Cisco Support Community

PIX to Watchguard Firewall 30 sec tunnel drops

Hello

I've configured a site to site VPN between a PIX and a Watchguard Firewall III.

The tunnel establishes but drops and forms a new one every 30 secs.

The Watchguard is set to:

PI
SHA1-HMAC
3DES-CBC
DH Group 2
0KB
24 Hours

PII
ESP
SHA1-HMAC
3DES-CBC
0KB
8 Hours

But on the PIX I can't set the KB level to 0.

I'm not sure if this is the cause, but the debug below would indicate a timing issue somewhere.

I've tried different timings and settings on the Watchguard but to no avail, as well as different transform sets. Any ideas appreciated.

  (key eng. msg.) dest= XXXX_Peer, src= YYY_Peer,
  dest_proxy= 10.1.1.1/255.255.255.255/0/0 (type=1),
  src_proxy= 20.1.1.1/255.255.255.255/0/0 (type=1),
  protocol= ESP, transform= esp-3des esp-sha-hmac ,
  lifedur= 0s and 0kb,
  spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x22c7a303(583508739) for SA
  from YYY_Peer to XXXX_Peer for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= XXXX_Peer, src= YYY_Peer,
  dest_proxy= 10.1.1.1/0.0.0.0/0/0 (type=1),
  src_proxy= 20.1.1.1/0.0.0.0/0/0 (type=1),
  protocol= ESP, transform= esp-3des esp-sha-hmac ,
  lifedur= 28800s and 0kb,
  spi= 0x22c7a303(583508739), conn_id= 6, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
  (key eng. msg.) src= XXXX_Peer, dest= YYY_Peer,
  src_proxy= 10.1.1.1/0.0.0.0/0/0 (type=1),
  dest_proxy= 20.1.1.1/0.0.0.0/0/0 (type=1),
  protocol= ESP, transform= esp-3des esp-sha-hmac ,
  lifedur= 28800s and 0kb,
  spi= 0x4f371029(1329008681), conn_id= 5, keysize= 0, flags= 0x4
IPSEC(add_sa): peer asks for new SAs -- expire current in 30 sec.,
  (sa) sa_dest= XXXX, sa_prot= 50,
  sa_spi= 0x2646084e(642123854),
  sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 40,
  (identity) local= XXXX_Peer, remote= YYY_Peer,
  local_proxy= 10.1.1.1/255.255.255.255/0/0 (type=1),
  remote_proxy= 20.1.1.1/255.255.255.255/0/0 (type=1)
IPSEC(add_sa): peer asks for new SAs -- expire current in 30 sec.,
  (sa) sa_dest= YYY_Peer, sa_prot= 50,
  sa_spi= 0x4e37b670(1312274032),
  sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 39,
  (identity) local= XXXX_Peer, remote= YYY_Peer,
  local_proxy= 10.1.1.1/255.255.255.255/0/0 (type=1),
  remote_proxy= 20.1.1.1/255.255.255.255/0/0 (type=1)
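
An added example, not part of the original post: a small Python parser for the debug format shown above. It groups lines per IPSEC(...) message and lists the lifetimes seen, the SPIs installed and the SPIs the peer asked to replace, so repeated rekeys stand out in a longer capture. The function names are hypothetical and the sample is an excerpt of the post's own output.

```python
import re

# Excerpt of the debug output in the post (peer names as redacted there).
SAMPLE = """\
(key eng. msg.) dest= XXXX_Peer, src= YYY_Peer,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
lifedur= 28800s and 0kb,
spi= 0x22c7a303(583508739), conn_id= 6, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
lifedur= 28800s and 0kb,
spi= 0x4f371029(1329008681), conn_id= 5, keysize= 0, flags= 0x4
IPSEC(add_sa): peer asks for new SAs -- expire current in 30 sec.,
sa_spi= 0x2646084e(642123854),
IPSEC(add_sa): peer asks for new SAs -- expire current in 30 sec.,
sa_spi= 0x4e37b670(1312274032),
"""

HEADER = re.compile(r"^IPSEC\((\w+)\):")
LIFEDUR = re.compile(r"lifedur= (\d+)s and (\d+)kb")
SPI = re.compile(r"(?:sa_)?spi= (0x[0-9a-f]+)")

def parse(text):
    """Group debug lines into records, one per IPSEC(...) header line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue  # tolerate double-spaced pastes
        m = HEADER.match(line)
        if m or not records:
            # A capture may start mid-message, as the post's does: keep it as "unknown".
            records.append({"event": m.group(1) if m else "unknown",
                            "peer_rekey": "peer asks for new SAs" in line})
        rec = records[-1]
        if (m := LIFEDUR.search(line)):
            rec["life_s"], rec["life_kb"] = int(m.group(1)), int(m.group(2))
        if (m := SPI.search(line)):
            rec["spi"] = m.group(1)
    return records

def summarize(records):
    """Return lifetimes seen, SPIs installed, and SPIs the peer asked to replace."""
    return {
        "lifetimes": sorted({(r["life_s"], r["life_kb"]) for r in records if "life_s" in r}),
        "installed_spis": [r["spi"] for r in records
                           if r["event"] == "initialize_sas" and "spi" in r],
        "peer_rekeys": [r.get("spi") for r in records if r["peer_rekey"]],
    }

if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE)).items():
        print(f"{key}: {value}")
```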
