Greetings, we are running a Cisco ASA 5510 with 8.0.3(19) code and have several site-to-site VPN connections for various partner access.
One partner is using a WatchGuard X550e; the site-to-site tunnel is configured as follows:
IKE Phase 1: 3Des/Sha/DH Group 2
IKE Phase 2: 3Des/Sha/DH Group 2
IKE is using aggressive mode and PFS has been disabled.
The VPN establishes just fine and stays up for the set SA lifetime, the default of 8 hours, but when the 8-hour limit is reached the VPN drops out and cannot re-key and re-establish the connection. To get the connection back up, the link has to be torn down at one end and re-created manually.
This is what happens after the 8-hour period.
Group = 18.104.22.168, IP = 22.214.171.124, Received non-routine Notify message: Payload malformed (16)
Group = 126.96.36.199, IP = 188.8.131.52, De-queuing KEY-ACQUIRE messages that were left pending.
IP = 184.108.40.206, Keep-alives configured on but peer does not support keep-alives (type = None)
Group = 220.127.116.11, IP = 18.104.22.168, PHASE 1 COMPLETED
AAA retrieved default group policy (DfltGrpPolicy) for user = 22.214.171.124
Group = 126.96.36.199, IP = 188.8.131.52, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
IP = 184.108.40.206, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
IP = 220.127.116.11, IKE Initiator: New Phase 1, Intf inside, IKE Peer 18.104.22.168 local Proxy Address 172.18.17.0, remote Proxy Address 192.168.0.0, Crypto map (OutsideMap)
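Added here as a worked example, not code from the post or from Cisco: a small Python triage script that walks ASA IKE log lines like the ones above, keyed by the peer address, and flags a peer where a "Payload malformed (16)" notify arrived after PHASE 1 COMPLETED with no later Phase 1 completion (the tunnel never came back), and separately notes that the peer does not support keep-alives. It assumes the lines are read in chronological order (the post lists newest entries first, so the sample below is reversed) and uses the constructed placeholder peer address 203.0.113.10.

```python
import re

# Constructed sample from the post's log excerpt, reordered oldest first
# (the post lists newest entries first); 203.0.113.10 is a placeholder peer.
SAMPLE_LOG = """\
IP = 203.0.113.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.10 local Proxy Address 172.18.17.0, remote Proxy Address 192.168.0.0, Crypto map (OutsideMap)
Group = 203.0.113.10, IP = 203.0.113.10, PHASE 1 COMPLETED
IP = 203.0.113.10, Keep-alives configured on but peer does not support keep-alives (type = None)
Group = 203.0.113.10, IP = 203.0.113.10, De-queuing KEY-ACQUIRE messages that were left pending.
Group = 203.0.113.10, IP = 203.0.113.10, Received non-routine Notify message: Payload malformed (16)
"""

IP_RE = re.compile(r"\bIP = (\d{1,3}(?:\.\d{1,3}){3})")
EVENTS = {  # substring of the ASA message -> event name
    "PHASE 1 COMPLETED": "p1_done",
    "Payload malformed (16)": "malformed",
    "peer does not support keep-alives": "no_dpd",
}
FINDINGS = {
    "malformed": "re-key rejected: Payload malformed (16) after Phase 1 and no new Phase 1 completed",
    "no_dpd": "peer does not support keep-alives, so a dead tunnel is not detected",
}

def parse_events(log_text):
    """Yield (peer_ip, event) for each recognised IKE message, in log order."""
    for line in log_text.splitlines():
        m = IP_RE.search(line)
        for needle, event in EVENTS.items():
            if m and needle in line:
                yield m.group(1), event
                break

def find_rekey_failures(log_text):
    """Return {peer_ip: [finding, ...]} for peers whose tunnel did not come back.
    'malformed' only counts after PHASE 1 COMPLETED and is cleared by a later
    Phase 1 completion, so a peer that re-keyed successfully is not reported."""
    state = {}
    for peer, event in parse_events(log_text):
        flags = state.setdefault(peer, set())
        if event == "p1_done":
            flags.add("p1_done")
            flags.discard("malformed")  # fresh SA: forget an earlier rejection
        elif event == "malformed" and "p1_done" in flags:
            flags.add("malformed")
        elif event == "no_dpd":
            flags.add("no_dpd")
    return {peer: [FINDINGS[f] for f in ("malformed", "no_dpd") if f in flags]
            for peer, flags in state.items() if flags & set(FINDINGS)}
```

Run it over a day's worth of IKE syslog and any peer reported with the "re-key rejected" finding is one whose lifetime expiry did not renegotiate cleanly, which is the pattern described above.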