Cisco Support Community

Cisco ASA and Watchguard VPN SA Re-Key Errors

Greetings, we are running a Cisco ASA 5510 with 8.0.3(19) code and have several site-to-site VPN connections for various partner access.

One partner is using a Watchguard x550e; the site-to-site tunnel is configured as follows:

IKE Phase 1: 3DES/SHA/DH Group 2

IKE Phase 2: 3DES/SHA/DH Group 2

IKE is using aggressive mode and PFS has been disabled.

The VPN establishes just fine and stays up for the set SA lifetime, the default of 8 hours, but when the 8-hour limit is reached the VPN drops out and cannot re-key and re-establish the connection. To get the connection back up, the link has to be torn down at one end and re-created manually.

This is what happens after the 8-hour period.

Group = 77.61.115.51, IP = 77.61.115.51, Received non-routine Notify message: Payload malformed (16)
Group = 77.61.115.51, IP = 77.61.115.51, De-queuing KEY-ACQUIRE messages that were left pending.
IP = 77.61.115.51, Keep-alives configured on but peer does not support keep-alives (type = None)
Group = 77.61.115.51, IP = 77.61.115.51, PHASE 1 COMPLETED
AAA retrieved default group policy (DfltGrpPolicy) for user = 77.61.115.51
Group = 77.61.115.51, IP = 77.61.115.51, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
IP = 77.61.115.51, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
IP = 77.61.115.51, IKE Initiator: New Phase 1, Intf inside, IKE Peer 77.61.115.51 local Proxy Address 172.18.17.0, remote Proxy Address 192.168.0.0, Crypto map (OutsideMap)
Group = 77.61.115.51, Username = 77.61.115.51, IP = 77.61.115.51, Session disconnected. Session Type: IKE, Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Error
Group = 77.61.115.51, IP = 77.61.115.51, Removing peer from correlator table failed, no match!
Group = 77.61.115.51, IP = 77.61.115.51, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Group = 77.61.115.51, IP = 77.61.115.51, QM FSM error (P2 struct &0xd8e9a790, mess id 0x16ee7a8c)!

Would anyone have any suggestions as to what the cause might be?

Regards
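A note on reading the log above, followed by an added example that is not part of the original post or any reply. The 8-hour interval at which the tunnel drops equals the ASA's default IPsec (Phase 2) SA lifetime of 28800 seconds, and the ASA records the drop as "Reason: Phase 2 Error" together with a "QM FSM error" and a "No SPI to identify Phase 2 SA" message: the Phase 1 SA is rebuilt ("PHASE 1 COMPLETED"), but quick mode never yields a new Phase 2 SA, and the peer answers with a "Payload malformed" notify. The paste appears to be in newest-first order, which is why the QM FSM error sits at the bottom. The Python scanner below parses ASA IKE lines of the shape shown in the post, groups them per peer, and labels that pattern. The sample log is the post's own lines embedded as constructed input; the verdict rule (a Phase 2 Error session with zero bytes in either direction plus a QM FSM error or a Payload malformed notify) is a heuristic chosen for this example, not an ASA-documented condition, and the scanner does not depend on line order.

```python
"""Classify Cisco ASA IKE log lines per peer to spot a failed Phase 2 rekey.

Added example; not ASA tooling. Message formats are taken from the lines
quoted in the post; the verdict rule is an assumption made for this example.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: the lines from the original post, as pasted.
SAMPLE_LOG = """\
Group = 77.61.115.51, IP = 77.61.115.51, Received non-routine Notify message: Payload malformed (16)
Group = 77.61.115.51, IP = 77.61.115.51, De-queuing KEY-ACQUIRE messages that were left pending.
IP = 77.61.115.51, Keep-alives configured on but peer does not support keep-alives (type = None)
Group = 77.61.115.51, IP = 77.61.115.51, PHASE 1 COMPLETED
AAA retrieved default group policy (DfltGrpPolicy) for user = 77.61.115.51
Group = 77.61.115.51, IP = 77.61.115.51, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
IP = 77.61.115.51, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
IP = 77.61.115.51, IKE Initiator: New Phase 1, Intf inside, IKE Peer 77.61.115.51 local Proxy Address 172.18.17.0, remote Proxy Address 192.168.0.0, Crypto map (OutsideMap)
Group = 77.61.115.51, Username = 77.61.115.51, IP = 77.61.115.51, Session disconnected. Session Type: IKE, Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Error
Group = 77.61.115.51, IP = 77.61.115.51, Removing peer from correlator table failed, no match!
Group = 77.61.115.51, IP = 77.61.115.51, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Group = 77.61.115.51, IP = 77.61.115.51, QM FSM error (P2 struct &0xd8e9a790, mess id 0x16ee7a8c)!
"""

# "Key = value, " fields the ASA prefixes to most IKE messages.
_FIELD_RE = re.compile(r"^(Group|IP|Username) = (\S+), ")
_DURATION_RE = re.compile(r"Duration: (\d+)h:(\d+)m:(\d+)s")
_BYTES_RE = re.compile(r"Bytes xmt: (\d+), Bytes rcv: (\d+)")
_PROXY_RE = re.compile(
    r"local Proxy Address (\S+), remote Proxy Address (\S+), Crypto map \((\S+)\)")


def parse_line(line):
    """Split one ASA IKE line into (prefix fields dict, remaining message)."""
    prefix, rest = {}, line.strip()
    while True:
        m = _FIELD_RE.match(rest)
        if not m:
            return prefix, rest
        prefix[m.group(1)] = m.group(2)
        rest = rest[m.end():]


def peer_of(prefix, msg):
    """Peer address: the IP field, or the 'for user = X' form of AAA lines."""
    if "IP" in prefix:
        return prefix["IP"]
    m = re.search(r"for user = (\S+)", msg)
    return m.group(1) if m else None


@dataclass
class PeerReport:
    peer: str
    phase1_completed: int = 0
    phase2_errors: list = field(default_factory=list)  # (duration_s, xmt, rcv)
    qm_fsm_errors: int = 0
    malformed_notifies: int = 0
    proxies: list = field(default_factory=list)  # (local, remote, crypto map)

    def verdict(self):
        # Heuristic (assumption): an IKE session that died with a Phase 2
        # error having moved no data, next to a QM FSM error or a Payload
        # malformed notify, is a rekey that never produced a Phase 2 SA.
        idle = [e for e in self.phase2_errors if e[1] == 0 and e[2] == 0]
        if idle and (self.qm_fsm_errors or self.malformed_notifies):
            return "phase2-rekey-failure"
        return "phase2-error" if self.phase2_errors else "ok"


def analyze(log_text):
    """Return {peer_ip: PeerReport} for every peer seen in log_text."""
    reports = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        prefix, msg = parse_line(raw)
        peer = peer_of(prefix, msg)
        if peer is None:
            continue
        r = reports.setdefault(peer, PeerReport(peer))
        if msg.startswith("PHASE 1 COMPLETED"):
            r.phase1_completed += 1
        elif "Reason: Phase 2 Error" in msg:
            d, b = _DURATION_RE.search(msg), _BYTES_RE.search(msg)
            secs = (int(d.group(1)) * 3600 + int(d.group(2)) * 60
                    + int(d.group(3))) if d else -1
            xmt, rcv = (int(b.group(1)), int(b.group(2))) if b else (-1, -1)
            r.phase2_errors.append((secs, xmt, rcv))
        elif msg.startswith("QM FSM error"):
            r.qm_fsm_errors += 1
        elif "Payload malformed" in msg:
            r.malformed_notifies += 1
        p = _PROXY_RE.search(msg)
        if p:
            r.proxies.append(p.groups())
    return reports


if __name__ == "__main__":
    for rep in analyze(SAMPLE_LOG).values():
        print(rep.peer, rep.verdict(), rep.proxies)
```

Run it on `show logging` output filtered for the peer, or on an ASDM log export; a verdict of `phase2-rekey-failure` on a peer whose Phase 1 count is non-zero points at the quick-mode proposal (transform set, lifetime, PFS) rather than at Phase 1 authentication.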

2 REPLIES

Re: Cisco ASA and Watchguard VPN SA Re-Key Errors

Hi,

There are two SA lifetimes: one for Phase 1 and one for Phase 2.

Both should match on both ends.

IKE lifetime:

crypto isakmp policy 10
 lifetime 86400

IPsec lifetime:

crypto map VPN 10 set security-association lifetime seconds 28800

Also, you should configure main mode instead of aggressive:

crypto map VPN 10 set phase1-mode main

Please rate if this helped.

Regards,

Daniel


Re: Cisco ASA and Watchguard VPN SA Re-Key Errors

Cheers, I'll try the changes and see if they help.

Regards
