problem EASY VPN

Unanswered Question
May 17th, 2010

Hello,

I have a problem with my Easy VPN client: it goes down every 10 seconds and this message appears in the debug:

*Mar 11 08:50:33.557: ISAKMP:(3005):purging node -1308217119

*Mar 11 08:50:41.345: ISAKMP:(3004):purging SA., sa=83A4B344, delme=83A4B344

regards

Federico Coto F... Mon, 05/17/2010 - 15:05

Angel,

Is this an IPsec client software or an ezvpn hardware client?

The connection establishes, but it goes down every 10 seconds, is that it?

Federico.

Acruzgreg Mon, 05/17/2010 - 15:13

Hi,

The ezvpn is configured on an 800 series router; it establishes the connection and I can ping the private IP address of the remote peer,

and this appears in the log:

*Mar 11 10:08:56.877: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down

*Mar 11 10:08:57.877: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down

*Mar 11 10:08:58.525: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=XXXXX  Group=XXXXX  Server_public_addr=X.X.X.X NEM_Remote_Subnets=192.168.7.0/255.255.255.0  192.168.7.0/255.255.255.0  192.168.7.0

*Mar 11 10:08:58.533: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up

*Mar 11 10:08:59.533: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up

regards

Federico Coto F... Mon, 05/17/2010 - 15:15

Seems the interface is flapping and that might be why the VPN tunnel goes down.

Isn't that the problem?

Federico.
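
The flapping pointed out in the reply above can be measured from the router log itself. The following is an added example, not part of the original thread and not a Cisco tool: it parses the %LINK-3-UPDOWN and %CRYPTO-6-EZVPN_CONNECTION_* lines in the format posted here and reports how long each stays up between drops. The function names, the 60-second window, the threshold of 3 drops and the default year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the log lines posted in this thread.
SAMPLE = """\
*Mar 11 10:08:46.317: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=XXXXX  Group=XXXXX  Server_public_addr=X.X.X.X
*Mar 11 10:08:46.333: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Mar 11 10:08:46.337: ISAKMP:(3005):peer does not do paranoid keepalives.
*Mar 11 10:08:48.525: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=XXXXX  Group=XXXXX  Server_public_addr=X.X.X.X
*Mar 11 10:08:48.533: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Mar 11 10:08:56.317: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=XXXXX  Group=XXXXX  Server_public_addr=X.X.X.X
*Mar 11 10:08:56.333: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Mar 11 10:08:58.525: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=XXXXX  Group=XXXXX  Server_public_addr=X.X.X.X
*Mar 11 10:08:58.533: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Mar 11 10:09:06.317: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=XXXXX  Group=XXXXX  Server_public_addr=X.X.X.X
*Mar 11 10:09:06.333: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
"""

EVENT_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+ [\d:.]+): %(?:LINK-3-UPDOWN: Interface "
    r"(?P<ifc>[^,\s]+), changed state to (?P<ifs>up|down)"
    r"|CRYPTO-6-EZVPN_CONNECTION_(?P<vpn>UP|DOWN))")

def parse_events(text, year=2010):  # IOS omits the year, so one is assumed
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:  # ISAKMP debug lines carry no up/down state and are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
            events.append((ts, m["ifc"] or "ezvpn", (m["ifs"] or m["vpn"]).lower()))
    return sorted(events)

def flap_report(events, window=timedelta(seconds=60), threshold=3):
    report = {}
    for subject in {s for _, s, _ in events}:
        seq = [(t, st) for t, s, st in events if s == subject]
        downs = [t for t, st in seq if st == "down"]
        ups, last_up = [], None  # seconds spent up before each drop
        for t, st in seq:
            if st == "up":
                last_up = t
            elif last_up is not None:  # a log that starts with a drop has no uptime yet
                ups.append(round((t - last_up).total_seconds(), 3))
                last_up = None
        # Most drops that fall inside any one window starting at a drop.
        worst = max((sum(a <= d < a + window for d in downs) for a in downs), default=0)
        report[subject] = {"drops": len(downs), "up_s": ups, "flapping": worst >= threshold}
    return report
```

Calling `flap_report(parse_events(SAMPLE))` returns one entry for `ezvpn` and one for `Virtual-Access2`; comparing their `up_s` values shows whether the interface and the tunnel drop together.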

Acruzgreg Mon, 05/17/2010 - 15:57

Hi,

I checked the IP of the LAN inside interfaces and they have no problem; it's OK.

Federico Coto F... Mon, 05/17/2010 - 16:02

Angel,

I asked the question because on the messages that you attached, the interface is going up/down.

Anyway, please explain the following:

You have IPsec VPN client software connecting to the 800?

Or, the 800 are connecting as ezvpn clients to a VPN server?

Federico.

Acruzgreg Mon, 05/17/2010 - 16:08

The 800 are connecting as ezvpn clients to a VPN server,

and it can communicate with the server; only, when I ping the server it is successful, and when the ezvpn goes down it loses one packet and the ping continues successfully.

regards

Federico Coto F... Mon, 05/17/2010 - 16:12

Angel,

If I understand correctly, the VPN tunnel establishes but it goes down.

If you PING, then it establishes fine, but again goes down.

Is this the problem?

Federico.

Acruzgreg Mon, 05/17/2010 - 16:17

This is the debug:

*Mar 11 08:50:31.345: ISAKMP:(3004):purging node 1424545127

*Mar 11 08:50:31.345: ISAKMP:(3004):purging node -1848733477

*Mar 11 08:50:31.345: ISAKMP:(3004):purging node 322940248

*Mar 11 08:50:31.345: ISAKMP:(3004):purging node -292373508

*Mar 11 08:50:31.345: ISAKMP:(3004):purging node 2088837442

*Mar 11 08:50:31.345: ISAKMP:(3004):purging node -994368148

*Mar 11 08:50:31.345: ISAKMP:(3004):purging node 1533463870

*Mar 11 08:50:31.345: ISAKMP:(3004):purging node 1274754254

*Mar 11 08:50:31.345: ISAKMP:(3004):purging node 1725567880

*Mar 11 08:50:31.345: ISAKMP:(3004):purging node -1582202546

*Mar 11 08:50:31.345: ISAKMP:(3004):purging node 335295199

*Mar 11 08:50:31.345: ISAKMP:(3004):purging node 1354640579

*Mar 11 08:50:33.201: ISAKMP:(3005):purging node 423492054

*Mar 11 08:50:33.233: ISAKMP:(3005):purging node -35547341

*Mar 11 08:50:33.233: ISAKMP:(3005):purging node -678601614

*Mar 11 08:50:33.273: ISAKMP:(3005):purging node 2105251367

*Mar 11 08:50:33.377: ISAKMP:(3005):purging node -236295930

*Mar 11 08:50:33.405: ISAKMP:(3005):purging node 1832706167

*Mar 11 08:50:33.405: ISAKMP:(3005):purging node 622989195

*Mar 11 08:50:33.429: ISAKMP:(3005):purging node 355771240

*Mar 11 08:50:33.429: ISAKMP:(3005):purging node 705069511

*Mar 11 08:50:33.437: ISAKMP:(3005):purging node 2077006263

*Mar 11 08:50:33.481: ISAKMP:(3005):purging node -1464272750

*Mar 11 08:50:33.481: ISAKMP:(3005):purging node -1856382539

*Mar 11 08:50:33.505: ISAKMP:(3005):purging node -556921504

*Mar 11 08:50:33.509: ISAKMP:(3005):purging node -548730233

*Mar 11 08:50:33.529: ISAKMP:(3005):purging node -1217521514

*Mar 11 08:50:33.529: ISAKMP:(3005):purging node -767799163

*Mar 11 08:50:33.557: ISAKMP:(3005):purging node -1045693878

*Mar 11 08:50:33.557: ISAKMP:(3005):purging node -1308217119

*Mar 11 08:50:41.345: ISAKMP:(3004):purging SA., sa=83A4B344, delme=83A4B344

*Mar 11 08:50:43.317: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=usuario  Group=password  Server_public_addr=public_address

*Mar 11 08:50:43.325: ISAKMP: set new node -53475109 to QM_IDLE

*Mar 11 08:50:43.329: ISAKMP:(3005): sending packet to (ip_address) my_port 500 peer_port 500 (I) QM_IDLE

*Mar 11 08:50:43.329: ISAKMP:(3005):Sending an IKE IPv4 Packet.

*Mar 11 08:50:43.329: ISAKMP:(3005):purging node -53475109

*Mar 11 08:50:43.329: ISAKMP:(3005):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL

*Mar 11 08:50:43.329: ISAKMP:(3005):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar 11 08:50:43.329: ISAKMP: set new node -908125820 to QM_IDLE

*Mar 11 08:50:43.329: ISAKMP:(3005): sending packet to (ip_address) my_port 500 peer_port 500 (I) QM_IDLE

*Mar 11 08:50:43.329: ISAKMP:(3005):Sending an IKE IPv4 Packet.

*Mar 11 08:50:43.333: ISAKMP:(3005):purging node -908125820

*Mar 11 08:50:43.333: ISAKMP:(3005):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL

*Mar 11 08:50:43.333: ISAKMP:(3005):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar 11 08:50:43.333: ISAKMP:(3005):peer does not do paranoid keepalives.

*Mar 11 08:50:43.333: ISAKMP:(3005):deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) QM_IDLE       (peer ip_address)

*Mar 11 08:50:43.333: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down

*Mar 11 08:50:43.333: ISAKMP: set new node -1112502632 to QM_IDLE

*Mar 11 08:50:43.333: ISAKMP:(3005): sending packet to (ip_address) my_port 500 peer_port 500 (I) QM_IDLE

*Mar 11 08:50:43.333: ISAKMP:(3005):Sending an IKE IPv4 Packet.

*Mar 11 08:50:43.337: ISAKMP:(3005):purging node -1112502632

*Mar 11 08:50:43.337: ISAKMP:(3005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Mar 11 08:50:43.337: ISAKMP:(3005):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Mar 11 08:50:43.337: ISAKMP:(3005):deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) QM_IDLE       (peer ip_address)

*Mar 11 08:50:43.337: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.

*Mar 11 08:50:43.337: ISAKMP: Unlocking peer struct 0x8428F098 for isadb_mark_sa_deleted(), count 0

*Mar 11 08:50:43.337: ISAKMP: Deleting peer node by peer_reap for 200.67.233.238: 8428F098

*Mar 11 08:50:43.337: ISAKMP:(3005):deleting node 1661617387 error FALSE reason "IKE deleted"

*Mar 11 08:50:43.341: ISAKMP:(3005):deleting node 2032741393 error FALSE reason "IKE deleted"

*Mar 11 08:50:43.341: ISAKMP:(3005):deleting node -1308849341 error FALSE reason "IKE deleted"

*Mar 11 08:50:43.341: ISAKMP:(3005):deleting node -955006391 error FALSE reason "IKE deleted"

*Mar 11 08:50:43.341: ISAKMP:(3005):deleting node 354578411 error FALSE reason "IKE deleted"

*Mar 11 08:50:43.341: ISAKMP:(3005):deleting node -1258842804 error FALSE reason "IKE deleted"

*Mar 11 08:50:43.341: ISAKMP:(3005):deleting node -2102576846 error FALSE reason "IKE deleted"

*Mar 11 08:50:43.341: ISAKMP:(3005):deleting node -1200444317 error FALSE reason "IKE deleted"

*Mar 11 08:50:43.341: ISAKMP:(3005):deleting node 75082018 error FALSE reason "IKE deleted"

*Mar 11 08:50:43.341: ISAKMP:(3005):deleting node -1753974262 error FALSE reason "IKE deleted"

*Mar 11 08:50:43.341: ISAKMP:(3005):deleting node 49047803 error FALSE reason "IKE deleted"

*Mar 11 08:50:43.341: ISAKMP:(3005):deleting node 1355123061 error FALSE reason "IKE deleted"

*Mar 11 08:50:43.341: ISAKMP:(3005):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 11 08:50:43.341: ISAKMP:(3005):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Mar 11 08:50:44.333: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down

*Mar 11 08:50:44.637: del_node src (ip_address):500 dst (ip-adreesss):500 fvrf 0x0, ivrf 0x0

*Mar 11 08:50:44.637: ISAKMP:(3005):peer does not do paranoid keepalives.

*Mar 11 08:50:44.637: ISAKMP:(0): SA request profile is (NULL)

*Mar 11 08:50:44.637: ISAKMP: Created a peer struct for (ip_address), peer port 500

*Mar 11 08:50:44.637: ISAKMP: New peer created peer = 0x8428F098 peer_handle = 0x80002A9D

*Mar 11 08:50:44.637: ISAKMP: Locking peer struct 0x8428F098, refcount 1 for isakmp_initiator

*Mar 11 08:50:44.637: ISAKMP:(0):Setting client config settings 83A4C2F4

*Mar 11 08:50:44.637: ISAKMP: local port 500, remote port 500

*Mar 11 08:50:44.637: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 83A4B344

*Mar 11 08:50:44.641: ISAKMP:(0): client mode configured.

*Mar 11 08:50:44.641: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Mar 11 08:50:44.641: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Mar 11 08:50:44.641: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Mar 11 08:50:44.641: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Mar 11 08:50:44.641: ISKAMP: growing send buffer from 1024 to 3072

*Mar 11 08:50:44.641: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID

*Mar 11 08:50:44.641: ISAKMP (0:0): ID payload

        next-payload : 13

Federico Coto F... Mon, 05/17/2010 - 16:22

What is this interface used for in your scenario: Virtual-Access2?

Check your running-config

Federico.

Acruzgreg Tue, 05/18/2010 - 07:48

Hi Federico,

In my ezvpn config it is the virtual-interface1.

Regards

Federico Coto F... Tue, 05/18/2010 - 08:12

Angel,

Seems the connectivity is getting interrupted.

Can you confirm that the Internet continues working fine from both the server and the client sides when the VPN tunnel goes down?

Federico.

Federico Coto F... Tue, 05/18/2010 - 08:35

Angel,

Is this the only ezvpn client connecting to the ezvpn servers? Or do you have more clients? In that case, are they failing as well?

Federico.

Federico Coto F... Tue, 05/18/2010 - 10:15

Angel,

What device is acting as the ezvpn server? ASA, router, etc?

Just out of curiosity, let me ask you something: is there any special reason why you're implementing an ezvpn connection instead of a regular site-to-site IPsec tunnel?

Federico.

Acruzgreg Tue, 05/18/2010 - 10:20

Federico,

My ezvpn server is a Cisco 2800 router, and my reason is that the ezvpn client is a Cisco 800 router with ADSL and doesn't have a static public IP.

regards

Federico Coto F... Tue, 05/18/2010 - 10:24

Angel,

If the only reason is because the 800 side does not have a static IP, you can try a dynamic-to-static IPsec tunnel. Take a look:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml

Anyway, ezvpn should work as well. I'm just wondering if you want to give the above configuration a try and see how it goes.

Federico.
