VPN Cisco 7206VXR and Watchguard

m.feuerer · ‎11-14-2011

Hello,

our customer unfortunately uses a Watchguard ;-( .

Finally we could establish a site-to-site vpn connection.

To test if the connection re-establish again, we cleared our vpn session by "clear crypto isakmp <session id>" and after that "clear crypto sa <ip address of the peer>"

After that, the session is down on our site, but the watchguard keeps the Phase I still up, either the deleting messages from our cisco are visible in the watchguard log files.

Watchguard helpdesk told us, that the messages are only seen as a deletion message for Phase II, therefore Watchguard keeps Phase I up and running.

Here you could see the cisco 7206 log messages aftre the clear commands:

: Nov 10 13:22:06.508 MEZ: IPSEC(delete_sa): deleting SA,

2011-11-10 13:22:06 Local7.Debug 649460013: : (sa) sa_dest= <local peer>, sa_proto= 50,

2011-11-10 13:22:06 Local7.Debug 649460014: : sa_spi= 0xEB0AE65A(3943360090),

2011-11-10 13:22:06 Local7.Debug 649460015: : sa_trans= esp-aes 192 esp-sha-hmac , sa_conn_id= 669,

2011-11-10 13:22:06 Local7.Debug 649460016: : (identity) local= <peer>, remote= <peer>

2011-11-10 13:22:06 Local7.Debug 649460017: : local_proxy= x.x.x.x (type=4),

2011-11-10 13:22:06 Local7.Debug 649460018: : remote_proxy= y.y.y.y (type=4)

2011-11-10 13:22:06 Local7.Debug 649460019: : 493859426: Nov 10 13:22:06.508 MEZ: IPSEC(update_current_outbound_sa): updated peer <remote peer> current outbound sa to SPI 0

2011-11-10 13:22:06 Local7.Debug 649460020: : 493859427: Nov 10 13:22:06.508 MEZ: IPSEC(delete_sa): deleting SA

2011-11-10 13:22:06 Local7.Debug 649460021: : ,

2011-11-10 13:22:06 Local7.Debug 649460022: : (sa) sa_dest= <remote peer>, sa_proto= 50,

2011-11-10 13:22:06 Local7.Debug 649460023: : sa_spi= 0x66BF924A(1723830858),

2011-11-10 13:22:06 Local7.Debug 649460024: : sa_trans= esp-aes 192 esp-sha-hmac , sa_conn_id= 670,

2011-11-10 13:22:06 Local7.Debug 649460025: : (identity) local= <peer>, remote= <peer>

2011-11-10 13:22:06 Local7.Debug 649460026: : local_proxy= x.x.x.x (type=4),

2011-11-10 13:22:06 Local7.Debug 649460027: : remote_proxy= y.y.y.y (type=4)

2011-11-10 13:22:06 Local7.Notice 649460028: : 493859428: Nov 10 13:22:06.508 MEZ: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer <remote peer>:500 Id: <remote peer> :

In my opinion, it looks ok and we do not have problems with other VPN devices with this kind of tests.

Does anybody know, what could be done that the watchguard deletes Phase I, too? Or that an explicit Phase I deletion message is created and sent by our cisco 7206?

Thank you.

Herbert Baerten · ‎11-22-2011

Hi Martin,

if you do :

clear crypto isakmp

clear crypto ipsec

in that order, then you first delete phase 1 and afterwards phase 2. So I would expect quite the opposite result, i.e. I would expect the peer to not have a phase 1 SA anymore (because when we clear it, we send a delete) and to still have phase 2 (because we cannot send a delete for ph2 when ph1 is down).

I suggest getting the full output of "debug cry isakmp" and "debug crypto ipsec"), this should show what exactly is happening, what is sent, in particular whether or not the 7206 is sending a delete for phase 1.

hth

Herbert

m.feuerer · ‎11-22-2011

Hi Herbert,

thanks for your reply. The above log entries are the complete entries for the clear crypto command.

Do you know how the Phase I deleting message should look like?

I thought this it is : Nov 10 13:22:06.508 MEZ: IPSEC(delete_sa): deleting SA

Kind regards.

Martin

Herbert Baerten · ‎11-22-2011

Hi Martin,

it looks like you only had "debug crypto ipsec" enabled, not "debug crypto isakmp".

It's "debug crypto isakmp" that will show you what message are being sent (and received).

The "IPSEC(delete_sa): deleting SA" you see in the ipsec debugs just mean that we are deleting the SA, not that we are sending a delete notification.

hth

Herbert