RVS4000/ASA IPSec Tunnels

DigbyCunningham
Level 1

We have an ASA as a central hub in an IPSec VPN community, with four RVS4000 branch office routers connecting into it.

Setting up the VPN tunnels worked fine, except after a while the tunnels seem to disconnect all by themselves, and they will not reconnect. Browsing the ASA's logs we get:

    IP = xx.yy.zz.aa, Received encrypted packet with no matching SA, dropping    (where xx.yy.zz.aa is the remote peer)

and on the RVS side we get:

    [VPN Log]: "TIMB-ELMS" #10: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

If I restart the RVS4000, the VPN connects just fine. If I let it sit for a while (like an hour or so) and hit connect, it connects just fine as well. Furthermore, if I enter the configuration screen for the VPN tunnel on the RVS and hit SAVE (making no changes), it also connects. Just over time it seems to disconnect, and will not reconnect without a restart.

FYI: there are RVS<=>RVS tunnels in place as well, and they stay up just fine ... it is just the connections to the ASA that seem to drop and not want to reconnect.

Can anyone enlighten me as to the source of the problem?

DigbyCunningham
Level 1

More info:

After much research and diagnosis I changed a few things:

     i. Changed the Pre-Shared key to include only hexadecimal numbers (0-9, A-z) ... apparently having special characters can cause problems?

     ii. Changed the _names_ of the IPSec tunnels to only alphabetic characters ...again, apparently having special characters might be an issue

     iii. Changed the MTU for all RVS routers and the ASA to a max of 1400 instead of the default 1518 to avoid possible fragmentation issues from the IPSec overhead

However, the same issues persist ... if I restart an RVS device that currently fails to connect, the tunnel comes up first time every time. But over time they will disconnect and I cannot manually reconnect them (same errors as above). Further analysis shows, I think, that the disconnect issue is on the RVS end, and research shows many people are experiencing this problem with the Openswan IPsec on Linux, which I strongly suspect is inside these RVS routers. The log when the tunnel crashes looks like this:

Mar 23 07:03:32 - [VPN Log]: "TIMBSPRY" #8: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK+UP {using isakmp#3}
Mar 23 07:03:32 - [VPN Log]: "TIMBSPRY" #8: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Mar 23 07:03:32 - [VPN Log]: "TIMBSPRY" #8: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xae33433c <0x31660547 xfrm=3DES_0-HMAC_SHA1 NATD=24.222.15.114:500 DPD=none}
Mar 23 07:03:41 - [VPN Log]: shutting down
Mar 23 07:03:41 - [VPN Log]: forgetting secrets
Mar 23 07:03:41 - [VPN Log]: "TIMBSPRY": deleting connection
Mar 23 07:03:41 - [VPN Log]: "TIMBSPRY" #8: deleting state (STATE_QUICK_I2)
Mar 23 07:03:42 - [VPN Log]: ERROR: "TIMBSPRY" #8: pfkey write() of SADB_X_ADDFLOW message 43 for flow %trap failed. Errno 14: Bad address
Mar 23 07:03:42 - [VPN Log]: | 02 0e 00 0b 17 00 00 00 2b 00 00 00 64 06 00 00
Mar 23 07:03:42 - [VPN Log]: | 03 00 01 00 00 00 01 04 00 00 00 00 02 00 00 00
Mar 23 07:03:42 - [VPN Log]: | ff ff ff ff 00 00 00 00 03 00 05 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 02 00 00 00 18 de 10 46 00 00 00 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 03 00 06 00 00 00 00 00 02 00 00 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 00 00 00 00 00 00 00 00 03 00 15 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 02 00 00 00 c0 a8 03 00 00 00 00 00 84 0b 00 40
Mar 23 07:03:42 - [VPN Log]: | 03 00 16 00 00 00 00 00 02 00 00 00 c0 a8 04 00
Mar 23 07:03:42 - [VPN Log]: | b0 25 01 00 22 00 00 00 03 00 17 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 02 00 00 00 ff ff ff 00 64 65 6c 65 74 69 6e 67
Mar 23 07:03:42 - [VPN Log]: | 03 00 18 00 00 00 00 00 02 00 00 00 ff ff ff 00
Mar 23 07:03:42 - [VPN Log]: | 5f 51 55 49 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 02 04 00 03 0b 00 00 00 2c 00 00 00 64 06 00 00
Mar 23 07:03:42 - [VPN Log]: | 03 00 01 00 ae 33 43 3c 00 01 00 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | ff ff ff ff 00 00 00 00 03 00 05 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 02 00 00 00 18 de 10 46 00 00 00 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 03 00 06 00 00 00 00 00 02 00 00 00 18 de 0f 72
Mar 23 07:03:42 - [VPN Log]: | 00 00 00 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 02 04 00 03 0b 00 00 00 2d 00 00 00 64 06 00 00
Mar 23 07:03:42 - [VPN Log]: | 03 00 01 00 31 66 05 47 00 01 00 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | ff ff ff ff 00 00 00 00 03 00 05 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 02 00 00 00 18 de 0f 72 00 00 00 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 03 00 06 00 00 00 00 00 02 00 00 00 18 de 10 46
Mar 23 07:03:42 - [VPN Log]: | 00 00 00 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: "TIMBSPRY" #5: deleting state (STATE_QUICK_R2)
Mar 23 07:03:42 - [VPN Log]: | 02 04 00 03 0b 00 00 00 2e 00 00 00 64 06 00 00
Mar 23 07:03:42 - [VPN Log]: | 03 00 01 00 ae 33 43 3a 00 01 00 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | ff ff ff ff 00 00 00 00 03 00 05 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 02 00 00 00 18 de 10 46 00 00 00 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 03 00 06 00 00 00 00 00 02 00 00 00 18 de 0f 72
Mar 23 07:03:42 - [VPN Log]: | 00 00 00 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 02 04 00 03 0b 00 00 00 2f 00 00 00 64 06 00 00
Mar 23 07:03:42 - [VPN Log]: | 03 00 01 00 31 66 05 45 00 01 00 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | ff ff ff ff 00 00 00 00 03 00 05 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 02 00 00 00 18 de 0f 72 00 00 00 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 03 00 06 00 00 00 00 00 02 00 00 00 18 de 10 46
Mar 23 07:03:42 - [VPN Log]: | 00 00 00 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: "TIMBSPRY" #4: deleting state (STATE_QUICK_I2)
Mar 23 07:03:42 - [VPN Log]: | 02 04 00 03 0b 00 00 00 30 00 00 00 64 06 00 00
Mar 23 07:03:42 - [VPN Log]: | 03 00 01 00 ae 33 43 3b 00 01 00 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | ff ff ff ff 00 00 00 00 03 00 05 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 02 00 00 00 18 de 10 46 00 00 00 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 03 00 06 00 00 00 00 00 02 00 00 00 18 de 0f 72
Mar 23 07:03:42 - [VPN Log]: | 00 00 00 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 02 04 00 03 0b 00 00 00 31 00 00 00 64 06 00 00
Mar 23 07:03:42 - [VPN Log]: | 03 00 01 00 31 66 05 44 00 01 00 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | ff ff ff ff 00 00 00 00 03 00 05 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 02 00 00 00 18 de 0f 72 00 00 00 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 03 00 06 00 00 00 00 00 02 00 00 00 18 de 10 46
Mar 23 07:03:42 - [VPN Log]: | 00 00 00 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: "TIMBSPRY" #3: deleting state (STATE_MAIN_I4)
Mar 23 07:03:42 - [VPN Log]: ERROR: "TIMBSPRY": pfkey write() of SADB_X_DELFLOW message 50 for flow int.0@0.0.0.0 failed. Errno 14: Bad address
Mar 23 07:03:42 - [VPN Log]: | 02 0f 00 0b 0e 00 00 00 32 00 00 00 64 06 00 00
Mar 23 07:03:42 - [VPN Log]: | 03 00 15 00 00 00 00 00 02 00 00 00 c0 a8 03 00
Mar 23 07:03:42 - [VPN Log]: | 00 00 00 00 84 0b 00 40 03 00 16 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 02 00 00 00 c0 a8 04 00 b0 25 01 00 22 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 03 00 17 00 00 00 00 00 02 00 00 00 ff ff ff 00
Mar 23 07:03:42 - [VPN Log]: | 88 eb ff bf 00 00 00 00 03 00 18 00 00 00 00 00
Mar 23 07:03:42 - [VPN Log]: | 02 00 00 00 ff ff ff 00 00 00 00 00 00 00 00 00
Mar 23 07:03:43 - [VPN Log]: "TIMBSPRY": unroute-client output: 0
Mar 23 07:03:43 - [VPN Log]: "SHUBSPRY": deleting connection
Mar 23 07:03:43 - [VPN Log]: "SHUBSPRY" #7: deleting state (STATE_QUICK_I2)
Mar 23 07:03:43 - [VPN Log]: ERROR: "SHUBSPRY" #7: pfkey write() of SADB_X_ADDFLOW message 51 for flow %trap failed. Errno 14: C
Mar 23 07:03:43 - [VPN Log]: | 02 0e 00 0b 17 00 00 00 33 00 00 00 64 06 00 00
Mar 23 07:03:43 - [VPN Log]: | 03 00 01 00 00 00 01 04 00 00 00 00 02 00 00 00
Mar 23 07:03:43 - [VPN Log]: | ff ff ff ff 00 00 00 00 03 00 05 00 00 00 00 00
Mar 23 07:03:43 - [VPN Log]: | 02 00 00 00 18 de 10 46 00 00 00 00 00 00 00 00
Mar 23 07:03:43 - [VPN Log]: | 03 00 06 00 00 00 00 00 02 00 00 00 00 00 00 00
Mar 23 07:03:43 - [VPN Log]: | 00 00 00 00 00 00 00 00 03 00 15 00 00 00 00 00
Mar 23 07:03:43 - [VPN Log]: | 02 00 00 00 c0 a8 03 00 00 00 00 00 84 0b 00 40
Mar 23 07:03:43 - [VPN Log]: | 03 00 16 00 00 00 00 00 02 00 00 00 c0 a8 02 00
Mar 23 07:03:43 - [VPN Log]: | b0 25 01 00 22 00 00 00 03 00 17 00 00 00 00 00
Mar 23 07:03:43 - [VPN Log]: | 02 00 00 00 ff ff ff 00 64 65 6c 65 74 69 6e 67
Mar 23 07:03:43 - [VPN Log]: | 03 00 18 00 00 00 00 00 02 00 00 00 ff ff ff 00
Mar 23 07:03:43 - [VPN Log]: | 5f 51 55 49 00 00 00 00
Mar 23 07:03:43 - [VPN Log]: | 02 04 00 03 0b 00 00 00 34 00 00 00 64 06 00 00
Mar 23 07:03:43 - [VPN Log]: | 03 00 01 00 ea 98 c9 fa 00 01 00 00 00 00 00 00
Mar 23 07:03:43 - [VPN Log]: | ff ff ff ff 00 00 00 00 03 00 05 00 00 00 00 00
Mar 23 07:03:43 - [VPN Log]: | 02 00 00 00 18 de 10 46 00 00 00 00 00 00 00 00
Mar 23 07:03:43 - [VPN Log]: | 03 00 06 00 00 00 00 00 02 00 00 00 18 de 72 1e
Mar 23 07:03:43 - [VPN Log]: | 00 00 00 00 00 00 00 00
Mar 23 07:03:43 - [VPN Log]: | 02 04 00 03 0b 00 00 00 35 00 00 00 64 06 00 00
Mar 23 07:03:43 - [VPN Log]: | 03 00 01 00 31 66 05 46 00 01 00 00 00 00 00 00
Mar 23 07:03:43 - [VPN Log]: | ff ff ff ff 00 00 00 00 03 00 05 00 00 00 00 00
Mar 23 07:03:43 - [VPN Log]: | 02 00 00 00 18 de 72 1e 00 00 00 00 00 00 00 00
Mar 23 07:03:43 - [VPN Log]: | 03 00 06 00 00 00 00 00 02 00 00 00 18 de 10 46
Mar 23 07:03:43 - [VPN Log]: | 00 00 00 00 00 00 00 00
Mar 23 07:03:43 - [VPN Log]: "SHUBSPRY" #6: deleting state (STATE_MAIN_I4)
Mar 23 07:03:43 - [VPN Log]: ERROR: "SHUBSPRY": pfkey write() of SADB_X_DELFLOW message 54 for flow int.0@0.0.0.0 failed. Errno 14: Bad address
Mar 23 07:03:43 - [VPN Log]: | 02 0f 00 0b 0e 00 00 00 36 00 00 00 64 06 00 00
Mar 23 07:03:43 - [VPN Log]: | 03 00 15 00 00 00 00 00 02 00 00 00 c0 a8 03 00
Mar 23 07:03:43 - [VPN Log]: | 00 00 00 00 84 0b 00 40 03 00 16 00 00 00 00 00
Mar 23 07:03:43 - [VPN Log]: | 02 00 00 00 c0 a8 02 00 b0 25 01 00 22 00 00 00
Mar 23 07:03:43 - [VPN Log]: | 03 00 17 00 00 00 00 00 02 00 00 00 ff ff ff 00
Mar 23 07:03:43 - [VPN Log]: | 88 eb ff bf 00 00 00 00 03 00 18 00 00 00 00 00
Mar 23 07:03:43 - [VPN Log]: | 02 00 00 00 ff ff ff 00 00 00 00 00 00 00 00 00
Mar 23 07:03:44 - [VPN Log]: "SHUBSPRY": unroute-client output: /usr/local/lib/ipsec/_updown: doroute `ip route delete 192.168.2.0/24 via 24.222.16.69 dev ipsec0 ' failed (ip: RTNETLINK answers: No such process)
Mar 23 07:03:44 - [VPN Log]: "SHUBSPRY": unroute-client output: /usr/local/lib/ipsec/_updown: doroute `ip route delete 192.168.2.0/24 via 24.222.16.69 dev ipsec0 ' failed (ip: RTNETLINK answers: No such process)
Mar 23 07:03:45 - [VPN Log]: "SHUBSPRY": unroute-client output: we add the route in manual form
Mar 23 07:03:45 - [VPN Log]: "SHUBSPRY": unroute-client output: route add -net 192.168.2.0 netmask 255.255.255.0 dev ipsec0
Mar 23 07:03:45 - [VPN Log]: "SHUBSPRY": unroute-client output: 1
Mar 23 07:03:45 - [VPN Log]: "SPRYELMS": deleting connection
Mar 23 07:03:45 - [VPN Log]: "SPRYELMS" #2: deleting state (STATE_QUICK_I2)
Mar 23 07:03:45 - [VPN Log]: ERROR: "SPRYELMS" #2: pfkey write() of SADB_X_ADDFLOW message 55 for flow %trap failed. Errno 14: Bad address
Mar 23 07:03:45 - [VPN Log]: | 02 0e 00 0b 17 00 00 00 37 00 00 00 64 06 00 00
Mar 23 07:03:45 - [VPN Log]: | 03 00 01 00 00 00 01 04 00 00 00 00 02 00 00 00
Mar 23 07:03:45 - [VPN Log]: | ff ff ff ff 00 00 00 00 03 00 05 00 00 00 00 00
Mar 23 07:03:45 - [VPN Log]: | 02 00 00 00 18 de 10 46 00 00 00 00 00 00 00 00
Mar 23 07:03:45 - [VPN Log]: | 03 00 06 00 00 00 00 00 02 00 00 00 00 00 00 00
Mar 23 07:03:45 - [VPN Log]: | 00 00 00 00 00 00 00 00 03 00 15 00 00 00 00 00
Mar 23 07:03:45 - [VPN Log]: | 02 00 00 00 c0 a8 03 00 00 00 00 00 84 0b 00 40
Mar 23 07:03:45 - [VPN Log]: | 03 00 16 00 00 00 00 00 02 00 00 00 c0 a8 00 00
Mar 23 07:03:45 - [VPN Log]: | b0 25 01 00 22 00 00 00 03 00 17 00 00 00 00 00
Mar 23 07:03:45 - [VPN Log]: | 02 00 00 00 ff ff ff 00 64 65 6c 65 74 69 6e 67
Mar 23 07:03:45 - [VPN Log]: | 03 00 18 00 00 00 00 00 02 00 00 00 ff ff ff 00
Mar 23 07:03:45 - [VPN Log]: | 5f 51 55 49 00 00 00 00
Mar 23 07:03:45 - [VPN Log]: | 02 04 00 03 0b 00 00 00 38 00 00 00 64 06 00 00
Mar 23 07:03:45 - [VPN Log]: | 03 00 01 00 d0 9a a9 b1 00 01 00 00 00 00 00 00
Mar 23 07:03:45 - [VPN Log]: | ff ff ff ff 00 00 00 00 03 00 05 00 00 00 00 00
Mar 23 07:03:45 - [VPN Log]: | 02 00 00 00 18 de 10 46 00 00 00 00 00 00 00 00
Mar 23 07:03:45 - [VPN Log]: | 03 00 06 00 00 00 00 00 02 00 00 00 18 de 2f 86
Mar 23 07:03:45 - [VPN Log]: | 00 00 00 00 00 00 00 00
Mar 23 07:03:45 - [VPN Log]: | 02 04 00 03 0b 00 00 00 39 00 00 00 64 06 00 00
Mar 23 07:03:45 - [VPN Log]: | 03 00 01 00 31 66 05 43 00 01 00 00 00 00 00 00
Mar 23 07:03:45 - [VPN Log]: | ff ff ff ff 00 00 00 00 03 00 05 00 00 00 00 00
Mar 23 07:03:45 - [VPN Log]: | 02 00 00 00 18 de 2f 86 00 00 00 00 00 00 00 00
Mar 23 07:03:45 - [VPN Log]: | 03 00 06 00 00 00 00 00 02 00 00 00 18 de 10 46
Mar 23 07:03:45 - [VPN Log]: | 00 00 00 00 00 00 00 00
Mar 23 07:03:45 - [VPN Log]: "SPRYELMS" #1: deleting state (STATE_MAIN_I4)
Mar 23 07:03:45 - [VPN Log]: ERROR: "SPRYELMS": pfkey write() of SADB_X_DELFLOW message 58 for flow int.0@0.0.0.0 failed. Errno 14: Bad address
Mar 23 07:03:45 - [VPN Log]: | 02 0f 00 0b 0e 00 00 00 3a 00 00 00 64 06 00 00
Mar 23 07:03:45 - [VPN Log]: | 03 00 15 00 00 00 00 00 02 00 00 00 c0 a8 03 00
Mar 23 07:03:45 - [VPN Log]: | 00 00 00 00 84 0b 00 40 03 00 16 00 00 00 00 00
Mar 23 07:03:45 - [VPN Log]: | 02 00 00 00 c0 a8 00 00 b0 25 01 00 22 00 00 00
Mar 23 07:03:45 - [VPN Log]: | 03 00 17 00 00 00 00 00 02 00 00 00 ff ff ff 00
Mar 23 07:03:45 - [VPN Log]: | 88 eb ff bf 00 00 00 00 03 00 18 00 00 00 00 00
Mar 23 07:03:45 - [VPN Log]: | 02 00 00 00 ff ff ff 00 00 00 00 00 00 00 00 00
Mar 23 07:03:46 - [VPN Log]: "SPRYELMS": unroute-client output: /usr/local/lib/ipsec/_updown: doroute `ip route delete 192.168.0.0/24 via 24.222.16.69 dev ipsec0 ' failed (ip: RTNETLINK answers: No such process)
Mar 23 07:03:46 - [VPN Log]: "SPRYELMS": unroute-client output: /usr/local/lib/ipsec/_updown: doroute `ip route delete 192.168.0.0/24 via 24.222.16.69 dev ipsec0 ' failed (ip: RTNETLINK answers: No such process)
Mar 23 07:03:46 - [VPN Log]: "SPRYELMS": unroute-client output: we add the route in manual form
Mar 23 07:03:46 - [VPN Log]: "SPRYELMS": unroute-client output: route add -net 192.168.0.0 netmask 255.255.255.0 dev ipsec0
Mar 23 07:03:46 - [VPN Log]: "SPRYELMS": unroute-client output: 1
Mar 23 07:03:46 - [VPN Log]: shutting down interface ipsec0/eth1 24.222.16.70:4500
Mar 23 07:03:46 - [VPN Log]: shutting down interface ipsec0/eth1 24.222.16.70:500
Mar 23 07:03:49 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)
Mar 23 07:03:49 - [VPN Log]: @(#) built on Oct 27 2009:16:21:09:
Mar 23 07:03:49 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
Mar 23 07:03:49 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1
Mar 23 07:03:49 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)
Mar 23 07:03:49 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Mar 23 07:03:49 - [VPN Log]: starting up 1 cryptographic helpers
Mar 23 07:03:49 - [VPN Log]: started helper pid=2182 (fd:5)
Mar 23 07:03:49 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star
Mar 23 07:03:49 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'
Mar 23 07:03:49 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'
Mar 23 07:03:49 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'
Mar 23 07:03:49 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'
Mar 23 07:03:49 - [VPN Log]: Warning: empty directory
Mar 23 07:03:49 - [VPN Log]: added connection description "SPRYELMS"
Mar 23 07:03:49 - [VPN Log]: listening for IKE messages
Mar 23 07:03:50 - [VPN Log]: adding interface ipsec0/eth1 24.222.16.70:500
Mar 23 07:03:50 - [VPN Log]: adding interface ipsec0/eth1 24.222.16.70:4500
Mar 23 07:03:50 - [VPN Log]: loading secrets from "/etc/ipsec.secrets"
Mar 23 07:03:51 - [VPN Log]: "SPRYELMS": route-client output: 0
Mar 23 07:03:51 - [VPN Log]: packet from 24.222.15.114:500: received Vendor ID payload [Openswan (this version) cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Mar 23 07:03:51 - [VPN Log]: packet from 24.222.15.114:500: received Vendor ID payload [Dead Peer Detection]
Mar 23 07:03:51 - [VPN Log]: packet from 24.222.15.114:500: received Vendor ID payload [RFC 3947] method set to=109
Mar 23 07:03:51 - [VPN Log]: packet from 24.222.15.114:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Mar 23 07:03:51 - [VPN Log]: packet from 24.222.15.114:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Mar 23 07:03:51 - [VPN Log]: packet from 24.222.15.114:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 23 07:03:51 - [VPN Log]: packet from 24.222.15.114:500: initial Main Mode message received on 24.222.16.70:500 but no connection has been authorized
Mar 23 07:03:51 - [VPN Log]: "SPRYELMS" #1: initiating Main Mode
Mar 23 07:03:51 - [VPN Log]: added connection description "TIMBSPRY"
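
Added example (not from this thread, Cisco or the Openswan project): a small Python analyzer for log lines in the RVS4000 "[VPN Log]" format quoted in the post above and in the first post. It picks out the crash-and-restart signature ("shutting down" followed by "Starting Pluto"), lists the IPsec SAs (connection name and ESP SPIs) that were live when the daemon died, counts the pfkey write() errors per connection, and flags connections that either never renegotiated after the restart or hit "max number of retransmissions". SAMPLE_LOG is an excerpt of the lines posted above plus one constructed line (the TIMB-ELMS retransmission message from the first post, with a timestamp added so it parses); LOG_YEAR is an assumption, since the log lines carry no year.

```python
"""Detect an Openswan/Pluto restart and the IPsec SAs it orphaned, from RVS4000 VPN log lines."""
import json
import re
from datetime import datetime

# Message formats as they appear in the RVS4000 "[VPN Log]" output quoted in this thread.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) - \[VPN Log\]: (?P<msg>.*)$')
SA_UP_RE = re.compile(
    r'^"(?P<conn>[^"]+)" #(?P<num>\d+): STATE_QUICK_[IR]2: .*IPsec SA established '
    r'\{ESP=>(?P<out_spi>0x[0-9a-f]+) <(?P<in_spi>0x[0-9a-f]+)')
PFKEY_RE = re.compile(
    r'^ERROR: "(?P<conn>[^"]+)"(?: #\d+)?: pfkey write\(\) of (?P<op>SADB_\w+) '
    r'message \d+ .*failed\. Errno (?P<errno>\d+)')
RETRANS_RE = re.compile(
    r'^"(?P<conn>[^"]+)" #\d+: max number of retransmissions \(\d+\) reached (?P<state>STATE_\w+)')
MAIN_MODE_RE = re.compile(r'^"(?P<conn>[^"]+)" #\d+: initiating Main Mode')

LOG_YEAR = 2010  # assumption: the log carries no year; only used to compute intervals


def parse(lines):
    """Yield (timestamp, message) for each line in the RVS log format; hex dumps and noise are kept
    as plain messages and simply match none of the patterns below."""
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["msg"]


def analyze(lines):
    """Report a Pluto restart, the SAs that were live when it died, and what happened afterwards."""
    report = {"restart": None, "orphaned_sas": [], "pfkey_errors": {},
              "renegotiating": [], "recovered": [], "stuck": [], "not_renegotiated": []}
    live = {}  # conn -> (state#, outbound SPI, inbound SPI) for SAs established before the shutdown
    shutdown_at = started_at = None
    for ts, msg in parse(lines):
        # Exact match on purpose: "shutting down interface ..." is a different, later message.
        if msg == "shutting down" and shutdown_at is None:
            shutdown_at = ts
            report["orphaned_sas"] = [{"conn": c, "num": n, "out_spi": o, "in_spi": i}
                                      for c, (n, o, i) in live.items()]
            continue
        if msg.startswith("Starting Pluto") and shutdown_at is not None and started_at is None:
            started_at = ts
            report["restart"] = {"shutdown_at": shutdown_at.strftime("%b %d %H:%M:%S"),
                                 "started_at": started_at.strftime("%b %d %H:%M:%S"),
                                 "gap_seconds": int((started_at - shutdown_at).total_seconds())}
            continue
        m = SA_UP_RE.match(msg)
        if m:
            if started_at is not None:
                report["recovered"].append(m["conn"])      # a fresh SA after the restart
            else:
                live[m["conn"]] = (int(m["num"]), m["out_spi"], m["in_spi"])
            continue
        m = PFKEY_RE.match(msg)
        if m:  # Errno 14 on SADB_X_ADDFLOW/DELFLOW: Pluto failed to talk to the KLIPS SA database
            report["pfkey_errors"][m["conn"]] = report["pfkey_errors"].get(m["conn"], 0) + 1
            continue
        m = MAIN_MODE_RE.match(msg)
        if m and started_at is not None:
            report["renegotiating"].append(m["conn"])
            continue
        m = RETRANS_RE.match(msg)
        if m:
            report["stuck"].append((m["conn"], m["state"]))
    seen_again = set(report["renegotiating"]) | set(report["recovered"])
    report["not_renegotiated"] = [sa["conn"] for sa in report["orphaned_sas"]
                                  if sa["conn"] not in seen_again]
    return report


# Excerpt of the log posted above, plus one constructed line at the end (the TIMB-ELMS message
# from the first post with a timestamp added). The SA line shows DPD=none on the RVS side.
SAMPLE_LOG = """\
Mar 23 07:03:32 - [VPN Log]: "TIMBSPRY" #8: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xae33433c <0x31660547 xfrm=3DES_0-HMAC_SHA1 NATD=24.222.15.114:500 DPD=none}
Mar 23 07:03:41 - [VPN Log]: shutting down
Mar 23 07:03:41 - [VPN Log]: forgetting secrets
Mar 23 07:03:41 - [VPN Log]: "TIMBSPRY" #8: deleting state (STATE_QUICK_I2)
Mar 23 07:03:42 - [VPN Log]: ERROR: "TIMBSPRY" #8: pfkey write() of SADB_X_ADDFLOW message 43 for flow %trap failed. Errno 14: Bad address
Mar 23 07:03:42 - [VPN Log]: | 02 0e 00 0b 17 00 00 00 2b 00 00 00 64 06 00 00
Mar 23 07:03:42 - [VPN Log]: ERROR: "TIMBSPRY": pfkey write() of SADB_X_DELFLOW message 50 for flow int.0@0.0.0.0 failed. Errno 14: Bad address
Mar 23 07:03:43 - [VPN Log]: ERROR: "SHUBSPRY": pfkey write() of SADB_X_DELFLOW message 54 for flow int.0@0.0.0.0 failed. Errno 14: Bad address
Mar 23 07:03:46 - [VPN Log]: shutting down interface ipsec0/eth1 24.222.16.70:500
Mar 23 07:03:49 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)
Mar 23 07:03:51 - [VPN Log]: "SPRYELMS" #1: initiating Main Mode
Mar 23 07:04:40 - [VPN Log]: "TIMB-ELMS" #10: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
""".splitlines()

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On the sample the script reports an 8-second gap between "shutting down" and "Starting Pluto", TIMBSPRY #8 (ESP 0xae33433c/0x31660547) as the SA that was live when the daemon died and never renegotiated, pfkey write() failures for TIMBSPRY and SHUBSPRY, and TIMB-ELMS stuck at STATE_QUICK_I1. The SPIs in orphaned_sas are the ones to compare against `show crypto ipsec sa` on the ASA when chasing the "no matching SA" drops from the first post.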

Sounds like you may need to shorten your key timers. Try cutting each timer in half. See if that helps.

Bill

Thanks Bill, but I've tried all sorts of timers; we ended up putting them extremely high (24 hrs) simply to give a consistent working day without disconnection.

Final solution was to pull the RVS4000's and put in RV042's.

After much digging I found the problem: the RVS VPN module was burping on the ASA VPN tunnel because of an invalid packet -- which turns out to be the ASA's keepalive packet. If I turned off the keepalive/DPD on the ASA the problem stopped; however, the application they're using over the tunnel is a little particular about consistent connections. If the tunnel drops due to inactivity, and a packet is lost while the tunnel rebuilds when traffic begins again, the application freezes (I know, a poorly written app, but it is what I've got to work with here). We need the tunnels to be maintained all the time, so keepalive is required. I invested in the RV042's because they properly support the keepalive/DPD features.

All is good now.

Is there any chance you might be able to share your (sanitized) configuration for the ASA and the RVS? We are having much difficulty in establishing a tunnel (much less keeping it alive), and there is a lack of information or examples on getting this to work properly. I realize the RVS4000 line is getting rather old, but we'd like to at least see this work in practice since others have had good results.

Thanks in advance

Hi Glenn, unfortunately there is no resolution for this. The ASA will overwhelm the RVS4000 and WRVS4400N models. Once the tunnel establishes, the RVS4000/WRVS4400N has a tendency to run out of memory, causing it to lock up and forcing a reboot.

This has been a problem interoperating these products for at least the 3 years I've played with them.

I would recommend investing in an RV042(G) or RV220W. Either of these routers can handle a tunnel to the ASA.

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/

Yes, as Tom notes, I'm sorry to say the final resolution after a massive undertaking was that the Openswan VPN inside the RVS4000 is incompatible with Cisco's IOS VPN ... at least once a day the RVS4000 would "hiccup" and then fail to reestablish the tunnel after reloading.

Our extensive research into this showed the Openswan had crashed and reloaded [shown in debug logs]. The official answer from Cisco/Linksys at the end of the day was that although the Openswan VPN module had crashed and reloaded, the actual SA tables were not cleared in memory, leaving "connections" still there. The RVS4000 could not properly respond to incoming messages from the ASA using these tables, but would not rebuild the table to create a new connection [it thinks it has a connection already according to the tables, but the ones listed are no longer valid]. The only solution was a restart of the router --- once a day --- not a good scenario for a new setup. NB: if you waited "long enough", like hours and hours --- typically a whole weekend, they would eventually link back up.

We ended up pulling all the RVS4000's and moved up to RV042 routers. They worked just fine.

Side note: 5x RVS4000 routers sat on the shelf here in the office for another couple of months; I thought I had lost out there, but after revisiting them they turn out to be quite decent little small-office [up to say 50 connections] routers. Even RVS<=>RVS VPNs work quite well. We ended up adopting them as the preferred small business routing solution.
