QM FSM errors on remote access dialup VPN users

d-garnett
Level 3

I have a remote access VPN user that is getting kicked off the VPN. The user has the Cisco VPN Client Software (Unity Client) installed. On the Concentrator the following errors are produced during IKE phase 2 SA negotiation, yet the connection is still allowed: QM FSM error & Received encrypted Oakley Quick Mode packet with invalid payloads. Here is phase 2.

172.16.1.123 Global (pseudo) IP address of remote dialup user

10.1.1.0 IP (pseudo) of internal subnet at main office

10.1.1.123 IP that Concentrator gives client (internal pool)

754 01/07/2003 11:44:09.140 SEV=5 IKE/25 RPT=255 172.16.1.123 (I-Net IP)
Group [Group1] User [user1]
Received remote Proxy Host data in ID Payload:
Address 10.1.1.123, Protocol 0, Port 0

757 01/07/2003 11:44:09.140 SEV=5 IKE/34 RPT=137 172.16.1.123
Group [Group1] User [user1]
Received local IP Proxy Subnet data in ID Payload:
Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0

760 01/07/2003 11:44:09.140 SEV=5 IKE/66 RPT=255 172.16.1.123
Group [Group1] User [user1]
IKE Remote Peer configured for SA: ESP/IKE-3DES-MD5

762 01/07/2003 11:44:09.140 SEV=5 IKE/75 RPT=255 172.16.1.123
Group [Group1] User [user1]
Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds

764 01/07/2003 11:44:09.880 SEV=4 IKEDBG/0 RPT=5
QM FSM error (P2 struct &0x1c333e4, mess id 0x3bc007d4)!

765 01/07/2003 11:44:09.890 SEV=4 IKEDBG/0 RPT=6
QM FSM history (P2 struct &0x1c333e4):
[13, 52], [8, 5], [8, 65535], [4, 4]

766 01/07/2003 11:44:09.890 SEV=4 IKE/100 RPT=2 172.16.1.123
Group [Group1] User [user1]
Received encrypted Oakley Quick Mode packet with invalid payloads,
MsgId (0x3bc007d4)

771 01/07/2003 11:44:12.870 SEV=5 IKE/25 RPT=256 172.16.1.123
Address 135.102.1.176, Protocol 0, Port 0
Group [Group1] User [user1]
Received local IP Proxy Subnet data in ID Payload:

775 01/07/2003 11:44:12.870 SEV=5 IKE/66 RPT=256 172.16.1.123
Group [Group1] User [user1]
IKE Remote Peer configured for SA: ESP/IKE-3DES-MD5

777 01/07/2003 11:44:12.870 SEV=5 IKE/75 RPT=256 172.16.1.123
Group [Group1] User [user1]
Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds

779 01/07/2003 11:44:15.700 SEV=4 IKE/49 RPT=335 172.16.1.123
Group [Group1] User [user1]
Security negotiation complete for User (user1)
Responder, Inbound SPI = 0x245c3c2a, Outbound SPI = 0xe85ed5b0

782 01/07/2003 11:44:15.700 SEV=4 IKE/120 RPT=335 172.16.1.123
Group [Group1] User [user1]
PHASE 2 COMPLETED (msgid=693c1037)

Another user on the same Internet DHCP subnet (same ISP) had a packet authentication failure earlier also (dumped the hash in the event log). I am wondering if this is due to a crappy ISP connection.

2 Replies

jfrahim
Level 5

There are a couple of reasons why you could see these messages:

1) mismatched keys or certs used

2) A truncated pkt

3) A non-conformant implementation

4) A denial of service attack

If this is a persistent encryption problem with a known remote peer, then the preshared key or Digital Certificate being used should be checked. If the keys appear to be OK or not applicable, this may indicate a non-conformant IPSec implementation at the remote side. If the peer is not known, this may indicate an attack and an appropriate filter should be installed (IKE data sourced from the offending IP address). If the event is seen on an occasional basis, it may indicate a damaged packet. In this case, the Concentrator should ignore the packet and recover the tunnel.

Hope that helps

Jazib
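The triage in the reply above, applied to event-log lines in the layout quoted in the original post, as an added example that is not code from this thread or from Cisco. The sample log lines, the known-peer set and the persistence threshold are constructed assumptions; the parser keys on the header layout (event number, date, time, SEV, class/id, RPT, optional peer address) and on the IKE/100 "invalid payloads" text shown in the post.

```python
import re
from collections import Counter
# Constructed sample in the VPN 3000 Concentrator event-log layout quoted in the post.
SAMPLE_LOG = """\
764 01/07/2003 11:44:09.880 SEV=4 IKEDBG/0 RPT=5
QM FSM error (P2 struct &0x1c333e4, mess id 0x3bc007d4)!
766 01/07/2003 11:44:09.890 SEV=4 IKE/100 RPT=2 172.16.1.123
Group [Group1] User [user1]
Received encrypted Oakley Quick Mode packet with invalid payloads,
MsgId (0x3bc007d4)
801 01/07/2003 11:52:01.100 SEV=4 IKE/100 RPT=3 198.51.100.7
Received encrypted Oakley Quick Mode packet with invalid payloads,
MsgId (0x0a0b0c0d)
"""
# Header line: event number, date, time, SEV, class/id, RPT, optional peer address.
HEADER = re.compile(r"^(\d+) (\S+) (\S+) SEV=(\d+) (\S+) RPT=(\d+)(?: (\S+))?$")
def parse_events(text):
    """Group lines into events: a header line plus the continuation lines after it."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            events.append({"id": m.group(5), "peer": m.group(7), "body": []})
        elif events:
            events[-1]["body"].append(line)
    return events

def invalid_payload_events(events):
    """Return (peer, MsgId) for each IKE/100 'invalid payloads' event."""
    out = []
    for ev in events:
        body = " ".join(ev["body"])
        if ev["id"] == "IKE/100" and "invalid payloads" in body:
            mid = re.search(r"MsgId \((0x[0-9a-f]+)\)", body)
            out.append((ev["peer"], mid.group(1) if mid else None))
    return out

def triage(events, known_peers, persistent=3):
    """Apply the reply's triage to every peer that produced invalid-payload events."""
    counts = Counter(peer for peer, _ in invalid_payload_events(events))
    verdicts = {}
    for peer, n in counts.items():
        if peer not in known_peers:
            verdicts[peer] = "unknown peer: possible attack, filter IKE from this address"
        elif n >= persistent:
            verdicts[peer] = "persistent: check pre-shared key/certificate or implementation"
        else:
            verdicts[peer] = "occasional: damaged packet, Concentrator should recover tunnel"
    return verdicts
```

The MsgId extracted from the IKE/100 event is the same value the IKEDBG/0 "QM FSM error" line reports as its mess id, which is how the two events in the post can be tied to one Quick Mode exchange.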

the pre-shared keys match

non-conformant ipsec implementation at remote side: the linkup is Cisco VPN Client to 3005 Concentrator

remote peer is known

there have been more than a few damaged packets from dialup users (all on the same ISP) today alone. Workload is very heavy and the application is a poorly written database program running on Windows Terminal Services (server is running very badly - high CPU and memory use due to allocation in the program code).

One thing of notice, under Monitoring | System Status: the Outside interface of the Concentrator has received

Rx Broadcast - 80823

Tx Broadcast - 72

Both received and transmitted unicast are in the 90000 range.
