Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9562
Views
0
Helpful
8
Replies

Phase 2 failing .IKE Initiator: Rekeying Phase 2 Intf 2 IKE Peer x.x.x.x logs VPN concentrator

santoshvijapur
Level 1
Level 1

‎04-30-2010 02:25 AM

Dear All,

I have VPN 3000 series concentrator   , S2S tunnel  built to check point .  since last week tunnel  having issue . below are the observation

Phase one will be up . TX traffic observing increasing . RX  trffic not moving . application are not working any of phase 2 . after 30 minutes  phase 2 tunnel traffic start flowoing automatically without any changes . if tunnel force to reset either any of the device  service will restore  or phase traffic will be in both direction

below are the logs . please help  me to trouble shoot this issue.

52774,04/29/2010,10:18:10.130,SEV=4,IKE/41,RPT=43284,x.x.x.x,Group x.x.x.x IKE Initiator: Rekeying Phase 2  Intf 2  IKE Peer x.x.x.xlocal Proxy Address 192.168.72.10  remote Proxy Address 10.250.10.78 SA


52778,04/29/2010,10:18:11.010,SEV=4,IKE/49,RPT=45510,x.x.x.x,Group [x.x.x.x]Security negotiation complete for LAN-to-LAN Group (x.x.x.x)Responder  Inbound SPI = 0x1c4ab228  Outbound SPI = 0x2f764a2f


52781,04/29/2010,10:18:11.020,SEV=4,IKE/120,RPT=47769,x.x.x.x,Group [x.x.x.x] PHASE 2 COMPLETED (msgid=cf771603)

57487,04/29/2010,10:56:23.550,SEV=4,IKE/41,RPT=43453,x.x.x.x,Group [x.x.x.x]IKE Initiator: Rekeying Phase 2  Intf 2  IKE Peer x.x.x.xlocal Proxy Address 192.168.72.16  remote Proxy Address 10.250.10.106 SA


57491,04/29/2010,10:56:23.710,SEV=4,IKE/49,RPT=45586,x.x.x.x,Group [x.x.x.x]Security negotiation complete for LAN-to-LAN Group (x.x.x.x)Responder  Inbound SPI = 0x38c241c8  Outbound SPI = 0xe3269230


57494,04/29/2010,10:56:23.720,SEV=4,IKE/120,RPT=47845,x.x.x.x,Group [x.x.x.x] PHASE 2 COMPLETED (msgid=061ef7d7)

1 person had this problem
Labels:
0 Helpful
8 Replies 8

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎04-30-2010 09:45 AM

Hi,

It just seems that connectivity on the check point side is being interrupted.

You continue to see Tx increasing while Rx not.

Then after any change, the connection restores.

Could you verify that when the problem happens, the Internet connection is not getting interrupted on the check point side?

Federico.

0 Helpful

slmansfield
Level 4
Level 4
In response to Federico Coto Fajardo

‎05-01-2010 05:46 AM

As Federico indicates, there may be a network problem on the remote side.

The log entries you listed look like normal IPSEC SA rekeys. 

Are both VPN peers configured for bi-directional initiation of the VPN tunnel?

0 Helpful

santoshvijapur
Level 1
Level 1
In response to slmansfield

‎05-04-2010 03:43 AM

Thanks for the inputs I will check and revert

0 Helpful

santoshvijapur
Level 1
Level 1
In response to santoshvijapur

‎05-04-2010 06:36 AM

Dear mates.

I got few more logs  during today outage . I am not able to get client in the call during outage window . after resetting the tunnel  service restored . kindly

refer the below logs and help  me

I am seeing  MSG6 logs .

58223,05/04/2010,17:38:22.670,SEV=4,IKE/136,RPT=1269,x.x.x.x,Group [x.x.x.x]IKE session establishment timed out [MM_BLD_MSG6]  aborting!
58225,05/04/2010,17:38:22.900,SEV=4,IKEDBG/97,RPT=6215,x.x.x.x,Group [x.x.x.x] QM FSM error (P2 struct &0x17a244b0  mess id 0xc3daaf82)!

58304,05/04/2010,17:38:30.850,SEV=4,IKEDBG/97,RPT=6220,x.x.x.x,Group [x.x.x.x] QM FSM error (P2 struct &0x145a0e68  mess id 0xdb4230f6)!

58510,05/04/2010,17:38:52.670,SEV=4,IKE/136,RPT=1272,x.x.x.x,Group [x.x.x.x]IKE session establishment timed out [MM_BLD_MSG6]  aborting!

58604,05/04/2010,17:39:02.670,SEV=4,IKE/136,RPT=1274,x.x.x.x,Group [x.x.x.x]IKE session establishment timed out [MM_BLD_MSG6]  aborting!
58606,05/04/2010,17:39:02.670,SEV=4,IKE/136,RPT=1275,x.x.x.x,Group [x.x.x.x]IKE session establishment timed out [MM_BLD_MSG6]  aborting!

58688,05/04/2010,17:39:12.670,SEV=4,IKE/136,RPT=1276,x.x.x.x,Group [x.x.x.x]IKE session establishment timed out [MM_BLD_MSG6]  aborting!

during outage window , we tried to initiate interesting traffic  probaly after 10 minutes . from the Interface VLAN 192.168.72.1 . error log suggesting      " Failure during phase 1 rekeying attempt due to collision "

60962,05/04/2010,17:57:27.270,SEV=4,IKE/41,RPT=9783,X.X.X.X,Group [X.X.X.X]IKE Initiator: New Phase 2  Intf 2  IKE Peer X.X.X.Xlocal Proxy Address 192.168.72.1  remote Proxy Address 10.250.10.78 SA

60967,05/04/2010,17:57:27.770,SEV=4,IKE/92,RPT=53805,X.X.X.X,Group [X.X.X.X] Failure during phase 1 rekeying attempt due to collision

60968,05/04/2010,17:57:29.270,SEV=4,IKE/41,RPT=9784,X.X.X.X,Group [X.X.X.X]IKE Initiator: New Phase 2  Intf 2  IKE Peer X.X.X.Xlocal Proxy Address 192.168.72.1  remote Proxy Address 10.250.10.78 SA

60972,05/04/2010,17:57:29.520,SEV=4,IKE/92,RPT=53806,X.X.X.X,Group [X.X.X.X] Failure during phase 1 rekeying attempt due to collision

0 Helpful

slmansfield
Level 4
Level 4
In response to santoshvijapur

‎05-04-2010 07:28 AM

There is a really good document on troubleshooting the most common VPN problems.  http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution4

This is what it says about the problem you are having and how to address it.  Also, I would clear the VPN connection before attempting a new one.

Verify ISAKMP Lifetime

If the users are frequently disconnected across the L2L tunnel, the problem can be the lesser lifetime configured in ISAKMP SA. If any discrepancy occurs in the ISAKMP lifetime, you can receive the %PIX|ASA-5-713092: Group = x.x.x.x, IP = x.x.x.x, Failure during phase 1 rekeying attempt due to collision error message in PIX/ASA. For FWSM, you can receive the %FWSM-5-713092: Group = x.x.x.x, IP = x.x.x.x, Failure during phase 1 rekeying attempt due to collision error message. Configure the same value in both the peers in order to fix it.

0 Helpful

santoshvijapur
Level 1
Level 1
In response to slmansfield

‎05-06-2010 11:20 PM

Dear slmansfield

verifed the life time parametrs  ( file is attached) , look like both lifetime paramters are matching   .

Kidnly suggest any other parameters need to check. please.

Preview file
151 KB
0 Helpful

slmansfield
Level 4
Level 4
In response to santoshvijapur

‎05-07-2010 06:26 AM

Were these values changed or is what is configured now what was there before?

Did you clear the VPN tunnel from the peers so they re-establish the VPN session?

On the concentrator, are these changes applied to the LAN-2-LAN SA?  In the configuration of the LAN-2-LAN SA, the IKE proposal is pulled in from the list of IKE proposals, but the IPSEC paramters are set within the LAN-2-LAN SA configuration for that site.

Configuration | Policy Management | Traffic Management | Security Associations | Modify ->name of LAN-2-LAN SA

0 Helpful

santoshvijapur
Level 1
Level 1
In response to slmansfield

‎07-14-2010 01:28 AM

Dear All,

Thanks for your kind support and Valuable tips . the issue got arrested and tunnel is stable since 28 days .

Summary :   encryption list allowed at Concentartor and Checkpoint  were more than 35 individual /32 networks. done the summarization at both device

allowed one /24 network segment . since then tunnel got stable . not sure exact cause . just to keep all you updated .

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents