Tunnel VPN Failed after x hours.

Unanswered Question
Oct 6th, 2014

Hi,

 

I've built a VPN tunnel between 1 fixed IP (ASA 5510) and 1 dynamic IP (ASA5505) through the internet.

The 5505 is in aggressive mode and the tunnel's up after a firewall restart.

When my connection restarts, every 48 hours, the VPN can't rebuild itself.

On the responder site, I can see the state: AM_WAIT_MSG3.

If I restart the initiator site, the tunnel will be up.

 

Do you have any idea?

 

Thanks in advance.

Nicolas Coppee Mon, 10/06/2014 - 03:36

Below, the debug content.

ASA1(config)# Oct 06 03:51:39 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, IKE AM Responder FSM error history (struct &0xae866c60)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CHECK_SPOOF-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR
Oct 06 03:51:39 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, IKE SA AM:df8a59fc terminating:  flags 0x0100c001, refcnt 0, tuncnt 0
Oct 06 03:51:39 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, sending delete/delete with reason message
Oct 06 03:51:39 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, constructing blank hash payload
Oct 06 03:51:39 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, constructing IKE delete payload
Oct 06 03:51:39 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, constructing qm hash payload
Oct 06 03:51:39 [IKEv1]IP = 109.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=bc3fcebd) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Oct 06 03:52:11 [IKEv1]IP = 109.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 450
Oct 06 03:52:11 [IKEv1 DEBUG]IP = 109.xxx.xxx.xxx, processing SA payload
Oct 06 03:52:11 [IKEv1 DEBUG]IP = 109.xxx.xxx.xxx, processing ke payload
Oct 06 03:52:11 [IKEv1 DEBUG]IP = 109.xxx.xxx.xxx, processing ISA_KE payload
Oct 06 03:52:11 [IKEv1 DEBUG]IP = 109.xxx.xxx.xxx, processing nonce payload
Oct 06 03:52:11 [IKEv1 DEBUG]IP = 109.xxx.xxx.xxx, processing ID payload
Oct 06 03:52:11 [IKEv1 DECODE]IP = 109.xxx.xxx.xxx, ID_FQDN ID received, len 6
0000: 434F4743 494E                           COGCIN


Oct 06 03:52:11 [IKEv1 DEBUG]IP = 109.xxx.xxx.xxx, processing VID payload
Oct 06 03:52:11 [IKEv1 DEBUG]IP = 109.xxx.xxx.xxx, Received Cisco Unity client VID
Oct 06 03:52:11 [IKEv1 DEBUG]IP = 109.xxx.xxx.xxx, processing VID payload
Oct 06 03:52:11 [IKEv1 DEBUG]IP = 109.xxx.xxx.xxx, Received xauth V6 VID
Oct 06 03:52:11 [IKEv1 DEBUG]IP = 109.xxx.xxx.xxx, processing VID payload
Oct 06 03:52:11 [IKEv1 DEBUG]IP = 109.xxx.xxx.xxx, Received NAT-Traversal ver 02 VID
Oct 06 03:52:11 [IKEv1 DEBUG]IP = 109.xxx.xxx.xxx, processing VID payload
Oct 06 03:52:11 [IKEv1 DEBUG]IP = 109.xxx.xxx.xxx, Received NAT-Traversal ver 03 VID
Oct 06 03:52:11 [IKEv1 DEBUG]IP = 109.xxx.xxx.xxx, processing VID payload
Oct 06 03:52:11 [IKEv1 DEBUG]IP = 109.xxx.xxx.xxx, Received NAT-Traversal RFC VID
Oct 06 03:52:11 [IKEv1 DEBUG]IP = 109.xxx.xxx.xxx, processing VID payload
Oct 06 03:52:11 [IKEv1 DEBUG]IP = 109.xxx.xxx.xxx, Received Fragmentation VID
Oct 06 03:52:11 [IKEv1 DEBUG]IP = 109.xxx.xxx.xxx, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Oct 06 03:52:11 [IKEv1]IP = 109.xxx.xxx.xxx, Connection landed on tunnel_group COGCIN
Oct 06 03:52:11 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, processing IKE SA payload
Oct 06 03:52:11 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, IKE SA Proposal # 1, Transform # 2 acceptable  Matches global IKE entry # 6
Oct 06 03:52:11 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, constructing ISAKMP SA payload
Oct 06 03:52:11 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, constructing ke payload
Oct 06 03:52:11 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, constructing nonce payload
Oct 06 03:52:11 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, Generating keys for Responder...
Oct 06 03:52:11 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, constructing ID payload
Oct 06 03:52:11 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, constructing hash payload
Oct 06 03:52:11 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, Computing hash for ISAKMP
Oct 06 03:52:11 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, constructing Cisco Unity VID payload
Oct 06 03:52:11 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, constructing xauth V6 VID payload
Oct 06 03:52:11 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, constructing dpd vid payload
Oct 06 03:52:11 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, constructing NAT-Traversal VID ver RFC payload
Oct 06 03:52:11 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, constructing NAT-Discovery payload
Oct 06 03:52:11 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, computing NAT Discovery hash
Oct 06 03:52:11 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, constructing NAT-Discovery payload
Oct 06 03:52:11 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, computing NAT Discovery hash
Oct 06 03:52:11 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, constructing Fragmentation VID + extended capabilities payload
Oct 06 03:52:11 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, Send IOS VID
Oct 06 03:52:11 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Oct 06 03:52:11 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, constructing VID payload
Oct 06 03:52:11 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Oct 06 03:52:11 [IKEv1]IP = 109.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 456
Oct 06 03:52:43 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, IKE AM Responder FSM error history (struct &0xae866c60)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CHECK_SPOOF-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR
Oct 06 03:52:43 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, IKE SA AM:cd485bd4 terminating:  flags 0x0100c001, refcnt 0, tuncnt 0
Oct 06 03:52:43 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, sending delete/delete with reason message
Oct 06 03:52:43 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, constructing blank hash payload
Oct 06 03:52:43 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, constructing IKE delete payload
Oct 06 03:52:43 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, constructing qm hash payload
Oct 06 03:52:43 [IKEv1]IP = 109.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=7fa9b0b2) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
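
Added example (not part of the original post, and not Cisco tooling): a small parser for the "IKE AM Responder FSM error history" lines above that reports, for each negotiation the responder abandoned, which state timed out and how long it waited after sending aggressive-mode message 2. The sample lines are abbreviated from the post's debug output, and the year is an assumption because the log lines carry none.

```python
import re
from datetime import datetime

# Constructed sample: four lines abbreviated from the post's debug output
# (payload lists shortened, peer IP masked as in the post).
SAMPLE = """\
Oct 06 03:52:11 [IKEv1]IP = 109.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + NONE (0) total length : 450
Oct 06 03:52:11 [IKEv1]IP = 109.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + NAT-D (20) + NONE (0) total length : 456
Oct 06 03:52:43 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, IKE AM Responder FSM error history (struct &0xae866c60)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CHECK_SPOOF
Oct 06 03:52:43 [IKEv1 DEBUG]Group = COGCIN, IP = 109.xxx.xxx.xxx, IKE SA AM:cd485bd4 terminating:  flags 0x0100c001, refcnt 0, tuncnt 0
"""

YEAR = "2014"  # assumption: the debug lines carry no year; taken from the post date
STAMP = re.compile(r"(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \[IKEv1")
HISTORY = re.compile(r"Group = (\w+),.*FSM error history .*<state>, <event>:\s+(.*)$")


def stamp(line):
    """Return the line's timestamp, or None for continuation/hex-dump lines."""
    m = STAMP.search(line)
    return datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S") if m else None


def failed_am_attempts(text):
    """Summarise each aggressive-mode negotiation the responder gave up on."""
    attempts, msg2_sent = [], None
    for line in text.splitlines():
        when = stamp(line)
        if when is None:
            continue
        # Responder's AM message 2: msgid=0, sent, carrying KE and HASH.
        if "SENDING Message (msgid=0)" in line and "KE (4)" in line and "HASH (8)" in line:
            msg2_sent = when
        m = HISTORY.search(line)
        if m:
            # The history is a "-->"-separated chain of "<state>, <event>" pairs.
            pairs = [tuple(p.strip().split(", ")) for p in m.group(2).split("-->")]
            attempts.append({
                "group": m.group(1),
                "at": when,
                "events": [event for _, event in pairs],
                "timed_out_in": [s for s, e in pairs if e == "EV_TIMEOUT"],
                "waited_s": (when - msg2_sent).total_seconds() if msg2_sent else None,
            })
            msg2_sent = None  # the next attempt starts with a fresh message 2
    return attempts


if __name__ == "__main__":
    for a in failed_am_attempts(SAMPLE):
        print(a["at"], a["group"], a["timed_out_in"], a["waited_s"], a["events"])
```

Run over a longer capture, a steady stream of records with the same state in timed_out_in and a constant waited_s shows the responder repeatedly reaching the same point and giving up, which is the pattern visible in the two attempts posted here.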
