ASA 5510 s2s vpn to Checkpoint issues

cravenids
Level 1

Hi,

We are currently experiencing some issues with one of our site-to-site VPNs. The other end is running a Checkpoint firewall.

The connection comes up normally and functions as it should; however, every now and then the following error message starts spamming our logs:

2014-08-06 23:54:34 UTC,Local4.Debug,192.168.33.1,"Aug 07 2014 01:54:34: %ASA-7-714003: IP = x.x.x.142, IKE Responder starting QM: msg id = 5dc66399"
2014-08-06 23:54:34 UTC,Local4.Debug,192.168.33.1,"Aug 07 2014 01:54:34: %ASA-7-713236: IP = x.x.x.142, IKE_DECODE RECEIVED Message (msgid=5dc66399) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 288"
2014-08-06 23:54:34 UTC,Local4.Debug,192.168.33.1,"Aug 07 2014 01:54:34: %ASA-7-715047: Group = x.x.x.142, IP = x.x.x.142, processing hash payload"
2014-08-06 23:54:34 UTC,Local4.Debug,192.168.33.1,"Aug 07 2014 01:54:34: %ASA-7-715047: Group = x.x.x.142, IP = x.x.x.142, processing SA payload"
2014-08-06 23:54:34 UTC,Local4.Debug,192.168.33.1,"Aug 07 2014 01:54:34: %ASA-7-715047: Group = x.x.x.142, IP = x.x.x.142, processing nonce payload"
2014-08-06 23:54:34 UTC,Local4.Debug,192.168.33.1,"Aug 07 2014 01:54:34: %ASA-7-715047: Group = x.x.x.142, IP = x.x.x.142, processing ke payload"
2014-08-06 23:54:34 UTC,Local4.Debug,192.168.33.1,"Aug 07 2014 01:54:34: %ASA-7-713906: Group = x.x.x.142, IP = x.x.x.142, processing ISA_KE for PFS in phase 2"
2014-08-06 23:54:34 UTC,Local4.Debug,192.168.33.1,"Aug 07 2014 01:54:34: %ASA-7-715047: Group = x.x.x.142, IP = x.x.x.142, processing ID payload"
2014-08-06 23:54:34 UTC,Local4.Debug,192.168.33.1,"Aug 07 2014 01:54:34: %ASA-7-714011: Group = x.x.x.142, IP = x.x.x.142, ID_IPV4_ADDR_SUBNET ID received--10.100.248.0--255.255.248.0"
2014-08-06 23:54:34 UTC,Local4.Debug,192.168.33.1,"Aug 07 2014 01:54:34: %ASA-7-713035: Group = x.x.x.142, IP = x.x.x.142, Received remote IP Proxy Subnet data in ID Payload:   Address 10.100.248.0, Mask 255.255.248.0, Protocol 0, Port 0"
2014-08-06 23:54:34 UTC,Local4.Debug,192.168.33.1,"Aug 07 2014 01:54:34: %ASA-7-715047: Group = x.x.x.142, IP = x.x.x.142, processing ID payload"
2014-08-06 23:54:34 UTC,Local4.Debug,192.168.33.1,"Aug 07 2014 01:54:34: %ASA-7-714011: Group = x.x.x.142, IP = x.x.x.142, ID_IPV4_ADDR_SUBNET ID received--192.168.72.0--255.255.255.0"
2014-08-06 23:54:34 UTC,Local4.Debug,192.168.33.1,"Aug 07 2014 01:54:34: %ASA-7-713034: Group = x.x.x.142, IP = x.x.x.142, Received local IP Proxy Subnet data in ID Payload:   Address 192.168.72.0, Mask 255.255.255.0, Protocol 0, Port 0"
2014-08-06 23:54:34 UTC,Local4.Debug,192.168.33.1,"Aug 07 2014 01:54:34: %ASA-7-713906: Group = x.x.x.142, IP = x.x.x.142, QM IsRekeyed sa already being rekeyed"
2014-08-06 23:54:34 UTC,Local4.Error,192.168.33.1,"Aug 07 2014 01:54:34: %ASA-3-713902: Group = x.x.x.142, IP = x.x.x.142, QM FSM error (P2 struct &0xda4f66f8, mess id 0x5dc66399)!"
2014-08-06 23:54:34 UTC,Local4.Debug,192.168.33.1,"Aug 07 2014 01:54:34: %ASA-7-715065: Group = x.x.x.142, IP = x.x.x.142, IKE QM Responder FSM error history (struct &0xda4f66f8)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG"
2014-08-06 23:54:34 UTC,Local4.Debug,192.168.33.1,"Aug 07 2014 01:54:34: %ASA-7-713906: Group = x.x.x.142, IP = x.x.x.142, sending delete/delete with reason message"
2014-08-06 23:54:34 UTC,Local4.Error,192.168.33.1,"Aug 07 2014 01:54:34: %ASA-3-713902: Group = x.x.x.142, IP = x.x.x.142, Removing peer from correlator table failed, no match!"

 

It does not happen every day to the full extent, however; some days the error only occurs once (one error message and no hammering/flooding), and some days it occurs. For instance:

August 7: eleven error messages

August 6: one error message

August 5: no error

August 4: no error

August 1: 100+ error messages in 5 minutes

Has anyone seen this behaviour before? This VPN will be business critical in the future, and with messages like this appearing it does not give me the confidence that we can safely say that all is well.
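The per-day tally and the "hammering/flooding" described in the post can be produced mechanically from this export format instead of by hand. The following Python is an added example, not code from the thread, from Cisco or from Checkpoint: it parses lines in the CSV shape shown above (collector UTC timestamp, facility.severity, syslog source, quoted ASA message), counts %ASA-3-713902 occurrences per UTC day, and flags any five-minute window in which they reach a threshold, which is the pattern worth alerting on rather than the single rekey-race error. The log it runs over is constructed to mimic the daily counts listed in the post (the peer address, P2 struct pointer and message id are copied from the posted lines); the burst threshold of 20 in five minutes is an assumed value, and the two-hour offset between the collector stamp and the ASA's own stamp is taken from the posted lines.

```python
"""Tally and burst-detect %ASA-3-713902 "QM FSM error" messages from a syslog CSV export."""
import re
from collections import Counter
from datetime import datetime, timedelta

# One line of the export format shown in the thread (collector UTC stamp, facility.severity,
# syslog source, then the ASA's own message in quotes). Copied from the post for the parser test.
THREAD_LINE = ('2014-08-06 23:54:34 UTC,Local4.Error,192.168.33.1,"Aug 07 2014 01:54:34: '
               '%ASA-3-713902: Group = x.x.x.142, IP = x.x.x.142, '
               'QM FSM error (P2 struct &0xda4f66f8, mess id 0x5dc66399)!"')

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC,'
    r'(?P<facility>\w+)\.(?P<level>\w+),'
    r'(?P<source>[\d.]+),"(?P<msg>.*)"$'
)
MSGID_RE = re.compile(r'%ASA-(?P<sev>\d)-(?P<id>\d{6}):')   # e.g. %ASA-3-713902:
PEER_RE = re.compile(r'IP = (?P<peer>[^,]+)')               # peer address, trailing comma excluded


def parse_line(line):
    """Parse one export line into a dict (ts, level, sev, id, peer, msg); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    mid = MSGID_RE.search(m["msg"])
    peer = PEER_RE.search(m["msg"])
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "level": m["level"],
        "sev": mid["sev"] if mid else None,
        "id": mid["id"] if mid else None,
        "peer": peer["peer"] if peer else None,
        "msg": m["msg"],
    }


def count_per_day(records, msg_id="713902"):
    """Per-day tally (collector UTC date) of one syslog id, the count the poster kept by hand."""
    return Counter(r["ts"].date().isoformat() for r in records if r["id"] == msg_id)


def find_bursts(records, msg_id="713902", window=timedelta(minutes=5), threshold=20):
    """Sliding-window flood check: (window start, count) for each window reaching the threshold.
    After reporting a window the scan skips past it, so one flood yields one report."""
    times = sorted(r["ts"] for r in records if r["id"] == msg_id)
    bursts, i = [], 0
    while i < len(times):
        j = i
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        if j - i >= threshold:
            bursts.append((times[i], j - i))
            i = j
        else:
            i += 1
    return bursts


def _line(ts, level, sev, msg_id, text):
    """Constructed line in the export format; the ASA stamp runs two hours ahead of the
    collector's UTC stamp, as in the posted lines."""
    asa_ts = (ts + timedelta(hours=2)).strftime("%b %d %Y %H:%M:%S")
    return (f'{ts:%Y-%m-%d %H:%M:%S} UTC,Local4.{level},192.168.33.1,'
            f'"{asa_ts}: %ASA-{sev}-{msg_id}: Group = x.x.x.142, IP = x.x.x.142, {text}"')


ERR = "QM FSM error (P2 struct &0xda4f66f8, mess id 0x5dc66399)!"
REKEY = "QM IsRekeyed sa already being rekeyed"


def build_sample():
    """Constructed sample log (not real data) shaped like the daily pattern listed in the post."""
    lines = []
    start = datetime(2014, 8, 1, 10, 0, 0)
    for n in range(120):                              # Aug 1: 120 errors inside four minutes
        lines.append(_line(start + timedelta(seconds=2 * n), "Error", 3, "713902", ERR))
    for day in (4, 5):                                # Aug 4-5: rekeys logged, no errors
        lines.append(_line(datetime(2014, 8, day, 3, 0, 0), "Debug", 7, "713906", REKEY))
    lines.append(_line(datetime(2014, 8, 6, 23, 54, 34), "Error", 3, "713902", ERR))  # Aug 6: one
    for hour in range(11):                            # Aug 7: eleven, spread across the day
        lines.append(_line(datetime(2014, 8, 7, hour, 15, 0), "Error", 3, "713902", ERR))
    return lines


def summarize(lines):
    """Parse, tally per day and flag floods; returns (per-day Counter, burst list)."""
    records = [r for r in map(parse_line, lines) if r is not None]
    return count_per_day(records), find_bursts(records)


if __name__ == "__main__":
    per_day, bursts = summarize(build_sample())
    for day in sorted(per_day):
        print(f"{day}: {per_day[day]} x 713902")
    for start, count in bursts:
        print(f"FLOOD: {count} errors within 5 min starting {start:%Y-%m-%d %H:%M:%S} UTC")
```

Run against a real export by replacing build_sample() with the file's lines; a single 713902 per rekey on a day is the race the replies describe, whereas a window that trips find_bursts is the case to correlate with link errors and MTU, since it points at repeated rekey failures rather than one collision.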

 

 

 

2 Replies

nkarthikeyan
Level 7

Hi,

That is because you have enabled debug logging on your ASA, which is why you are getting the VPN logs:

logging monitor debugging
logging buffered debugging
logging trap debugging

This might be because of a rekey happening on the tunnel. I think you do not need to worry much about this until your tunnel flaps very often.

Regards

Karthik

Tagir Temirgaliyev
Spotlight

Ask your provider to check for errors at the physical level: patch cords and connectors.

IPsec rekeying is happening because sometimes it receives a bad packet.

Do a ping from endpoint to endpoint with the validate option and sizes 1300 and 1400.

Check the MTU.

And don't forget to rate the post.