04-30-2010 02:25 AM
Dear All,
I have a VPN 3000 series concentrator with a site-to-site (S2S) tunnel built to a Check Point. Since last week the tunnel has been having an issue. Below are the observations:
Phase 1 will be up. TX traffic is observed increasing; RX traffic is not moving. Applications are not working on any of the phase 2 SAs. After 30 minutes phase 2 tunnel traffic starts flowing automatically without any changes. If the tunnel is force-reset on either device, service is restored and phase 2 traffic flows in both directions.
Below are the logs. Please help me troubleshoot this issue.
52774,04/29/2010,10:18:10.130,SEV=4,IKE/41,RPT=43284,x.x.x.x,Group x.x.x.x IKE Initiator: Rekeying Phase 2 Intf 2 IKE Peer x.x.x.xlocal Proxy Address 192.168.72.10 remote Proxy Address 10.250.10.78 SA
52778,04/29/2010,10:18:11.010,SEV=4,IKE/49,RPT=45510,x.x.x.x,Group [x.x.x.x]Security negotiation complete for LAN-to-LAN Group (x.x.x.x)Responder Inbound SPI = 0x1c4ab228 Outbound SPI = 0x2f764a2f
52781,04/29/2010,10:18:11.020,SEV=4,IKE/120,RPT=47769,x.x.x.x,Group [x.x.x.x] PHASE 2 COMPLETED (msgid=cf771603)
57487,04/29/2010,10:56:23.550,SEV=4,IKE/41,RPT=43453,x.x.x.x,Group [x.x.x.x]IKE Initiator: Rekeying Phase 2 Intf 2 IKE Peer x.x.x.xlocal Proxy Address 192.168.72.16 remote Proxy Address 10.250.10.106 SA
57491,04/29/2010,10:56:23.710,SEV=4,IKE/49,RPT=45586,x.x.x.x,Group [x.x.x.x]Security negotiation complete for LAN-to-LAN Group (x.x.x.x)Responder Inbound SPI = 0x38c241c8 Outbound SPI = 0xe3269230
57494,04/29/2010,10:56:23.720,SEV=4,IKE/120,RPT=47845,x.x.x.x,Group [x.x.x.x] PHASE 2 COMPLETED (msgid=061ef7d7)
04-30-2010 09:45 AM
Hi,
It just seems that connectivity on the check point side is being interrupted.
You continue to see Tx increasing while Rx not.
Then after any change, the connection restores.
Could you verify that when the problem happens, the Internet connection is not getting interrupted on the check point side?
Federico.
05-01-2010 05:46 AM
As Federico indicates, there may be a network problem on the remote side.
The log entries you listed look like normal IPSEC SA rekeys.
Are both VPN peers configured for bi-directional initiation of the VPN tunnel?
05-04-2010 03:43 AM
Thanks for the inputs I will check and revert
05-04-2010 06:36 AM
Dear mates.
I got a few more logs during today's outage. I was not able to get the client on a call during the outage window; after resetting the tunnel, service was restored. Kindly
refer to the logs below and help me.
I am seeing MSG6 logs:
58223,05/04/2010,17:38:22.670,SEV=4,IKE/136,RPT=1269,x.x.x.x,Group [x.x.x.x]IKE session establishment timed out [MM_BLD_MSG6] aborting!
58225,05/04/2010,17:38:22.900,SEV=4,IKEDBG/97,RPT=6215,x.x.x.x,Group [x.x.x.x] QM FSM error (P2 struct &0x17a244b0 mess id 0xc3daaf82)!
58304,05/04/2010,17:38:30.850,SEV=4,IKEDBG/97,RPT=6220,x.x.x.x,Group [x.x.x.x] QM FSM error (P2 struct &0x145a0e68 mess id 0xdb4230f6)!
58510,05/04/2010,17:38:52.670,SEV=4,IKE/136,RPT=1272,x.x.x.x,Group [x.x.x.x]IKE session establishment timed out [MM_BLD_MSG6] aborting!
58604,05/04/2010,17:39:02.670,SEV=4,IKE/136,RPT=1274,x.x.x.x,Group [x.x.x.x]IKE session establishment timed out [MM_BLD_MSG6] aborting!
58606,05/04/2010,17:39:02.670,SEV=4,IKE/136,RPT=1275,x.x.x.x,Group [x.x.x.x]IKE session establishment timed out [MM_BLD_MSG6] aborting!
58688,05/04/2010,17:39:12.670,SEV=4,IKE/136,RPT=1276,x.x.x.x,Group [x.x.x.x]IKE session establishment timed out [MM_BLD_MSG6] aborting!
During the outage window, we tried to initiate interesting traffic, probably after 10 minutes, from the interface VLAN 192.168.72.1. The error log suggests "Failure during phase 1 rekeying attempt due to collision":
60962,05/04/2010,17:57:27.270,SEV=4,IKE/41,RPT=9783,X.X.X.X,Group [X.X.X.X]IKE Initiator: New Phase 2 Intf 2 IKE Peer X.X.X.Xlocal Proxy Address 192.168.72.1 remote Proxy Address 10.250.10.78 SA
60967,05/04/2010,17:57:27.770,SEV=4,IKE/92,RPT=53805,X.X.X.X,Group [X.X.X.X] Failure during phase 1 rekeying attempt due to collision
60968,05/04/2010,17:57:29.270,SEV=4,IKE/41,RPT=9784,X.X.X.X,Group [X.X.X.X]IKE Initiator: New Phase 2 Intf 2 IKE Peer X.X.X.Xlocal Proxy Address 192.168.72.1 remote Proxy Address 10.250.10.78 SA
60972,05/04/2010,17:57:29.520,SEV=4,IKE/92,RPT=53806,X.X.X.X,Group [X.X.X.X] Failure during phase 1 rekeying attempt due to collision
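As an added example, not code from the thread or from Cisco: a small Python parser for the concentrator log format quoted in the posts above (sequence, date, time, SEV, event id, RPT, peer, message), which tags the event ids seen in this thread (IKE/136 MM_BLD_MSG6 timeouts, IKEDBG/97 QM FSM errors, IKE/92 phase 1 rekey collisions, IKE/120 phase 2 completions) and lists peers showing failures, so an outage window can be triaged from the log rather than by eye. The sample lines are copied from the thread; the event-to-kind mapping is an assumption based only on the messages shown here.

```python
import re
from collections import Counter

# Sample lines taken from the thread above (peer addresses already masked there).
SAMPLE_LOG = """\
58223,05/04/2010,17:38:22.670,SEV=4,IKE/136,RPT=1269,x.x.x.x,Group [x.x.x.x]IKE session establishment timed out [MM_BLD_MSG6] aborting!
58225,05/04/2010,17:38:22.900,SEV=4,IKEDBG/97,RPT=6215,x.x.x.x,Group [x.x.x.x] QM FSM error (P2 struct &0x17a244b0 mess id 0xc3daaf82)!
57494,04/29/2010,10:56:23.720,SEV=4,IKE/120,RPT=47845,x.x.x.x,Group [x.x.x.x] PHASE 2 COMPLETED (msgid=061ef7d7)
60967,05/04/2010,17:57:27.770,SEV=4,IKE/92,RPT=53805,X.X.X.X,Group [X.X.X.X] Failure during phase 1 rekeying attempt due to collision
"""

# Field layout as it appears in the posted lines; the message is everything after the peer.
LINE_RE = re.compile(
    r"^(?P<seq>\d+),(?P<date>[\d/]+),(?P<time>[\d:.]+),SEV=(?P<sev>\d+),"
    r"(?P<event>[A-Z]+/\d+),RPT=(?P<rpt>\d+),(?P<peer>[^,]+),(?P<msg>.*)$"
)

# Assumed mapping from the event ids seen in this thread to a triage category.
SIGNATURES = {
    "IKE/136": "phase1_timeout",     # MM_BLD_MSG6: main mode never reached message 6
    "IKEDBG/97": "qm_fsm_error",     # quick mode (phase 2) state machine error
    "IKE/92": "p1_rekey_collision",  # both peers rekeyed phase 1 at the same time
    "IKE/120": "phase2_ok",          # phase 2 SA established
}

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["kind"] = SIGNATURES.get(rec["event"], "other")
    return rec

def summarize(log_text):
    """Count (peer, kind) pairs across all parsable lines; peers are lower-cased to merge x.x.x.x / X.X.X.X."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["peer"].lower(), rec["kind"])] += 1
    return counts

def unhealthy_peers(counts):
    """Peers with at least one phase 1 timeout, QM FSM error or rekey collision."""
    bad = {"phase1_timeout", "qm_fsm_error", "p1_rekey_collision"}
    peers = {peer for peer, _ in counts}
    return sorted(p for p in peers if any(counts[(p, k)] for k in bad))
```

Feed the concentrator's exported event log to summarize() and compare the counts against the outage window; a peer that shows only phase2_ok events while RX stays at zero points at the far side or the path, as Federico suggested, rather than at IKE.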
05-04-2010 07:28 AM
There is a really good document on troubleshooting the most common VPN problems. http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution4
This is what it says about the problem you are having and how to address it. Also, I would clear the VPN connection before attempting a new one.
If the users are frequently disconnected across the L2L tunnel, the problem can be the lesser lifetime configured in ISAKMP SA. If any discrepancy occurs in the ISAKMP lifetime, you can receive the %PIX|ASA-5-713092: Group = x.x.x.x, IP = x.x.x.x, Failure during phase 1 rekeying attempt due to collision error message in PIX/ASA. For FWSM, you can receive the %FWSM-5-713092: Group = x.x.x.x, IP = x.x.x.x, Failure during phase 1 rekeying attempt due to collision error message. Configure the same value in both the peers in order to fix it.
05-06-2010 11:20 PM
05-07-2010 06:26 AM
Were these values changed or is what is configured now what was there before?
Did you clear the VPN tunnel from the peers so they re-establish the VPN session?
On the concentrator, are these changes applied to the LAN-2-LAN SA? In the configuration of the LAN-2-LAN SA, the IKE proposal is pulled in from the list of IKE proposals, but the IPSEC parameters are set within the LAN-2-LAN SA configuration for that site.
Configuration | Policy Management | Traffic Management | Security Associations | Modify ->name of LAN-2-LAN SA
07-14-2010 01:28 AM
Dear All,
Thanks for your kind support and valuable tips. The issue got arrested and the tunnel has been stable for 28 days.
Summary: the encryption domain lists allowed at the Concentrator and the Check Point contained more than 35 individual /32 networks. We summarized on both devices and
allowed one /24 network segment; since then the tunnel has been stable. Not sure of the exact cause; just to keep you all updated.