Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
640
Views
0
Helpful
3
Replies

Cisco VPN Client fails on Phase 2 rekey with VPN3K 3015

mshivdas
Level 1
Level 1

‎01-14-2004 11:30 AM - edited ‎02-21-2020 01:00 PM

I've got a weird problem that TAC hasn't been able solve.

Cisco VPN Client 4.0.2.A and 4.0.3.C both fail on phase 2 rekey against a VPN3K 3015 running 4.0.1.C. The initial connection works fine -- everything negotiates as it should.

This only seems to happen across cable modem connections -- not reproducible over a dialup connection and the TAC engineer says that he can't repro it.

Any ideas?

Server log:

43357 11/17/2003 07:59:32.560 SEV=5 IKEDBG/64 RPT=1683 <external ip address>

IKE Peer included IKE fragmentation capability flags:

Main Mode: True

Aggressive Mode: False

43359 11/17/2003 07:59:40.060 SEV=4 IKE/52 RPT=1394 <external ip address>

Group [Test-Group] User [username]

User (username) authenticated.

43360 11/17/2003 07:59:40.090 SEV=5 IKE/184 RPT=1392 <external ip address>

Group [Test-Group] User [username]

Client OS: WinNT

Client Application Version: 4.0.2 (A)

43362 11/17/2003 07:59:40.150 SEV=4 AUTH/22 RPT=1767

User [username], Group [Test-Group] connected

43363 11/17/2003 07:59:40.150 SEV=4 IKE/119 RPT=1775 <external ip address>

Group [Test-Group] User [username]

PHASE 1 COMPLETED

43364 11/17/2003 07:59:40.160 SEV=5 IKE/25 RPT=1487 <external ip address>

Group [Test-Group] User [username]

Received remote Proxy Host data in ID Payload:

Address <client assigned IP address>, Protocol 0, Port 0

43367 11/17/2003 07:59:40.160 SEV=5 IKE/34 RPT=13150 <external ip address>

Group [Test-Group] User [username]

Received local IP Proxy Subnet data in ID Payload:

Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

43370 11/17/2003 07:59:40.160 SEV=5 IKE/66 RPT=14809 <external ip address>

Group [Test-Group] User [username]

IKE Remote Peer configured for SA: CVC-Test-AES256-SHA-DH2-90lifetime

43372 11/17/2003 07:59:40.300 SEV=5 IKE/75 RPT=1483 <external ip address>

Group [Test-Group] User [username]

Overriding Initiator's IPSec rekeying duration from 2147483 to 90 seconds

43374 11/17/2003 07:59:40.340 SEV=4 IKE/49 RPT=15729 <external ip address>

Group [Test-Group] User [username]

Security negotiation complete for User (username)

Responder, Inbound SPI = 0x475b80df, Outbound SPI = 0xfec43b25

43377 11/17/2003 07:59:40.340 SEV=4 IKE/120 RPT=3140 <external ip address>

Group [Test-Group] User [username]

PHASE 2 COMPLETED (msgid=67642acd)

- Connected at this point

43378 11/17/2003 08:01:05.840 SEV=4 IKE/41 RPT=2079

IKE Initiator: Rekeying Phase 2, Intf 2, IKE Peer <external ip address>

local Proxy Address 0.0.0.0, remote Proxy Address <client assigned IP address>,

SA (CVC-Test-AES256-SHA-DH2-90lifetime)

- Goes into rekeying

43381 11/17/2003 08:01:37.910 SEV=4 IKEDBG/0 RPT=24

QM FSM error (P2 struct &0x755c5ac, mess id 0x83639001)!

- Rekey fails

43382 11/17/2003 08:01:37.910 SEV=5 IKE/194 RPT=1412 <external ip address>

Group [Test-Group] User [username]

Sending IKE Delete With Reason message: No Reason Provided.

43384 11/17/2003 08:01:37.910 SEV=4 AUTH/28 RPT=1385 <external ip address>

User [username], Group [Test-Group] disconnected:

Duration: 0:01:57

Bytes xmt: 131472

Bytes rcv: 76304

Reason: Unknown

Excerpt from client log:

68 07:59:57.900 11/17/03 Sev=Info/4 CM/0x63100038

Address watch added for <client assigned ip address>. Current address(es): <client assigned ip address>, <client real ip address>, 192.168.0.1, 192.168.237.1.

69 07:59:58.371 11/17/03 Sev=Info/4 IPSEC/0x63700010

Created a new key structure

70 07:59:58.561 11/17/03 Sev=Info/4 IPSEC/0x6370000F

Added key with SPI=0xdf805b47 into key list

71 07:59:58.561 11/17/03 Sev=Info/4 IPSEC/0x63700010

Created a new key structure

72 07:59:58.561 11/17/03 Sev=Info/4 IPSEC/0x6370000F

Added key with SPI=0x253bc4fe into key list

73 07:59:58.561 11/17/03 Sev=Info/4 IPSEC/0x6370002E

Assigned VA private interface addr <client assigned ip address>

74 08:00:00.364 11/17/03 Sev=Info/4 IPSEC/0x63700019

Activate outbound key with SPI=0xdf805b47 for inbound key with SPI=0x253bc4fe

84 08:00:53.454 11/17/03 Sev=Info/4 IPSEC/0x6370000E

Key with outbound SPI=0xdf805b47 is about to expire, requesting a new one

86 08:01:11.511 11/17/03 Sev=Info/4 IPSEC/0x63700011

Key Expired SPI=0x253bc4fe

87 08:01:11.511 11/17/03 Sev=Info/4 IPSEC/0x63700013

Delete internal key with SPI=0x253bc4fe

88 08:01:11.511 11/17/03 Sev=Info/4 IPSEC/0x63700011

Key Expired SPI=0xdf805b47

89 08:01:11.511 11/17/03 Sev=Info/4 IPSEC/0x63700013

Delete internal key with SPI=0xdf805b47

90 08:01:11.511 11/17/03 Sev=Info/4 IPSEC/0x63700010

Created a new key structure

91 08:01:31.552 11/17/03 Sev=Info/4 IPSEC/0x63700011

Key Expired SPI=0x00000000

92 08:01:31.552 11/17/03 Sev=Info/4 IPSEC/0x63700013

Delete internal key with SPI=0x00000000

93 08:01:31.552 11/17/03 Sev=Info/4 IPSEC/0x63700010

Created a new key structure

95 08:01:52.595 11/17/03 Sev=Info/4 IPSEC/0x63700011

Key Expired SPI=0x00000000

96 08:01:52.595 11/17/03 Sev=Info/4 IPSEC/0x63700013

Delete internal key with SPI=0x00000000

97 08:01:52.595 11/17/03 Sev=Info/4 IPSEC/0x63700010

Created a new key structure

99 08:02:10.632 11/17/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to <VPN3K external address>

100 08:02:10.632 11/17/03 Sev=Info/5 IKE/0x63000018

Deleting IPsec SA: (OUTBOUND SPI = 475B80DF INBOUND SPI = FEC43B25)

101 08:02:10.632 11/17/03 Sev=Info/4 IKE/0x63000048

Discarding IPsec SA negotiation, MsgID=67642ACD

102 08:02:12.636 11/17/03 Sev=Info/4 IPSEC/0x63700011

Key Expired SPI=0x00000000

103 08:02:12.636 11/17/03 Sev=Info/4 IPSEC/0x63700013

Delete internal key with SPI=0x00000000

104 08:02:12.636 11/17/03 Sev=Info/4 IPSEC/0x63700010

Created a new key structure

105 08:02:34.180 11/17/03 Sev=Info/4 IPSEC/0x63700011

Key Expired SPI=0x00000000

106 08:02:34.180 11/17/03 Sev=Info/4 IPSEC/0x63700013

Delete internal key with SPI=0x00000000

107 08:02:34.180 11/17/03 Sev=Info/4 IPSEC/0x63700010

Created a new key structure

108 08:02:55.222 11/17/03 Sev=Info/4 IPSEC/0x63700011

Key Expired SPI=0x00000000

109 08:02:55.222 11/17/03 Sev=Info/4 IPSEC/0x63700013

Delete internal key with SPI=0x00000000

110 08:02:55.222 11/17/03 Sev=Info/4 IPSEC/0x63700010

Created a new key structure

111 08:03:19.271 11/17/03 Sev=Info/4 IPSEC/0x63700011

Key Expired SPI=0x00000000

112 08:03:19.271 11/17/03 Sev=Info/4 IPSEC/0x63700013

Delete internal key with SPI=0x00000000

113 08:03:19.271 11/17/03 Sev=Info/4 IPSEC/0x63700010

Created a new key structure

114 08:03:42.318 11/17/03 Sev=Info/4 IPSEC/0x63700011

Key Expired SPI=0x00000000

115 08:03:42.318 11/17/03 Sev=Info/4 IPSEC/0x63700013

Delete internal key with SPI=0x00000000

116 08:03:42.318 11/17/03 Sev=Info/4 IPSEC/0x63700010

Created a new key structure

118 08:03:52.339 11/17/03 Sev=Info/4 CM/0x6310000A

Secure connections terminated

119 08:03:52.339 11/17/03 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

120 08:03:52.339 11/17/03 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=894EC82823B4BA7F R_Cookie=E5E768A8AF516A7E) reason = DEL_REASON_RESET_SADB

Labels:
0 Helpful
3 Replies 3

drolemc
Level 6
Level 6

‎01-20-2004 06:26 AM

Please see bug CSCeb40034, Client terminates connection prematurely during rekey. The workaround is to upgrade to a version in which the behaviour has been fixed.

0 Helpful

mshivdas
Level 1
Level 1
In response to drolemc

‎01-20-2004 06:50 AM

Been there, done that. I know that the logs I posted show version 4.0.2(A) of the client, but I'm currently using 4.0.3(C) and I see the same behaviour.

0 Helpful

deloitteuser
Level 1
Level 1
In response to mshivdas

‎03-01-2004 11:45 AM

I have one user experiencing the same issue. Here's the log from his client while using a cable modem on Roger's:

184 18:52:44.514 02/29/04 Sev=Info/5 IKE/0x6300003F

Received DPD ACK from

, seq# received = 1104628957, seq# expected = 1104628957

185 18:52:45.296 02/29/04 Sev=Info/4 CM/0x6310000A

Secure connections terminated

186 18:52:45.326 02/29/04 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

187 18:52:45.656 02/29/04 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to

188 18:52:45.666 02/29/04 Sev=Info/5 IKE/0x63000018

Deleting IPsec SA: (OUTBOUND SPI = F91D6E9 INBOUND SPI = 86805DB4)

189 18:52:45.666 02/29/04 Sev=Info/4 IKE/0x63000048

Discarding IPsec SA negotiation, MsgID=D52E0CB5

190 18:52:45.666 02/29/04 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=02F379678C14D2B4 R_Cookie=7831820145D6F76D) reason = DEL_REASON_RESET_SADB

191 18:52:45.666 02/29/04 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to

192 18:52:45.666 02/29/04 Sev=Info/4 IKE/0x6300004A

Discarding IKE SA negotiation (I_Cookie=02F379678C14D2B4 R_Cookie=7831820145D6F76D) reason = DEL_REASON_RESET_SADB

193 18:52:45.696 02/29/04 Sev=Info/4 CM/0x63100013

Phase 1 SA deleted cause by DEL_REASON_RESET_SADB. 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

Not sure what causes this error. Client ver is 4.0.3 (Rel). Happens often.

Thanks,

Terinia

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents