Cisco Support Community
New Member

SA520 IPSec tunnel fails to reassociate

I've got SA520s connecting to an ASA5500 head end via regular IPsec VPN tunnels.  When the head end drops the tunnel, all of the SA520s will never re-establish their tunnels, while the ASA5505s in the field will re-establish.  Rebooting the SA520s will re-establish the tunnel for about 1-2 minutes, then the tunnel drops again; according to the logs in the SA520, it drops the tunnel immediately following the SA520 updating its date/time.

The SA520 boots up with a date of 12/31/1999, then creates a tunnel to the ASA5510, then updates its date/time, thus expiring the current SA.  However, viewing the VPN Status on the SA520 shows the tunnel is up, but clearly it's not, nor does the ASA at the head end show a tunnel to be established with that SA520.

There are only 2 ways to re-establish the tunnel:

1. Disable the VPN on the SA520, reboot, wait a few minutes, then enable the VPNs; they will connect and stay connected.

2. Delete the VPN config from the SA520, rebuild it, and it will connect and stay connected.

Does anybody have a workaround for this erroneous date/time issue on the SA520s?  I purchased 5 of them last year to replace the more expensive ASA5505s we have in the field, but now that I'm deploying them I'm finding my VPN over the SA520s is not very resilient.

5 REPLIES
New Member

SA520 IPSec tunnel fails to reassociate

Here are the logs immediately following a reboot.  The SA520 comes up with a date of 12/31/99; it establishes the tunnel, then it gets a new date and expires the SAs.  As you can see, the tunnel is established before the date changes, and I'm able to ping across the tunnel until it expires the SA.  Following the expired SAs nothing passes; however, the web interface shows the tunnel to be up even though it's not.

Fri Dec 31 18:07:39 1999 (GMT -0600): [fwrol01] [IKE] INFO:  IPsec-SA established: ESP/Tunnel xx.xx.xx.2->xx.xx.xx.178 with spi=226923459(0xd8693c3)

Fri Dec 31 18:07:39 1999 (GMT -0600): [fwrol01] [IKE] INFO:  IPsec-SA established: ESP/Tunnel xx.xx.xx.178->xx.xx.xx.2 with spi=3344916756(0xc75f6114)

Mon Feb 06 15:36:11 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Phase 2 sa expired xx.xx.xx.178-xx.xx.xx.50

Mon Feb 06 15:36:11 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Phase 2 sa expired xx.xx.xx.178-xx.xx.xx.2

Mon Feb 06 15:36:11 2012 (GMT -0600): [fwrol01] [IKE] INFO:  ISAKMP-SA expired xx.xx.xx.178[500]-xx.xx.xx.2[500] spi:bf3aa2ece8b2e730:90450131ce4e6641

Mon Feb 06 15:36:11 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Sending Informational Exchange: delete payload[]

Mon Feb 06 15:36:11 2012 (GMT -0600): [fwrol01] [IKE] INFO:  ISAKMP-SA expired xx.xx.xx.178[500]-xx.xx.xx.50[500] spi:23150e41b279dd4b:77740eb5fc8c7079

Mon Feb 06 15:36:11 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Sending Informational Exchange: delete payload[]

Mon Feb 06 15:36:12 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Phase 2 sa deleted xx.xx.xx.178-xx.xx.xx.50

Mon Feb 06 15:36:12 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Phase 2 sa deleted xx.xx.xx.178-xx.xx.xx.2

Mon Feb 06 15:36:12 2012 (GMT -0600): [fwrol01] [IKE] INFO:  ISAKMP-SA deleted for xx.xx.xx.178[500]-xx.xx.xx.2[500] with spi:bf3aa2ece8b2e730:90450131ce4e6641

Mon Feb 06 15:36:12 2012 (GMT -0600): [fwrol01] [IKE] INFO:  ISAKMP-SA deleted for xx.xx.xx.178[500]-xx.xx.xx.50[500] with spi:23150e41b279dd4b:77740eb5fc8c7079

Mon Feb 06 15:37:11 2012 (GMT -0600): [fwrol01] [IKE] WARNING:  no phase2 found for "ti_dctr"

Mon Feb 06 15:37:11 2012 (GMT -0600): [fwrol01] [IKE] INFO:  IPSec configuration with identifier "ti_dctr" deleted sucessfully

Mon Feb 06 15:37:11 2012 (GMT -0600): [fwrol01] [IKE] WARNING:  no phase1 found for "ti_dctr"

Mon Feb 06 15:37:11 2012 (GMT -0600): [fwrol01] [IKE] INFO:  IKE configuration with identifier "ti_dctr" deleted sucessfully

Mon Feb 06 15:37:11 2012 (GMT -0600): [fwrol01] [IKE] WARNING:  no phase2 found for "ti_corp"

Mon Feb 06 15:37:11 2012 (GMT -0600): [fwrol01] [IKE] INFO:  IPSec configuration with identifier "ti_corp" deleted sucessfully

Mon Feb 06 15:37:11 2012 (GMT -0600): [fwrol01] [IKE] WARNING:  no phase1 found for "ti_corp"

Mon Feb 06 15:37:11 2012 (GMT -0600): [fwrol01] [IKE] INFO:  IKE configuration with identifier "ti_corp" deleted sucessfully

Mon Feb 06 15:37:12 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Adding IPSec configuration with identifier "ti_dctr"

Mon Feb 06 15:37:12 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Adding IKE configuration with identifier "ti_dctr"

Mon Feb 06 15:37:13 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Adding IPSec configuration with identifier "ti_corp"

Mon Feb 06 15:37:13 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Adding IKE configuration with identifier "ti_corp"

Mon Feb 06 15:54:04 2012 (GMT -0600): [fwrol01] [IKE] WARNING:  no phase2 found for "ti_dctr"

Mon Feb 06 15:54:04 2012 (GMT -0600): [fwrol01] [IKE] INFO:  IPSec configuration with identifier "ti_dctr" deleted sucessfully

Mon Feb 06 15:54:04 2012 (GMT -0600): [fwrol01] [IKE] WARNING:  no phase1 found for "ti_dctr"

Mon Feb 06 15:54:04 2012 (GMT -0600): [fwrol01] [IKE] INFO:  IKE configuration with identifier "ti_dctr" deleted sucessfully

Mon Feb 06 15:54:07 2012 (GMT -0600): [fwrol01] [IKE] WARNING:  no phase2 found for "ti_corp"

Mon Feb 06 15:54:07 2012 (GMT -0600): [fwrol01] [IKE] INFO:  IPSec configuration with identifier "ti_corp" deleted sucessfully

Mon Feb 06 15:54:07 2012 (GMT -0600): [fwrol01] [IKE] WARNING:  no phase1 found for "ti_corp"

Mon Feb 06 15:54:07 2012 (GMT -0600): [fwrol01] [IKE] INFO:  IKE configuration with identifier "ti_corp" deleted sucessfully

Mon Feb 06 15:55:21 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Adding IPSec configuration with identifier "ti_dctr"

Mon Feb 06 15:55:21 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Adding IKE configuration with identifier "ti_dctr"

Mon Feb 06 15:55:24 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Adding IPSec configuration with identifier "ti_corp"

Mon Feb 06 15:55:24 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Adding IKE configuration with identifier "ti_corp"

Mon Feb 06 15:56:30 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Flushing SAs for peer "xx.xx.xx.2" with spi 3344916756

Mon Feb 06 15:56:30 2012 (GMT -0600): [fwrol01] [IKE] ERROR:  failed to get iph2

Mon Feb 06 15:56:39 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Flushing SAs for peer "xx.xx.xx.50" with spi 1786034910

Mon Feb 06 15:56:39 2012 (GMT -0600): [fwrol01] [IKE] ERROR:  failed to get iph2

Mon Feb 06 16:01:43 2012 (GMT -0600): [fwrol01] [IKE] WARNING:  no phase2 found for "ti_dctr"

Mon Feb 06 16:01:43 2012 (GMT -0600): [fwrol01] [IKE] INFO:  IPSec configuration with identifier "ti_dctr" deleted sucessfully

Mon Feb 06 16:01:43 2012 (GMT -0600): [fwrol01] [IKE] WARNING:  no phase1 found for "ti_dctr"

Mon Feb 06 16:01:43 2012 (GMT -0600): [fwrol01] [IKE] INFO:  IKE configuration with identifier "ti_dctr" deleted sucessfully

Mon Feb 06 16:01:46 2012 (GMT -0600): [fwrol01] [IKE] WARNING:  no phase2 found for "ti_corp"

Mon Feb 06 16:01:46 2012 (GMT -0600): [fwrol01] [IKE] INFO:  IPSec configuration with identifier "ti_corp" deleted sucessfully

Mon Feb 06 16:01:46 2012 (GMT -0600): [fwrol01] [IKE] WARNING:  no phase1 found for "ti_corp"

Mon Feb 06 16:01:46 2012 (GMT -0600): [fwrol01] [IKE] INFO:  IKE configuration with identifier "ti_corp" deleted sucessfully

Mon Feb 06 16:04:01 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Adding IPSec configuration with identifier "ti_dctr"

Mon Feb 06 16:04:01 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Adding IKE configuration with identifier "ti_dctr"

Mon Feb 06 16:04:04 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Adding IPSec configuration with identifier "ti_corp"

Mon Feb 06 16:04:04 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Adding IKE configuration with identifier "ti_corp"

Mon Feb 06 16:05:29 2012 (GMT -0600): [fwrol01] [IKE] WARNING:  no phase2 found for "ti_dctr"

Mon Feb 06 16:05:29 2012 (GMT -0600): [fwrol01] [IKE] INFO:  IPSec configuration with identifier "ti_dctr" deleted sucessfully

Mon Feb 06 16:05:29 2012 (GMT -0600): [fwrol01] [IKE] WARNING:  no phase1 found for "ti_dctr"

Mon Feb 06 16:05:29 2012 (GMT -0600): [fwrol01] [IKE] INFO:  IKE configuration with identifier "ti_dctr" deleted sucessfully

Mon Feb 06 16:05:29 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Adding IPSec configuration with identifier "ti_dctr"

Mon Feb 06 16:05:29 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Adding IKE configuration with identifier "ti_dctr"

Mon Feb 06 16:06:17 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Flushing SAs for peer "xx.xx.xx.2" with spi 3344916756

Mon Feb 06 16:06:17 2012 (GMT -0600): [fwrol01] [IKE] ERROR:  failed to get iph2

Mon Feb 06 16:06:26 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Flushing SAs for peer "xx.xx.xx.50" with spi 1786034910

Mon Feb 06 16:06:26 2012 (GMT -0600): [fwrol01] [IKE] ERROR:  failed to get iph2
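The log excerpt above shows the pattern the poster describes: the IPsec SAs are established while the clock still reads 1999, and the "Phase 2 sa expired" / "ISAKMP-SA expired" lines fire in the same second the timestamps jump to 2012. The following Python script is an added example, not code from the original thread or from Cisco. It parses log lines in the format shown above (a constructed, trimmed copy of the posted lines is embedded as sample input), detects a large wall-clock jump between consecutive entries, reports how "old" the SA appears at the moment of expiry, and flags expiry events that land inside a short window after the jump. The 3600-second Phase 2 lifetime used for the comparison is an assumption for illustration; the thread does not state the configured lifetimes.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a trimmed copy of the SA520 log lines posted in this thread
# (peer addresses were already masked by the poster).
SAMPLE_LOG = """\
Fri Dec 31 18:07:39 1999 (GMT -0600): [fwrol01] [IKE] INFO:  IPsec-SA established: ESP/Tunnel xx.xx.xx.2->xx.xx.xx.178 with spi=226923459(0xd8693c3)
Fri Dec 31 18:07:39 1999 (GMT -0600): [fwrol01] [IKE] INFO:  IPsec-SA established: ESP/Tunnel xx.xx.xx.178->xx.xx.xx.2 with spi=3344916756(0xc75f6114)
Mon Feb 06 15:36:11 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Phase 2 sa expired xx.xx.xx.178-xx.xx.xx.50
Mon Feb 06 15:36:11 2012 (GMT -0600): [fwrol01] [IKE] INFO:  Phase 2 sa expired xx.xx.xx.178-xx.xx.xx.2
Mon Feb 06 15:36:11 2012 (GMT -0600): [fwrol01] [IKE] INFO:  ISAKMP-SA expired xx.xx.xx.178[500]-xx.xx.xx.2[500] spi:bf3aa2ece8b2e730:90450131ce4e6641
Mon Feb 06 15:36:12 2012 (GMT -0600): [fwrol01] [IKE] INFO:  ISAKMP-SA deleted for xx.xx.xx.178[500]-xx.xx.xx.2[500] with spi:bf3aa2ece8b2e730:90450131ce4e6641
"""

# One log line: "<Day> <Mon> <dd> <HH:MM:SS> <yyyy> (GMT <offset>): [host] [facility] LEVEL:  message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) \(GMT (?P<tz>[+-]\d{4})\): "
    r"\[(?P<host>[^\]]+)\] \[(?P<facility>[^\]]+)\] (?P<level>\w+):\s+(?P<msg>.*)$"
)


def parse(log_text):
    """Parse log lines into dicts with a datetime, level and message; skip unparsable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Drop the weekday name so a wrong weekday can never make strptime fail.
        ts = datetime.strptime(m["ts"][4:], "%b %d %H:%M:%S %Y")
        events.append({"ts": ts, "level": m["level"], "msg": m["msg"]})
    return events


def find_clock_jumps(events, threshold=timedelta(hours=1)):
    """Return (before, after, delta) for consecutive entries whose timestamps differ by more than threshold."""
    jumps = []
    for prev, cur in zip(events, events[1:]):
        delta = cur["ts"] - prev["ts"]
        if abs(delta) > threshold:
            jumps.append((prev["ts"], cur["ts"], delta))
    return jumps


def sa_expiries_after_jump(events, jumps, window=timedelta(seconds=60)):
    """Return expiry events that fire within `window` after a detected clock jump."""
    hits = []
    for _, after, delta in jumps:
        for ev in events:
            if "expired" in ev["msg"] and timedelta(0) <= ev["ts"] - after <= window:
                hits.append((ev["ts"], ev["msg"], delta))
    return hits


def sa_age_at_first_expiry(events):
    """Wall-clock age of the first IPsec SA when the first Phase 2 expiry is logged, or None."""
    established = [e["ts"] for e in events if "IPsec-SA established" in e["msg"]]
    expired = [e["ts"] for e in events if "Phase 2 sa expired" in e["msg"]]
    if not established or not expired:
        return None
    return min(expired) - min(established)


def diagnose(log_text, phase2_lifetime=timedelta(seconds=3600)):
    """Summarise whether SA expiry coincides with a clock jump. phase2_lifetime is an assumed value."""
    events = parse(log_text)
    jumps = find_clock_jumps(events)
    age = sa_age_at_first_expiry(events)
    hits = sa_expiries_after_jump(events, jumps)
    return {
        "events": len(events),
        "clock_jumps": jumps,
        "sa_age_at_expiry": age,
        "expiries_within_jump_window": len(hits),
        # True when the SA appears older than its lifetime only because the clock jumped.
        "lifetime_exceeded_by_jump": bool(jumps) and age is not None and age > phase2_lifetime,
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the sample, the script reports a single clock jump of roughly twelve years and an SA "age" of about 4420 days at the moment of expiry, which is why a lifetime measured in hours is exceeded the instant the clock is corrected. Running the same check against the full log from a field unit separates this clock-driven expiry from an ordinary lifetime expiry or a peer-initiated delete.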

New Member

SA520 IPSec tunnel fails to reassociate

I am having the same issue. Did you ever find a solution? I am finding that it is happening on several of the units we bought. I am wondering if you found a solution?  Thanks

New Member

SA520 IPSec tunnel fails to reassociate

No solution; warranty on these SMB devices is apparently 3 months and had expired before I got my 2 test SA520s configured and deployed.

Considering little or zero suggestions on this board, I suspect there aren't very many people out there running these in similar scenarios.  The firmware that came on the SA520 originally was buggy on half of the features.  The upgrade fixed most of the wireless and VLAN issues and improved the IPsec, but all of them still have buggy features.

New Member

SA520 IPSec tunnel fails to reassociate

I am having the same problem.  Any workable resolution?  I sent you a PM but wasn't sure if you would be notified.  Thanks

Bronze

SA520 IPSec tunnel fails to reassociate

Hello,

It looks from the logs like you have 2 VPN tunnels that both expired their Phase 1 SA at the same time. It looks like after the SA expired for both tunnels, the SA could not find a matching policy on the remote devices to re-establish the tunnel, for whatever reason. It is possible that the other side of the tunnels didn't remove their SAs or something has changed in the policy.

You could make sure the policies match on both sides, turn off PFS, and turn on DPD on both sides. Make sure the lifetimes match on both sides as well.

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security
