be checked, please.


slmansfield Fri, 05/07/2010 - 06:26
User Badges:
  • Silver, 250 points or more

Were these values changed or is what is configured now what was there before?


Did you clear the VPN tunnel from the peers so they re-establish the VPN session?


On the concentrator, are these changes applied to the LAN-2-LAN SA?  In the configuration of the LAN-2-LAN SA, the IKE proposal is pulled in from the list of IKE proposals, but the IPSEC parameters are set within the LAN-2-LAN SA configuration for that site.


Configuration | Policy Management | Traffic Management | Security Associations | Modify ->name of LAN-2-LAN SA

santoshvijapur Wed, 07/14/2010 - 01:28

Dear All,


Thanks for your kind support and valuable tips. The issue got arrested and the tunnel has been stable for 28 days.


Summary: the encryption lists allowed at the concentrator and Check Point were more than 35 individual /32 networks. We did the summarization on both devices


and allowed one /24 network segment. Since then the tunnel has been stable. Not sure of the exact cause; just to keep all of you updated.
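The fix reported above replaces a long list of /32 proxy IDs with a single /24 on both peers. The following is an added example (not the poster's configuration, and not Cisco or Check Point code) that shows the two checks worth making before doing that: computing the smallest summary that covers every host entry and how much extra address space that summary admits into the encryption domain, and confirming that both peers' lists describe the same address space once adjacent entries are collapsed. The host addresses are constructed placeholders in the 10.250.10.0/24 range seen in the thread's logs; the real list is not on the page.

```python
import ipaddress

# Constructed sample of /32 proxy-ID entries standing in for the 35-plus
# individual hosts the thread mentions.
HOST_ENTRIES = [
    "10.250.10.12/32",
    "10.250.10.78/32",
    "10.250.10.106/32",
    "10.250.10.200/32",
]


def covering_supernet(entries):
    """Return the smallest single network that covers every entry.

    Starts from the lowest entry and widens it one prefix bit at a time
    until every other entry falls inside it.
    """
    nets = sorted(ipaddress.ip_network(e) for e in entries)
    summary = nets[0]
    for net in nets[1:]:
        while not summary.supernet_of(net):
            summary = summary.supernet()
    return summary


def excess_addresses(entries, summary):
    """Number of addresses the summary admits beyond the original entries.

    Summarising the proxy IDs widens the encryption domain; this is the
    extra address space the tunnel will now carry.
    """
    nets = [ipaddress.ip_network(e) for e in entries]
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return summary.num_addresses - covered


def domains_match(local_entries, peer_entries):
    """True when both peers describe the same address space after
    collapsing adjacent and overlapping entries, regardless of how
    each side happens to have written its list.
    """
    local = set(ipaddress.collapse_addresses([ipaddress.ip_network(e) for e in local_entries]))
    peer = set(ipaddress.collapse_addresses([ipaddress.ip_network(e) for e in peer_entries]))
    return local == peer


if __name__ == "__main__":
    summary = covering_supernet(HOST_ENTRIES)
    print(f"summary: {summary}")
    print(f"extra addresses admitted by the summary: {excess_addresses(HOST_ENTRIES, summary)}")
    # Both peers should agree once the summary is configured on each side.
    print("peers agree:", domains_match([str(summary)], ["10.250.10.0/24"]))
```

For the four sample hosts the summary is 10.250.10.0/24, which admits 252 addresses that were not in the original list; that number is the trade-off to weigh against the simpler, more stable negotiation, and the `domains_match` check is the one to run against both peers' lists whenever phase 2 negotiates but traffic flows in only one direction.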
