RV 120W drops IPSEC

nicholasloecke
Level 1

Hello we have several RV120 firewalls in the field.

This unit happens to drop the IPSEC site-to-site VPN about every day.

The button to Drop the connection does nothing.  We have to disable the VPN policy, save, then re-enable and save again.  Then the VPN connects right up.

The firewall on the other end is a PIX 515.

I can provide logs if necessary.

Thank you

5 Replies

jeffrrod
Level 4

Dear Nicholas,

Thank you for reaching Small Business Support Community.

I would first suggest you make sure you are running the latest firmware release version on your RV120 routers, v1.0.4.10:

http://software.cisco.com/download/release.html?mdfid=282981372&softwareid=282487380&release=1.0.4.10&relind=AVAILABLE&rellifecycle=&reltype=latest

I then suggest you check a couple of the IPSEC > Advanced VPN settings on the RV120:

- IKE Policies: Exchange Mode; use "Main" and not "Aggressive"

- VPN Policy: if Auto policy, disable PFS Key Group (Perfect Forward Secrecy)

If either the Local or Remote identifier type is not an IP address, then negotiation is only possible in Aggressive Mode.

Specify a lower authentication algorithm, for example if you are using SHA2-512 try SHA-1 or SHA2-256, same with the Diffie-Hellman (DH) Group algorithm. (Ensure it is configured identically on both sides of the IKE policy)

Please check this out and let me know if there is any further assistance I may help you with.

Kind regards,

Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer

*Please rate the Post so others will know when an answer has been found.

Hello Jeffrey -

Thank you for the response.

Before deploying this router, I did confirm the firmware was current.

Per your instructions, I cleared the check for "PFS Key Group" a couple days ago.  This change seemed to help for that afternoon, but again the next day, the VPN did not stay connected.

This morning, in both the IKE and VPN policies, I changed the encryption and authentication from 3DES / MD5 to DES / SHA1.  On the PIX Firewall at the other end, the Transform-set was changed accordingly for this connection.  I had to manually connect the VPN because there are no users to generate traffic, but it connected right away.

We will monitor the connection through the day today and inform you of the results.

Thanks again

Nick

Hello again -

After my changes this morning, the VPN just dropped.  It was almost exactly 8 hours since the connection was started, which I think is interesting.

Here is a snippet of the log from the RV120:

2013-07-25 07:48:26: [rv120w][IKE] INFO:  IPsec-SA established: ESP/Tunnel 199.188.65.227->64.199.243.254 with spi=712377358(0x2a76040e)

2013-07-25 15:47:37: [rv120w][IKE] ERROR:  Unknown notify message from 64.199.243.254[500].No phase2 handle found.

You can see the connection established this morning, no log activity for 8 hours, then the error when the VPN goes down.  I had to again manually drop the connection.  It then connected the VPN again right away.

Please let me know if you would like to see any of the PIX configuration.

Thanks

Nick
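The two log lines above carry enough to check Nick's "almost exactly 8 hours" observation mechanically. The script below is an added example, not code from the thread or from Cisco: it parses RV120W-style `[IKE]` log lines, pairs each `IPsec-SA established` entry with the later `No phase2 handle found` error from the same peer, and flags drops whose duration lands within a tolerance of a configured SA lifetime. The 28800-second (8-hour) lifetime and the 300-second tolerance are assumptions to compare against, not values read from either device; the constructed second tunnel and the orphan error line use documentation IP ranges and are not from the original post.

```python
import re
from datetime import datetime

# Assumed lifetime to compare drop intervals against: 28800 s = 8 hours.
# Adjust to whatever the IKE/IPsec policy on the device actually uses.
DEFAULT_LIFETIME_S = 28800

# Timestamp prefix as the RV120W writes it: "YYYY-MM-DD HH:MM:SS: "
_TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): "

# "IPsec-SA established: ESP/Tunnel <local>-><peer> with spi=<dec>(<hex>)"
SA_ESTABLISHED = re.compile(
    _TS + r"\[(?P<dev>[^\]]+)\]\[IKE\] INFO:\s+IPsec-SA established: "
    r"ESP/Tunnel (?P<local>[\d.]+)->(?P<peer>[\d.]+) with spi=(?P<spi>\d+)"
)

# "Unknown notify message from <peer>[<port>].No phase2 handle found."
PHASE2_LOST = re.compile(
    _TS + r"\[(?P<dev>[^\]]+)\]\[IKE\] ERROR:\s+Unknown notify message from "
    r"(?P<peer>[\d.]+)\[\d+\]\.No phase2 handle found\."
)

# Constructed sample log. The first and fourth lines are the two entries
# posted in the thread; the 192.0.2.x / 198.51.100.x / 203.0.113.x lines are
# made up to exercise a short-lived tunnel and an error with no matching SA.
SAMPLE_LOG = """\
2013-07-25 07:48:26: [rv120w][IKE] INFO:  IPsec-SA established: ESP/Tunnel 199.188.65.227->64.199.243.254 with spi=712377358(0x2a76040e)
2013-07-25 08:00:00: [rv120w][IKE] INFO:  IPsec-SA established: ESP/Tunnel 192.0.2.1->198.51.100.7 with spi=123456789(0x75bcd15)
2013-07-25 09:30:00: [rv120w][IKE] ERROR:  Unknown notify message from 198.51.100.7[500].No phase2 handle found.
2013-07-25 15:47:37: [rv120w][IKE] ERROR:  Unknown notify message from 64.199.243.254[500].No phase2 handle found.
2013-07-25 16:00:00: [rv120w][IKE] ERROR:  Unknown notify message from 203.0.113.9[500].No phase2 handle found.
"""


def parse_ts(text):
    """Parse the device's local timestamp into a naive datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def analyze(log_text, lifetime_s=DEFAULT_LIFETIME_S, tolerance_s=300):
    """Pair SA establishment with the later phase-2 loss per peer.

    Returns (events, orphans): events is a list of dicts, one per drop that
    had a preceding established SA; orphans lists (timestamp, peer) for
    phase-2 errors seen without any open SA for that peer.
    """
    open_sas = {}   # peer -> (established datetime, spi)
    events = []
    orphans = []
    for line in log_text.splitlines():
        m = SA_ESTABLISHED.match(line)
        if m:
            open_sas[m["peer"]] = (parse_ts(m["ts"]), int(m["spi"]))
            continue
        m = PHASE2_LOST.match(line)
        if not m:
            continue  # other log lines are ignored
        peer = m["peer"]
        dropped = parse_ts(m["ts"])
        if peer not in open_sas:
            orphans.append((dropped, peer))
            continue
        established, spi = open_sas.pop(peer)
        duration_s = int((dropped - established).total_seconds())
        events.append({
            "peer": peer,
            "spi": spi,
            "established": established,
            "dropped": dropped,
            "duration_s": duration_s,
            # True when the tunnel died about one lifetime after it came up,
            # which points at rekey/lifetime handling rather than a random drop.
            "near_lifetime": abs(lifetime_s - duration_s) <= tolerance_s,
        })
    return events, orphans


def report(log_text, lifetime_s=DEFAULT_LIFETIME_S):
    """Render one line per event, for reading the result by eye."""
    events, orphans = analyze(log_text, lifetime_s)
    lines = []
    for ev in events:
        tag = "NEAR-LIFETIME" if ev["near_lifetime"] else "other"
        lines.append(f"{ev['peer']}: up {ev['duration_s']} s "
                     f"(spi {ev['spi']}) -> {tag}")
    for ts, peer in orphans:
        lines.append(f"{peer}: phase-2 error at {ts} with no open SA")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On the posted pair of lines the tunnel was up 28751 seconds, 49 seconds short of 28800, so it is flagged as a near-lifetime drop; the constructed 90-minute tunnel is not. A flag like that is the cue to compare the phase-1 and phase-2 lifetimes configured on the RV120 and on the PIX before touching ciphers or hash algorithms.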

Hello Nicholas,

I am sorry to hear the problem persists.  I suggest you contact the Small Business Support Center:

https://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html

I wish I could be a better help, but after trying what I already suggested, all I can advise you is to contact this tech support line so they can double check the configurations and determine the source of the problem in a timely manner.

Please do not hesitate to reach me back if there is anything I can help you with in the meantime.

Thanks again,

Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer

*Please rate the Post so others will know when an answer has been found.

Hello Jeff and anyone else reading...

I opened a case with Small Business Support.  That was a waste of time.  Mostly because Small Business knows nothing about PIX configuration, specifically how it relates to the VPN.

We changed several minor settings on the RV120 but they would not have the same results.  So finally I replaced the RV120 with a new unit and upgraded the firmware.  Also removed and re-created the VPN settings on my PIX firewall.  It has not lost connection since.

So I don't know if it was the RV120 or the PIX, but the same settings have been in the PIX for 18 months before the RV120 was even installed.  Previously it was a WRV210.

Thanks

Nick
