Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
396
Views
0
Helpful
1
Replies

ASA5510 : dynamic vpn problem

Thotsaphon Lueangwattanaphong
Level 7
Level 7

‎11-01-2008 07:38 AM

hi all,

I'm using ASA5510 and Zyxel routers to do site-to-site vpn. Because all of Zyxel routers are using ADSL(dynamic IP address). I decided to use dynamic vpn on the ASA. The serious problem is that when the tunnels have been built and then some tunnel will be brought down . I tried to debug. The messages are as follows:

Oct 29 13:27:16 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x62b09b4d

Oct 29 13:27:16 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=ee723a0d) with payloads : HDR + HASH (8) + DELETE (1

2) + NONE (0) total length : 76

Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, processing hash payload

Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, processing delete

Oct 29 13:27:16 [IKEv1]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, Connection terminated for peer DefaultL2LGroup. Reason: Peer

Terminate Remote Proxy N/A, Local Proxy N/A

Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, sending delete/delete with reason message

Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, constructing blank hash payload

Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, constructing IPSec delete payload

Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, constructing qm hash payload

Oct 29 13:27:16 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=507e92d8) with payloads : HDR + HASH (8) + DELETE (12

) + NONE (0) total length : 64

Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, Active unit receives a delete event for remote peer xx.xx.xx.xx

Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, IKE Deleting SA: Remote Proxy 192.3.11.0, Local Proxy 17

2.16.0.0

Oct 29 13:27:16 [IKEv1]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, Deleting static route for L2L peer that came in on a dynamic m

ap. address: 192.3.11.0, mask: 255.255.255.0

I'm not sure why the Zyxel sent the delete message to the ASA. Then ASA processes that message. As a result, The tunnel has to be re-built.

It always happens. Normally, it should not be a problem as long as the tunnel is still up and packets are being passed through the tunnel.

Please help.

Rgds

Toshi

Labels:
0 Helpful
1 Reply 1

Thotsaphon Lueangwattanaphong
Level 7
Level 7

‎11-03-2008 07:44 AM

hi again,

I just changed from ASA to ISR router(IOS Sec). Router did okay although it got lots of error messages. The tunnel is still up though.

F.e. Router Error.

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=y.y.y.y, prot=50, spi=0x28DA0254(685376084), srcaddr=x.x.x.x

I configured as this link,http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

Any idea?

Thanks in advance

Toshi

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents