12-06-2011 12:59 AM
Hi,
I have a Cisco 1841 router configured as Easy VPN Server. Here is the configuration of the router:
Cisco#
Cisco#show running-config
Building configuration...

Current configuration : 6120 bytes
!
! Last configuration change at 08:40:15 UTC Tue Dec 6 2011 by root
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$Xgf9$MKt1eImjyrmDwcYnbz0xZ/
enable password 6y5t4r3e2w1q
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-947142914
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-947142914
 revocation-check none
 rsakeypair TP-self-signed-947142914
!
!
crypto pki certificate chain TP-self-signed-947142914
 certificate self-signed 01
 quit
!
!
username root privilege 15 password 0 6y5t4r3e2w1q
username admin secret 5 $1$78MV$Yc7sfwt5PoEm.eKmjPlKw1
username test privilege 15 password 0 test_123
!
redundancy
!
!
!
crypto ctcp keepalive 8
crypto ctcp port 443
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 20 6
!
crypto isakmp client configuration group cisco
 key 6y5t4r3e2w1q
 dns 8.8.8.8
 domain cisco.com
 pool SDM_POOL_client
 max-users 1000
 netmask 255.255.255.0
!
crypto isakmp client configuration group server_1
 key 6y5t4r3e2w1q
 dns 8.8.8.8
 domain cisco.com
 pool SDM_POOL_server_1
 netmask 255.255.255.0
!
crypto isakmp client configuration group server_2
 key 6y5t4r3e2w1q
 dns 8.8.8.8
 domain cisco.com
 pool SDM_POOL_server_2
 netmask 255.255.255.0
!
crypto isakmp client configuration group server_3
 key 6y5t4r3e2w1q
 dns 8.8.8.8
 domain cisco.com
 pool SDM_POOL_server_3
 netmask 255.255.255.0
!
crypto isakmp client configuration group server_4
 key 6y5t4r3e2w1q
 dns 8.8.8.8
 domain cisco.com
 pool SDM_POOL_server_4
 netmask 255.255.255.0
!
crypto isakmp client configuration group server_5
 key 6y5t4r3e2w1q
 dns 8.8.8.8
 domain cisco.com
 pool SDM_POOL_server_5
 netmask 255.255.255.0
!
crypto isakmp client configuration group server_6
 key 6y5t4r3e2w1q
 dns 8.8.8.8
 domain cisco.com
 pool SDM_POOL_server_6
 netmask 255.255.255.0
!
crypto isakmp client configuration group server_7
 key 6y5t4r3e2w1q
 dns 8.8.8.8
 domain cisco.com
 pool SDM_POOL_server_7
 netmask 255.255.255.0
!
crypto isakmp client configuration group server_8
 key 6y5t4r3e2w1q
 dns 8.8.8.8
 domain cisco.com
 pool SDM_POOL_server_8
 netmask 255.255.255.0
!
crypto isakmp client configuration group server_9
 key 6y5t4r3e2w1q
 dns 8.8.8.8
 domain cisco.com
 pool SDM_POOL_server_9
 netmask 255.255.255.0
!
crypto isakmp client configuration group server_10
 key 6y5t4r3e2w1q
 dns 8.8.8.8
 domain cisco.com
 pool SDM_POOL_server_10
 netmask 255.255.255.0
!
crypto ipsec security-association lifetime seconds 1800
crypto ipsec security-association idle-time 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 local-address FastEthernet0/0
crypto map SDM_CMAP_1 client authentication list ciscocp_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list ciscocp_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
!
interface Loopback0
 ip address 172.16.0.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.1.130 255.255.255.0
 ip flow ingress
 speed auto
 full-duplex
 no mop enabled
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 no ip address
 shutdown
 speed auto
 full-duplex
 no mop enabled
!
ip local pool SDM_POOL_client 10.10.10.51 10.10.10.190
ip local pool SDM_POOL_server_1 10.10.10.1
ip local pool SDM_POOL_server_2 10.10.10.2
ip local pool SDM_POOL_server_3 10.10.10.3
ip local pool SDM_POOL_server_4 10.10.10.4
ip local pool SDM_POOL_server_5 10.10.10.5
ip local pool SDM_POOL_server_6 10.10.10.6
ip local pool SDM_POOL_server_7 10.10.10.7
ip local pool SDM_POOL_server_8 10.10.10.8
ip local pool SDM_POOL_server_9 10.10.10.9
ip local pool SDM_POOL_server_10 10.10.10.10
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
logging esm config
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 10.10.0.0 0.0.255.255 any
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 password 6y5t4r3e2w1q
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
I have a CentOS 5.7 server with the Cisco VPN client for Linux installed. The client successfully connects to the VPN server, but after 15 minutes the connection is dropped.
Here is the configuration file of the Cisco VPN client:
[main]
Description=
Host=123.123.123.123
AuthType=1
GroupName=server_6
GroupPwd=
enc_GroupPwd=209416720617C5CB98F135AE75F22323DD2BBB8286114D242BE1BA95B80A57018609B62E7C56C105A71FDDCC0D6DB1670D8BDD6792A494A1
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPPhonebook=
ISPCommand=
Username=test
SaveUserPassword=0
UserPassword=
enc_UserPassword=
NTDomain=
EnableBackup=1
BackupServer=123.123.123.123
EnableMSLogon=1
MSLogonType=0
EnableNat=1
TunnelingMode=1
TcpTunnelingPort=443
EnableLocalLAN=1
ForceKeepAlives=1
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
SendCertChain=0
PeerTimeout=480
EnableLocalLAN=1
And here is the log file of the client: see the attached file.
The client always disconnects after ~15:25 minutes.
I'm sure that I made a mistake in the configuration. I need to configure the client to keep the VPN connection up indefinitely. Can you help me fix the problem?
Best wishes
Peter
P.S. This is the output from the router's monitoring terminal:
*Dec 6 11:25:49.669: cTCP: Handshake done with 212.39.64.67:48437, packet came thru!
*Dec 6 11:25:49.669: cTCP: DATA from 212.39.64.67:48437
*Dec 6 11:26:16.645: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.1.130, prot=50, spi=0x48B4A4F5(1219798261), srcaddr=78.130.133.76, input interface=FastEthernet0/0
Cisco#
Cisco#
Cisco#
Cisco#
*Dec 6 11:27:16.977: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.1.130, prot=50, spi=0x48B4A4F5(1219798261), srcaddr=78.130.133.76, input interface=FastEthernet0/0
*Dec 6 11:28:17.333: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.1.130, prot=50, spi=0x48B4A4F5(1219798261), srcaddr=78.130.133.76, input interface=FastEthernet0/0
*Dec 6 11:29:17.645: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.1.130, prot=50, spi=0x48B4A4F5(1219798261), srcaddr=78.130.133.76, input interface=FastEthernet0/0
*Dec 6 11:30:17.953: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.1.130, prot=50, spi=0x48B4A4F5(1219798261), srcaddr=78.130.133.76, input interface=FastEthernet0/0
*Dec 6 11:30:50.645: cTCP: Connection[6835B330] 212.39.64.67:48437 192.168.1.130:443: found
*Dec 6 11:30:50.645: cTCP: Handshake done with 212.39.64.67:48437, packet came thru!
*Dec 6 11:30:50.645: cTCP: DATA from 212.39.64.67:48437
*Dec 6 11:31:18.281: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.1.130, prot=50, spi=0x48B4A4F5(1219798261), srcaddr=78.130.133.76, input interface=FastEthernet0/0
*Dec 6 11:31:28.209: cTCP: Connection[6835B330] 212.39.64.67:48437 192.168.1.130:443: found
*Dec 6 11:31:28.209: cTCP: updating PEER Seq number to 101040C
*Dec 6 11:31:28.209: cTCP: Pak with contiguous buffer
*Dec 6 11:31:28.209: cTCP: mangling IKE packet from peer: 212.39.64.67:30506->48437 192.168.1.130:500->500
*Dec 6 11:31:28.209: cTCP: Connection[6835B330] 212.39.64.67:48437 192.168.1.130:443: found
*Dec 6 11:31:28.209: cTCP: updating PEER Seq number to 1010478
*Dec 6 11:31:28.209: cTCP: Pak with contiguous buffer
*Dec 6 11:31:28.209: cTCP: mangling IKE packet from peer: 212.39.64.67:30506->48437 192.168.1.130:500->500
*Dec 6 11:31:28.217: cTCP: demangling outbound IKE packet: 192.168.1.130:500->500 212.39.64.67:48437->30506
*Dec 6 11:31:28.217: cTCP: encapsulating IKE packet
*Dec 6 11:31:28.217: cTCP: updating LOCAL Seq number to AB07440C
*Dec 6 11:31:28.221: cTCP: Sending (AB07440C)RST(1010479) to 212.39.64.67:48437
*Dec 6 11:31:28.221: cTCP: Connection[6835B330] 212.39.64.67:48437 192.168.1.130:443: successfully removed
*Dec 6 11:31:28.225: cTCP: Connection[0] 212.39.64.67:48437 192.168.1.130:443: NOT found
*Dec 6 11:31:28.225: cTCP: Packet [212.39.64.67:48437 192.168.1.130:443:], no existing connection
*Dec 6 11:32:18.609: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.1.130, prot=50, spi=0x48B4A4F5(1219798261), srcaddr=78.130.133.76, input interface=FastEthernet0/0
Cisco#
*Dec 6 14:35:12.939: cTCP: Connection[674025BC] 212.39.64.67:13728 192.168.1.130:443: found
*Dec 6 14:35:12.939: cTCP: updating PEER Seq number to 100334E
*Dec 6 14:35:12.939: cTCP: Pak with contiguous buffer
*Dec 6 14:35:12.939: cTCP: mangling IKE packet from peer: 212.39.64.67:500->13728 192.168.1.130:500->500
*Dec 6 14:35:12.943: ISAKMP (0): received packet from 212.39.64.67 dport 500 sport 13728 Global (N) NEW SA
*Dec 6 14:35:12.943: ISAKMP: Found a peer struct for 212.39.64.67, peer port 13728
*Dec 6 14:35:12.943: ISAKMP: Locking peer struct 0x66DB5ADC, refcount 2 for crypto_isakmp_process_block
*Dec 6 14:35:12.943: ISAKMP:(0):(Re)Setting client xauth list ciscocp_vpn_xauth_ml_1 and state
*Dec 6 14:35:12.943: ISAKMP/xauth: initializing AAA request
*Dec 6 14:35:12.943: ISAKMP: local port 500, remote port 13728
*Dec 6 14:35:12.943: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 68281FF8
*Dec 6 14:35:12.943: ISAKMP:(0): processing SA payload. message ID = 0
*Dec 6 14:35:12.943: ISAKMP:(0): processing ID payload. message ID = 0
*Dec 6 14:35:12.943: ISAKMP (0): ID payload
next-payload : 13
type : 11
group id : server_6
protocol : 17
port : 500
length : 16
*Dec 6 14:35:12.943: ISAKMP:(0):: peer matches *none* of the profiles
*Dec 6 14:35:12.943: ISAKMP:(0): processing vendor id payload
*Dec 6 14:35:12.943: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Dec 6 14:35:12.943: ISAKMP:(0): vendor ID is XAUTH
*Dec 6 14:35:12.943: ISAKMP:(0): processing vendor id payload
*Dec 6 14:35:12.943: ISAKMP:(0): vendor ID is DPD
*Dec 6 14:35:12.943: ISAKMP:(0): processing vendor id payload
*Dec 6 14:35:12.947: ISAKMP:(0): processing IKE frag vendor id payload
*Dec 6 14:35:12.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Dec 6 14:35:12.947: ISAKMP:(0): processing vendor id payload
*Dec 6 14:35:12.947: ISAKMP:(0): vendor ID is Unity
*Dec 6 14:35:12.947: ISAKMP:(0): local preshared key found
*Dec 6 14:35:12.947: ISAKMP:(0): Authentication by xauth preshared
*Dec 6 14:35:12.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Dec 6 14:35:12.947: ISAKMP: encryption 3DES-CBC
*Dec 6 14:35:12.947: ISAKMP: hash SHA
*Dec 6 14:35:12.947: ISAKMP: default group 2
*Dec 6 14:35:12.947: ISAKMP: auth XAUTHInitPreShared
*Dec 6 14:35:12.947: ISAKMP: life type in seconds
*Dec 6 14:35:12.947: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Dec 6 14:35:12.947: ISAKMP:(0):atts are acceptable. Next payload is 0
*Dec 6 14:35:12.947: ISAKMP:(0):Acceptable atts:actual life: 180
*Dec 6 14:35:12.947: ISAKMP:(0):Acceptable atts:life: 0
*Dec 6 14:35:12.947: ISAKMP:(0):Fill atts in sa vpi_length:4
*Dec 6 14:35:12.947: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
*Dec 6 14:35:12.947: ISAKMP:(0):Returning Actual lifetime: 180
*Dec 6 14:35:12.947: ISAKMP:(0)::Started lifetime timer: 180.
*Dec 6 14:35:12.947: ISAKMP:(0): processing KE payload. message ID = 0
*Dec 6 14:35:13.019: ISAKMP:(0): processing NONCE payload. message ID = 0
*Dec 6 14:35:13.023: ISAKMP:(1019):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
*Dec 6 14:35:13.023: ISAKMP (1019): ID payload
next-payload : 10
type : 1
address : 192.168.1.130
protocol : 0
port : 0
length : 12
*Dec 6 14:35:13.023: ISAKMP:(1019):Total payload length: 12
*Dec 6 14:35:13.023: ISAKMP:(1019): sending packet to 212.39.64.67 my_port 500 peer_port 13728 (R) AG_INIT_EXCH
*Dec 6 14:35:13.023: ISAKMP:(1019):Sending an IKE IPv4 Packet.
*Dec 6 14:35:13.023: cTCP: demangling outbound IKE packet: 192.168.1.130:500->500 212.39.64.67:13728->500
*Dec 6 14:35:13.023: cTCP: encapsulating IKE packet
*Dec 6 14:35:13.023: cTCP: updating LOCAL Seq number to 34A69CCF
*Dec 6 14:35:13.023: ISAKMP:(1019):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Dec 6 14:35:13.023: ISAKMP:(1019):Old State = IKE_READY New State = IKE_R_AM2
*Dec 6 14:35:13.039: cTCP: Connection[674025BC] 212.39.64.67:13728 192.168.1.130:443: found
*Dec 6 14:35:13.039: cTCP: updating PEER Seq number to 10033C2
*Dec 6 14:35:13.039: cTCP: Pak with contiguous buffer
*Dec 6 14:35:13.039: cTCP: mangling IKE packet from peer: 212.39.64.67:500->13728 192.168.1.130:500->500
*Dec 6 14:35:13.039: cTCP: sending gratuitous ack
*Dec 6 14:35:13.039: cTCP: Sending (34A69CCF)ACK(10033C3) to 212.39.64.67:13728
*Dec 6 14:35:13.043: ISAKMP (1019): received packet from 212.39.64.67 dport 500 sport 13728 Global (R) AG_INIT_EXCH
*Dec 6 14:35:13.043: ISAKMP:(1019): processing HASH payload. message ID = 0
*Dec 6 14:35:13.043: ISAKMP:(1019):SA authentication status:
authenticated
*Dec 6 14:35:13.043: ISAKMP:(1019):SA has been authenticated with 212.39.64.67
*Dec 6 14:35:13.043: ISAKMP:(1019):Returning Actual lifetime: 180
*Dec 6 14:35:13.043: ISAKMP: set new node -557819266 to CONF_XAUTH
*Dec 6 14:35:13.043: ISAKMP:(1019):Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 1736728448, message ID = 3737148030
*Dec 6 14:35:13.043: ISAKMP:(1019): sending packet to 212.39.64.67 my_port 500 peer_port 13728 (R) QM_IDLE
*Dec 6 14:35:13.043: ISAKMP:(1019):Sending an IKE IPv4 Packet.
*Dec 6 14:35:13.043: cTCP: demangling outbound IKE packet: 192.168.1.130:500->500 212.39.64.67:13728->500
*Dec 6 14:35:13.043: cTCP: encapsulating IKE packet
*Dec 6 14:35:13.043: cTCP: updating LOCAL Seq number to 34A69D43
*Dec 6 14:35:13.043: ISAKMP:(1019):purging node -557819266
*Dec 6 14:35:13.047: ISAKMP: Sending phase 1 responder lifetime 180
*Dec 6 14:35:13.047: ISAKMP:(1019):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Dec 6 14:35:13.047: ISAKMP:(1019):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE
*Dec 6 14:35:13.047: ISAKMP:(1019):Need XAUTH
*Dec 6 14:35:13.047: ISAKMP: set new node -558007585 to CONF_XAUTH
*Dec 6 14:35:13.047: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Dec 6 14:35:13.047: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
*Dec 6 14:35:13.047: ISAKMP:(1019): initiating peer config to 212.39.64.67. ID = 3736959711
*Dec 6 14:35:13.047: ISAKMP:(1019): sending packet to 212.39.64.67 my_port 500 peer_port 13728 (R) CONF_XAUTH
*Dec 6 14:35:13.047: ISAKMP:(1019):Sending an IKE IPv4 Packet.
*Dec 6 14:35:13.047: cTCP: demangling outbound IKE packet: 192.168.1.130:500->500 212.39.64.67:13728->500
*Dec 6 14:35:13.047: cTCP: encapsulating IKE packet
*Dec 6 14:35:13.047: cTCP: updating LOCAL Seq number to 34A69DA7
*Dec 6 14:35:13.047: ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Dec 6 14:35:13.051: ISAKMP:(1019):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT
*Dec 6 14:35:28.047: ISAKMP:(1019): retransmitting phase 2 CONF_XAUTH -558007585 ...
*Dec 6 14:35:28.047: ISAKMP (1019): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Dec 6 14:35:28.047: ISAKMP (1019): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*Dec 6 14:35:28.047: ISAKMP:(1019): retransmitting phase 2 -558007585 CONF_XAUTH
*Dec 6 14:35:28.047: ISAKMP:(1019): sending packet to 212.39.64.67 my_port 500 peer_port 13728 (R) CONF_XAUTH
*Dec 6 14:35:28.047: ISAKMP:(1019):Sending an IKE IPv4 Packet.
*Dec 6 14:35:28.047: cTCP: demangling outbound IKE packet: 192.168.1.130:500->500 212.39.64.67:13728->500
*Dec 6 14:35:28.047: cTCP: encapsulating IKE packet
*Dec 6 14:35:28.047: cTCP: updating LOCAL Seq number to 34A69E0B
*Dec 6 14:35:29.059: cTCP: Connection[674025BC] 212.39.64.67:13728 192.168.1.130:443: found
*Dec 6 14:35:29.059: cTCP: updating PEER Seq number to 100342E
*Dec 6 14:35:29.059: cTCP: Pak with contiguous buffer
*Dec 6 14:35:29.059: cTCP: mangling IKE packet from peer: 212.39.64.67:500->13728 192.168.1.130:500->500
*Dec 6 14:35:29.059: ISAKMP (1019): received packet from 212.39.64.67 dport 500 sport 13728 Global (R) CONF_XAUTH
*Dec 6 14:35:29.059: ISAKMP: set new node -150968825 to CONF_XAUTH
*Dec 6 14:35:29.063: ISAKMP:(1019): processing HASH payload. message ID = 4143998471
*Dec 6 14:35:29.063: ISAKMP:received payload type 18
*Dec 6 14:35:29.063: ISAKMP:(1019):Processing delete with reason payload
*Dec 6 14:35:29.063: ISAKMP:(1019):delete doi = 0
*Dec 6 14:35:29.063: ISAKMP:(1019):delete protocol id = 1
*Dec 6 14:35:29.063: ISAKMP:(1019):delete spi_size = 16
*Dec 6 14:35:29.063: ISAKMP:(1019):delete num spis = 1
*Dec 6 14:35:29.063: ISAKMP:(1019):delete_reason = 2
*Dec 6 14:35:29.063: ISAKMP:(1019): processing DELETE_WITH_REASON payload, message ID = 4143998471, reason: DELETE_BY_USER_COMMAND
*Dec 6 14:35:29.063: ISAKMP:(1019):peer does not do paranoid keepalives.
*Dec 6 14:35:29.063: ISAKMP:(1019):peer does not do paranoid keepalives.
*Dec 6 14:35:29.063: ISAKMP:(1019):deleting SA reason "BY user command" state (R) CONF_XAUTH (peer 212.39.64.67)
*Dec 6 14:35:29.063: ISAKMP:(1019):deleting node -150968825 error FALSE reason "Informational (in) state 1"
*Dec 6 14:35:29.063: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Dec 6 14:35:29.063: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Dec 6 14:35:29.063: IPSEC(key_engine_delete_sas): delete all SAs shared with peer 212.39.64.67
*Dec 6 14:35:29.063: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 192.168.1.130, sa_proto= 50,
sa_spi= 0xB01FC304(2954871556),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2017
sa_lifetime(k/sec)= (4453368/86400),
(identity) local= 192.168.1.130:0, remote= 212.39.64.67:0,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 10.10.10.6/255.255.255.255/0/0 (type=1)
*Dec 6 14:35:29.067: IPSEC(update_current_outbound_sa): updated peer 212.39.64.67 current outbound sa to SPI 0
*Dec 6 14:35:29.067: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 212.39.64.67, sa_proto= 50,
sa_spi= 0x3A900DA4(982519204),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2018
sa_lifetime(k/sec)= (4453368/86400),
(identity) local= 192.168.1.130:0, remote= 212.39.64.67:0,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 10.10.10.6/255.255.255.255/0/0 (type=1)
*Dec 6 14:35:29.067: IPSEC(rte_mgr): VPN Route Event Deleting dynamic maps for peer 212.39.64.67
*Dec 6 14:35:29.067: IPSEC(rte_mgr): VPN Route Refcount 0 FastEthernet0/0
*Dec 6 14:35:29.067: IPSEC(rte_mgr): VPN Route Removed 10.10.10.6 255.255.255.255 via 212.39.64.67 in IP DEFAULT TABLE FastEthernet0/0
*Dec 6 14:35:29.067: ISAKMP: set new node 1474349902 to CONF_XAUTH
*Dec 6 14:35:29.067: ISAKMP:(1019): sending packet to 212.39.64.67 my_port 500 peer_port 13728 (R) CONF_XAUTH
*Dec 6 14:35:29.067: ISAKMP:(1019):Sending an IKE IPv4 Packet.
*Dec 6 14:35:29.067: cTCP: demangling outbound IKE packet: 192.168.1.130:500->500 212.39.64.67:13728->500
*Dec 6 14:35:29.071: cTCP: encapsulating IKE packet
*Dec 6 14:35:29.071: cTCP: updating LOCAL Seq number to 34A69E77
*Dec 6 14:35:29.071: ISAKMP:(1019):purging node 1474349902
*Dec 6 14:35:29.071: ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Dec 6 14:35:29.071: ISAKMP:(1019):Old State = IKE_XAUTH_REQ_SENT New State = IKE_DEST_SA
*Dec 6 14:35:29.071: ISAKMP:(1019):deleting SA reason "BY user command" state (R) CONF_XAUTH (peer 212.39.64.67)
*Dec 6 14:35:29.075: ISAKMP: Unlocking peer struct 0x66DB5ADC for isadb_mark_sa_deleted(), count 1
*Dec 6 14:35:29.075: ISAKMP:(1019):deleting node -558007585 error FALSE reason "IKE deleted"
*Dec 6 14:35:29.075: ISAKMP:(1019):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 6 14:35:29.075: ISAKMP:(1019):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Dec 6 14:35:48.343: ISAKMP:(1018):peer does not do paranoid keepalives.
*Dec 6 14:35:48.343: ISAKMP:(1018):peer does not do paranoid keepalives.
*Dec 6 14:35:48.343: ISAKMP:(1018):deleting SA reason "IKE SA Lifetime Exceeded" state (R) QM_IDLE (peer 212.39.64.67)
*Dec 6 14:35:48.343: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Dec 6 14:35:48.343: IPSec: Key engine got a KEY_MGR_CHECK_MORE_SAS message
*Dec 6 14:35:48.343: ISAKMP (1018): IPSec has no more SA's with this peer. Won't keepalive phase 1.
*Dec 6 14:35:48.343: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Dec 6 14:35:48.343: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Dec 6 14:35:48.343: IPSEC(key_engine_delete_sas): delete all SAs shared with peer 212.39.64.67
*Dec 6 14:35:48.343: ISAKMP: set new node 663093 to CONF_XAUTH
*Dec 6 14:35:48.343: ISAKMP:(1018): sending packet to 212.39.64.67 my_port 500 peer_port 13728 (R) QM_IDLE
*Dec 6 14:35:48.343: ISAKMP:(1018):Sending an IKE IPv4 Packet.
*Dec 6 14:35:48.343: cTCP: demangling outbound IKE packet: 192.168.1.130:500->500 212.39.64.67:13728->500
*Dec 6 14:35:48.347: cTCP: encapsulating IKE packet
*Dec 6 14:35:48.347: cTCP: updating LOCAL Seq number to 34A69EE3
*Dec 6 14:35:48.347: ISAKMP:(1018):purging node 663093
*Dec 6 14:35:48.347: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Dec 6 14:35:48.347: ISAKMP:(1018):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Dec 6 14:35:48.347: ISAKMP:(1018):deleting SA reason "IKE SA Lifetime Exceeded" state (R) QM_IDLE (peer 212.39.64.67)
*Dec 6 14:35:48.347: ISAKMP (1018): returning address 10.10.10.6 to pool
*Dec 6 14:35:48.347: ISAKMP: Unlocking peer struct 0x66DB5ADC for isadb_mark_sa_deleted(), count 0
*Dec 6 14:35:48.347: ISAKMP: returning address 10.10.10.6 to pool
*Dec 6 14:35:48.347: cTCP: Sending (34A69EE3)RST(100342F) to 212.39.64.67:13728
*Dec 6 14:35:48.351: cTCP: Connection[674025BC] 212.39.64.67:13728 192.168.1.130:443: successfully removed
*Dec 6 14:35:48.351: ISAKMP: Deleting peer node by peer_reap for 212.39.64.67: 66DB5ADC
*Dec 6 14:35:48.351: ISAKMP: returning address 10.10.10.6 to pool
*Dec 6 14:35:48.351: ISAKMP:(1018):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 6 14:35:48.351: ISAKMP:(1018):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Dec 6 14:35:48.351: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Dec 6 14:35:49.355: cTCP: Connection[0] 212.39.64.67:13728 192.168.1.130:443: NOT found
*Dec 6 14:35:49.355: cTCP: Packet [212.39.64.67:13728 192.168.1.130:443:], no existing connection
Cisco#
Every time after 15:26 minutes the connection is terminated. Any idea how to fix the problem?
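An added example, not part of the original post: a Python script that pulls the IKE lifetimes, SA teardown reasons and cTCP resets out of router debug output like the one above, so each disconnect can be lined up with the reason the router logged. The sample lines are copied from the post's log; the function names `decode_vpi` and `summarize` are this example's own.

```python
import re

# Subset of the router debug lines shown in the post above.
SAMPLE_LOG = """\
*Dec 6 14:35:12.947: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Dec 6 14:35:12.947: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
*Dec 6 14:35:12.947: ISAKMP:(0):Returning Actual lifetime: 180
*Dec 6 14:35:13.043: ISAKMP:(1019):Returning Actual lifetime: 180
*Dec 6 14:35:29.063: ISAKMP:(1019):deleting SA reason "BY user command" state (R) CONF_XAUTH (peer 212.39.64.67)
*Dec 6 14:35:29.071: ISAKMP:(1019):deleting SA reason "BY user command" state (R) CONF_XAUTH (peer 212.39.64.67)
*Dec 6 14:35:48.343: ISAKMP:(1018):deleting SA reason "IKE SA Lifetime Exceeded" state (R) QM_IDLE (peer 212.39.64.67)
*Dec 6 14:35:48.347: ISAKMP:(1018):deleting SA reason "IKE SA Lifetime Exceeded" state (R) QM_IDLE (peer 212.39.64.67)
*Dec 6 14:35:48.347: cTCP: Sending (34A69EE3)RST(100342F) to 212.39.64.67:13728
"""

LINE = re.compile(r'^\*(\w{3}\s+\d+\s+[\d:.]+):\s+(.*)$')    # "*Dec 6 14:35:12.947: msg"
SA_ID = re.compile(r'^ISAKMP:? ?\((\d+)\)')                  # "ISAKMP:(1019)" or "ISAKMP (1019)"
VPI = re.compile(r'life duration \(VPI\) of ((?:0x[0-9A-Fa-f]+ ?)+)')
LIFETIME = re.compile(r'Returning Actual lifetime: (\d+)')
DELETE = re.compile(r'deleting SA reason "([^"]+)" state \(\w\) (\S+) \(peer ([\d.]+)\)')
RST = re.compile(r'cTCP: Sending \(\w+\)RST\(\w+\) to ([\d.]+):(\d+)')


def decode_vpi(octets: str) -> int:
    """Turn the big-endian octet list of a VPI life duration into seconds."""
    value = 0
    for tok in octets.split():
        value = (value << 8) | int(tok, 16)
    return value


def summarize(log: str) -> dict:
    """Collect lifetimes, SA teardowns and cTCP resets from debug output."""
    out = {"offered_lifetimes": [], "actual_lifetime": {},
           "teardowns": [], "ctcp_resets": []}
    seen = set()
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompts and continuation lines carry no timestamp
        ts, msg = m.groups()
        sa = SA_ID.match(msg)
        sa_id = int(sa.group(1)) if sa else None
        if (v := VPI.search(msg)):
            out["offered_lifetimes"].append(decode_vpi(v.group(1)))
        elif (lt := LIFETIME.search(msg)) and sa_id is not None:
            out["actual_lifetime"][sa_id] = int(lt.group(1))
        elif (d := DELETE.search(msg)):
            reason, state, peer = d.groups()
            if (sa_id, reason) not in seen:  # the router logs each teardown twice
                seen.add((sa_id, reason))
                out["teardowns"].append((ts, sa_id, reason, state, peer))
        elif (r := RST.search(msg)):
            out["ctcp_resets"].append((ts, r.group(1), int(r.group(2))))
    return out


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("offered lifetimes (s):", report["offered_lifetimes"])
    print("actual lifetime per SA (s):", report["actual_lifetime"])
    for ts, sa_id, reason, state, peer in report["teardowns"]:
        print(f"{ts}  SA {sa_id}  {reason!r} in state {state} (peer {peer})")
    for ts, peer, port in report["ctcp_resets"]:
        print(f"{ts}  cTCP RST sent to {peer}:{port}")
```

Run over the full capture, the teardown list gives one line per SA with the logged reason, which can then be compared against the lifetime values the same log reports.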