11-14-2011 05:41 AM - edited 02-21-2020 05:42 PM
Hello,
our customer unfortunately uses a Watchguard ;-( .
Finally we could establish a site-to-site vpn connection.
To test if the connection re-establishes again, we cleared our vpn session by "clear crypto isakmp <session id>" and after that "clear crypto sa <ip address of the peer>".
After that, the session is down on our site, but the watchguard keeps the Phase I still up, even though the deleting messages from our cisco are visible in the watchguard log files.
Watchguard helpdesk told us that the messages are only seen as a deletion message for Phase II, therefore Watchguard keeps Phase I up and running.
Here you can see the cisco 7206 log messages after the clear commands:
: Nov 10 13:22:06.508 MEZ: IPSEC(delete_sa): deleting SA,
2011-11-10 13:22:06 Local7.Debug 649460013: : (sa) sa_dest= <local peer>, sa_proto= 50,
2011-11-10 13:22:06 Local7.Debug 649460014: : sa_spi= 0xEB0AE65A(3943360090),
2011-11-10 13:22:06 Local7.Debug 649460015: : sa_trans= esp-aes 192 esp-sha-hmac , sa_conn_id= 669,
2011-11-10 13:22:06 Local7.Debug 649460016: : (identity) local= <peer>, remote= <peer>
2011-11-10 13:22:06 Local7.Debug 649460017: : local_proxy= x.x.x.x (type=4),
2011-11-10 13:22:06 Local7.Debug 649460018: : remote_proxy= y.y.y.y (type=4)
2011-11-10 13:22:06 Local7.Debug 649460019: : 493859426: Nov 10 13:22:06.508 MEZ: IPSEC(update_current_outbound_sa): updated peer <remote peer> current outbound sa to SPI 0
2011-11-10 13:22:06 Local7.Debug 649460020: : 493859427: Nov 10 13:22:06.508 MEZ: IPSEC(delete_sa): deleting SA
2011-11-10 13:22:06 Local7.Debug 649460021: : ,
2011-11-10 13:22:06 Local7.Debug 649460022: : (sa) sa_dest= <remote peer>, sa_proto= 50,
2011-11-10 13:22:06 Local7.Debug 649460023: : sa_spi= 0x66BF924A(1723830858),
2011-11-10 13:22:06 Local7.Debug 649460024: : sa_trans= esp-aes 192 esp-sha-hmac , sa_conn_id= 670,
2011-11-10 13:22:06 Local7.Debug 649460025: : (identity) local= <peer>, remote= <peer>
2011-11-10 13:22:06 Local7.Debug 649460026: : local_proxy= x.x.x.x (type=4),
2011-11-10 13:22:06 Local7.Debug 649460027: : remote_proxy= y.y.y.y (type=4)
2011-11-10 13:22:06 Local7.Notice 649460028: : 493859428: Nov 10 13:22:06.508 MEZ: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer <remote peer>:500 Id: <remote peer> :
In my opinion, it looks ok, and we do not have problems with other VPN devices with this kind of test.
Does anybody know what could be done so that the watchguard deletes Phase I, too? Or that an explicit Phase I deletion message is created and sent by our cisco 7206?
Thank you.
11-22-2011 02:38 AM
Hi Martin,
if you do:
clear crypto isakmp
clear crypto ipsec
in that order, then you first delete phase 1 and afterwards phase 2. So I would expect quite the opposite result, i.e. I would expect the peer to not have a phase 1 SA anymore (because when we clear it, we send a delete) and to still have phase 2 (because we cannot send a delete for ph2 when ph1 is down).
I suggest getting the full output of "debug crypto isakmp" and "debug crypto ipsec"; this should show what exactly is happening, what is sent, in particular whether or not the 7206 is sending a delete for phase 1.
hth
Herbert
11-22-2011 07:48 AM
Hi Herbert,
thanks for your reply. The above log entries are the complete entries for the clear crypto command.
Do you know what the Phase I delete message should look like?
I thought it is this: Nov 10 13:22:06.508 MEZ: IPSEC(delete_sa): deleting SA
Kind regards.
Martin
11-22-2011 11:51 AM
Hi Martin,
it looks like you only had "debug crypto ipsec" enabled, not "debug crypto isakmp".
It's "debug crypto isakmp" that will show you what messages are being sent (and received).
The "IPSEC(delete_sa): deleting SA" you see in the ipsec debugs just means that we are deleting the SA, not that we are sending a delete notification.
hth
Herbert
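A small log triage helper, added here as an example (it is not from the thread, Cisco or WatchGuard), that groups the 7206's IPSEC(delete_sa) debug lines quoted above into one record per deleted ESP SA and reports whether any ISAKMP debug lines are present at all, since per Herbert's reply only "debug crypto isakmp" shows what delete notification was actually sent. The embedded sample is constructed from the thread's lines with RFC 5737 addresses in place of the peer placeholders; the assumption that ISAKMP debug lines begin with "ISAKMP" is mine.

```python
import re

# Constructed sample modelled on the 7206 "debug crypto ipsec" lines quoted in the
# thread (peers replaced with RFC 5737 addresses); no ISAKMP debugs were enabled.
SAMPLE_LOG = """\
2011-11-10 13:22:06 Local7.Debug 649460012: : Nov 10 13:22:06.508 MEZ: IPSEC(delete_sa): deleting SA,
2011-11-10 13:22:06 Local7.Debug 649460013: : (sa) sa_dest= 192.0.2.1, sa_proto= 50,
2011-11-10 13:22:06 Local7.Debug 649460014: : sa_spi= 0xEB0AE65A(3943360090),
2011-11-10 13:22:06 Local7.Debug 649460015: : sa_trans= esp-aes 192 esp-sha-hmac , sa_conn_id= 669,
2011-11-10 13:22:06 Local7.Debug 649460016: : (identity) local= 192.0.2.1, remote= 198.51.100.1
2011-11-10 13:22:06 Local7.Debug 649460019: : 493859426: Nov 10 13:22:06.508 MEZ: IPSEC(update_current_outbound_sa): updated peer 198.51.100.1 current outbound sa to SPI 0
2011-11-10 13:22:06 Local7.Debug 649460020: : 493859427: Nov 10 13:22:06.508 MEZ: IPSEC(delete_sa): deleting SA
2011-11-10 13:22:06 Local7.Debug 649460021: : ,
2011-11-10 13:22:06 Local7.Debug 649460022: : (sa) sa_dest= 198.51.100.1, sa_proto= 50,
2011-11-10 13:22:06 Local7.Debug 649460023: : sa_spi= 0x66BF924A(1723830858),
2011-11-10 13:22:06 Local7.Debug 649460024: : sa_trans= esp-aes 192 esp-sha-hmac , sa_conn_id= 670,
2011-11-10 13:22:06 Local7.Notice 649460028: : 493859428: Nov 10 13:22:06.508 MEZ: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 198.51.100.1:500 Id: 198.51.100.1 :
"""

# Strip the syslog relay prefix, the IOS sequence number and the IOS timestamp,
# leaving only the message body ("IPSEC(...)", "ISAKMP...", "%CRYPTO-...", "sa_spi= ...").
PREFIX_RE = re.compile(r"^(?:\S+ \S+ \S+ \d+: : )?(?:\d+: )?(?:\w{3} +\d+ [\d:.]+ \w+: )?")
KV_RE = re.compile(r"(\w+)=\s*([^,]+?)\s*(?:,|$)")   # "sa_spi= 0x...,"  "sa_conn_id= 669,"

def parse_ipsec_debug(text):
    """Group IPSEC(delete_sa) lines into one dict per deleted SA; count ISAKMP lines."""
    records, current, isakmp_lines, tunnel_down = [], None, 0, False
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw, count=1).strip()
        if line.startswith("ISAKMP"):            # assumption: isakmp debugs begin "ISAKMP"
            isakmp_lines += 1
            current = None
        elif line.startswith("IPSEC(delete_sa)"):
            current = {}                         # continuation lines carry the SA fields
            records.append(current)
        elif line.startswith("IPSEC(") or line.startswith("%CRYPTO"):
            current = None                       # any other event ends the record
            tunnel_down = tunnel_down or "Crypto tunnel is DOWN" in line
        elif current is not None:
            current.update(KV_RE.findall(line))
    return {"deleted_sas": records, "isakmp_lines": isakmp_lines, "tunnel_down": tunnel_down}

def assess(report):
    """Herbert's point: IPSEC(delete_sa) is the local SA removal, not a sent notification."""
    spis = [r.get("sa_spi", "?") for r in report["deleted_sas"]]
    if report["isakmp_lines"] == 0:
        return ("phase2_only: %d ESP SA(s) removed locally (%s); no ISAKMP debug lines, so the"
                " log cannot show whether a phase 1 delete was sent" % (len(spis), ", ".join(spis)))
    return "isakmp_present: inspect the ISAKMP lines for the delete notification"
```

Feeding it the full 7206 log after enabling both debugs makes the ISAKMP count non-zero, and those ISAKMP lines are where a sent phase 1 delete would appear.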