
New Member

VPN Cisco 7206VXR and Watchguard

Hello,

our customer unfortunately uses a Watchguard ;-( .

Finally we could establish a site-to-site vpn connection.

To test whether the connection re-establishes again, we cleared our VPN session with "clear crypto isakmp <session id>" and after that "clear crypto sa <ip address of the peer>".

After that, the session is down on our side, but the Watchguard keeps Phase I up, even though the delete messages from our Cisco are visible in the Watchguard log files.

Watchguard helpdesk told us, that the messages are only seen as a deletion message for Phase II, therefore Watchguard keeps Phase I up and running.

Here you can see the Cisco 7206 log messages after the clear commands:

: Nov 10 13:22:06.508 MEZ: IPSEC(delete_sa): deleting SA,
2011-11-10 13:22:06 Local7.Debug   649460013:  :   (sa) sa_dest= <local peer>, sa_proto= 50,
2011-11-10 13:22:06 Local7.Debug   649460014:  :     sa_spi= 0xEB0AE65A(3943360090),
2011-11-10 13:22:06 Local7.Debug   649460015:  :     sa_trans= esp-aes 192 esp-sha-hmac , sa_conn_id= 669,
2011-11-10 13:22:06 Local7.Debug   649460016:  :   (identity) local= <peer>, remote= <peer>
2011-11-10 13:22:06 Local7.Debug   649460017:  :     local_proxy= x.x.x.x (type=4),
2011-11-10 13:22:06 Local7.Debug   649460018:  :     remote_proxy= y.y.y.y (type=4)
2011-11-10 13:22:06 Local7.Debug   649460019:  : 493859426: Nov 10 13:22:06.508 MEZ: IPSEC(update_current_outbound_sa): updated peer <remote peer> current outbound sa to SPI 0
2011-11-10 13:22:06 Local7.Debug   649460020:  : 493859427: Nov 10 13:22:06.508 MEZ: IPSEC(delete_sa): deleting SA
2011-11-10 13:22:06 Local7.Debug   649460021:  : ,
2011-11-10 13:22:06 Local7.Debug   649460022:  :   (sa) sa_dest= <remote peer>, sa_proto= 50,
2011-11-10 13:22:06 Local7.Debug   649460023:  :     sa_spi= 0x66BF924A(1723830858),
2011-11-10 13:22:06 Local7.Debug   649460024:  :     sa_trans= esp-aes 192 esp-sha-hmac , sa_conn_id= 670,
2011-11-10 13:22:06 Local7.Debug   649460025:  :   (identity) local= <peer>, remote= <peer>
2011-11-10 13:22:06 Local7.Debug   649460026:  :     local_proxy= x.x.x.x (type=4),
2011-11-10 13:22:06 Local7.Debug   649460027:  :     remote_proxy= y.y.y.y (type=4)
2011-11-10 13:22:06 Local7.Notice   649460028:  : 493859428: Nov 10 13:22:06.508 MEZ: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.  Peer <remote peer>:500       Id: <remote peer> :

In my opinion, it looks ok and we do not have problems with other VPN devices with this kind of tests.

Does anybody know what could be done so that the Watchguard deletes Phase I, too? Or so that an explicit Phase I deletion message is created and sent by our Cisco 7206?

Thank you.

3 REPLIES
Cisco Employee

VPN Cisco 7206VXR and Watchguard

Hi Martin,

if you do :

clear crypto isakmp

clear crypto ipsec

in that order, then you first delete phase 1 and afterwards phase 2. So I would expect quite the opposite result, i.e. I would expect the peer to not have a phase 1 SA anymore (because when we clear it, we send a delete) and to still have phase 2 (because we cannot send a delete for ph2 when ph1 is down).

I suggest getting the full output of "debug cry isakmp" and "debug crypto ipsec"; this should show what exactly is happening, what is sent, and in particular whether or not the 7206 is sending a delete for phase 1.

hth

Herbert

New Member

VPN Cisco 7206VXR and Watchguard

Hi Herbert,

thanks for your reply. The above log entries are the complete entries for the clear crypto command.

Do you know what the Phase I delete message should look like?

I thought it is this: Nov 10 13:22:06.508 MEZ: IPSEC(delete_sa): deleting SA

Kind regards.

Martin

Cisco Employee

VPN Cisco 7206VXR and Watchguard

Hi Martin,

it looks like you only had "debug crypto ipsec" enabled, not "debug crypto isakmp".

It's "debug crypto isakmp" that will show you what messages are being sent (and received).

The "IPSEC(delete_sa): deleting SA" you see in the ipsec debugs just means that we are deleting the SA, not that we are sending a delete notification.

hth

Herbert
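Herbert's point is that "IPSEC(delete_sa)" only records a local SA teardown; whether a delete notification went on the wire, and for which SA, is a question about the ISAKMP informational exchange. What distinguishes a Phase 1 delete from a Phase 2 delete is the Protocol-ID in the ISAKMP Delete payload (RFC 2408 section 3.15, values from RFC 2407): Protocol-ID 1 (ISAKMP) with 16-byte cookie-pair SPIs tears down the ISAKMP SA, while Protocol-ID 3 (ESP) with 4-byte SPIs only removes IPsec SAs, which is exactly what a peer that keeps Phase I up would be reporting. The following is an added Python example, not code from the thread, from Cisco, or from WatchGuard: it parses and builds Delete payloads and classifies them by phase. The two ESP SPIs are taken from the log above; the 16-byte cookie pair and the helper names are constructed for the example.

```python
"""Parse ISAKMP (IKEv1) Delete payloads and tell Phase 1 from Phase 2 deletes.

Delete payload layout per RFC 2408 section 3.15 (big-endian):
  Next Payload (1) | RESERVED (1) | Payload Length (2) | DOI (4)
  | Protocol-ID (1) | SPI Size (1) | # of SPIs (2) | SPI(s) ...
Protocol-ID values per RFC 2407: 1 = ISAKMP, 2 = AH, 3 = ESP, 4 = IPCOMP.
"""
import struct
from dataclasses import dataclass
from typing import List

DELETE_HEADER = struct.Struct("!BBHIBBH")  # 12-byte fixed header
DOI_IPSEC = 1
PROTO_NAMES = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}


@dataclass
class DeletePayload:
    next_payload: int
    doi: int
    protocol_id: int
    spis: List[bytes]

    @property
    def phase(self) -> int:
        # A delete for the ISAKMP SA itself tears down Phase 1;
        # AH/ESP/IPCOMP deletes only remove Phase 2 (IPsec) SAs.
        return 1 if self.protocol_id == 1 else 2

    def describe(self) -> str:
        name = PROTO_NAMES.get(self.protocol_id, f"proto {self.protocol_id}")
        spi_text = ", ".join("0x" + s.hex().upper() for s in self.spis)
        return f"Phase {self.phase} delete ({name}): {spi_text}"


def parse_delete_payload(data: bytes) -> DeletePayload:
    """Decode one Delete payload; reject truncated or inconsistent input."""
    if len(data) < DELETE_HEADER.size:
        raise ValueError("truncated Delete payload header")
    nxt, _reserved, length, doi, proto, spi_size, count = DELETE_HEADER.unpack_from(data)
    expected = DELETE_HEADER.size + spi_size * count
    if length != expected or len(data) < length:
        raise ValueError(f"length {length} does not match {count} SPI(s) of {spi_size} bytes")
    if proto == 1 and spi_size != 16:
        # An ISAKMP-SA delete identifies the SA by its initiator+responder cookies.
        raise ValueError("ISAKMP delete must carry 16-byte cookie pairs")
    off = DELETE_HEADER.size
    spis = [data[off + i * spi_size: off + (i + 1) * spi_size] for i in range(count)]
    return DeletePayload(nxt, doi, proto, spis)


def build_delete_payload(protocol_id: int, spis: List[bytes], next_payload: int = 0) -> bytes:
    """Encode a Delete payload for the given protocol and SPI list."""
    spi_size = len(spis[0])
    if any(len(s) != spi_size for s in spis):
        raise ValueError("all SPIs in one Delete payload must share one size")
    length = DELETE_HEADER.size + spi_size * len(spis)
    header = DELETE_HEADER.pack(next_payload, 0, length, DOI_IPSEC,
                                protocol_id, spi_size, len(spis))
    return header + b"".join(spis)


def sent_phase1_delete(payloads: List[bytes]) -> bool:
    """True if any of the captured Delete payloads tears down the ISAKMP SA."""
    return any(parse_delete_payload(p).phase == 1 for p in payloads)


# Constructed samples (hypothetical cookie pair; ESP SPIs reused from the log above).
PHASE1_SAMPLE = build_delete_payload(1, [bytes.fromhex("0011223344556677" "8899AABBCCDDEEFF")])
PHASE2_SAMPLE = build_delete_payload(3, [bytes.fromhex("EB0AE65A"), bytes.fromhex("66BF924A")])

if __name__ == "__main__":
    for sample in (PHASE1_SAMPLE, PHASE2_SAMPLE):
        print(parse_delete_payload(sample).describe())
    print("Phase 1 delete present:", sent_phase1_delete([PHASE2_SAMPLE]))
```

Run against a capture of the informational exchange (or the raw payload hex that "debug crypto isakmp" prints), a list containing only ESP deletes makes `sent_phase1_delete` return False, which would match the WatchGuard helpdesk's reading of the log; a Protocol-ID 1 delete with the cookie pair is what the peer would need in order to drop Phase I as well.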
