Cisco VPN server and client - connection drop

derleader111 · ‎12-06-2011

Hi,

I have a Cisco 1841 router configured as Easy VPN Server. Here is the configuration of the router:

Cisco#

Cisco#show running-config

Building configuration... Current configuration : 6120 bytes

!

! Last configuration change at 08:40:15 UTC Tue Dec 6 2011 by root

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Cisco

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$Xgf9$MKt1eImjyrmDwcYnbz0xZ/

enable password 6y5t4r3e2w1q

!

aaa new-model

!

aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

!

aaa session-id common

!

dot11 syslog

ip source-route

!

ip cef

no ipv6 cef

!

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-947142914

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-947142914

revocation-check none

rsakeypair TP-self-signed-947142914

!

crypto pki certificate chain TP-self-signed-947142914

certificate self-signed 01

3082023B 308201A4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 39343731 34123931 34301E17 0D313131 31313532 30353931

325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F

532D5365 6C662D53 69676E65 64234365 72746966 69636174 652D3934 37313432

39313430 819F300D 06092A86 4886F70D 01010105 0003818D 00308689 02848100

B4C6CC16 5EA2210F D4A0234B 90D9E29C E1132F0D 491CC9BC F513EF57 A5986C31

C03BC061 B3B4E103 0005F992 A7CA2605 8C46FCB2 C22AAC4B 739D1DC2 49EA3883

253D553C A1E7BD3A 26D49347 86414B11 5C03F4E6 A4BD5306 CD857F99 0A567B85

FD639414 C2E25161 74A52A7B 32753F25 AE8FDC73 EC859EEC D8A1C9C4 D8A50EED

02030100 01A36530 63300F06 03551D13 0101FF04 05300301 01FF3010 0603551D

11040930 07820543 6973636F 301F0603 551D2304 18301680 14414AD6 2A674283

54CC008C A6B81E1D 7A3B09A4 8C301D06 03551D0E 04160414 414AD62A 67428354

CC008CA6 B81E1D7A 3B09A48C 300D0609 2A864886 F70D0101 04050003 8181007B

00264BAE A55C3CB0 20F83B46 A047F400 3B5748CA D8C64A49 5484FE1E 7588949F

A8E5EBAE BE5FAD22 0C89FC92 671E0BB6 1155EB76 21E72F07 68F76AE3 2F0CB2C6

EC26A8C1 C3EA1300 CE284F9B 3E3F6BB9 7807CF63 8154BC4B AD33392E 68347E0B
F78AE625 818C3A4E 6E0302D8 26DF4890 08E42063 37BF9026 BF4E251D A86EEA
quit

!

! username root privilege 15 password 0 6y5t4r3e2w1q

username admin secret 5 $1$78MV$Yc7sfwt5PoEm.eKmjPlKw1

username test privilege 15 password 0 test_123

!

redundancy

!

crypto ctcp keepalive 8

crypto ctcp port 443

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp keepalive 20 6

!

crypto isakmp client configuration group cisco

key 6y5t4r3e2w1q

dns 8.8.8.8

domain cisco.com

pool SDM_POOL_client

max-users 1000

netmask 255.255.255.0

!

crypto isakmp client configuration group server_1

key 6y5t4r3e2w1q

dns 8.8.8.8

domain cisco.com

pool SDM_POOL_server_1

netmask 255.255.255.0

!

crypto isakmp client configuration group server_2

key 6y5t4r3e2w1q

dns 8.8.8.8

domain cisco.com

pool SDM_POOL_server_2

netmask 255.255.255.0

!

crypto isakmp client configuration group server_3

key 6y5t4r3e2w1q

dns 8.8.8.8

domain cisco.com

pool SDM_POOL_server_3

netmask 255.255.255.0

!

crypto isakmp client configuration group server_4

key 6y5t4r3e2w1q

dns 8.8.8.8

domain cisco.com

pool SDM_POOL_server_4

netmask 255.255.255.0

!

crypto isakmp client configuration group server_5

key 6y5t4r3e2w1q

dns 8.8.8.8

domain cisco.com

pool SDM_POOL_server_5

netmask 255.255.255.0

!

crypto isakmp client configuration group server_6

key 6y5t4r3e2w1q

dns 8.8.8.8

domain cisco.com

pool SDM_POOL_server_6

netmask 255.255.255.0

!

crypto isakmp client configuration group server_7

key 6y5t4r3e2w1q

dns 8.8.8.8

domain cisco.com

pool SDM_POOL_server_7

netmask 255.255.255.0

!

crypto isakmp client configuration group server_8
key 6y5t4r3e2w1q

dns 8.8.8.8

domain cisco.com

pool SDM_POOL_server_8

netmask 255.255.255.0

!

crypto isakmp client configuration group server_9

key 6y5t4r3e2w1q

dns 8.8.8.8

domain cisco.com

pool SDM_POOL_server_9

netmask 255.255.255.0

!

crypto isakmp client configuration group server_10

key 6y5t4r3e2w1q

dns 8.8.8.8

domain cisco.com

pool SDM_POOL_server_10

netmask 255.255.255.0

!

crypto ipsec security-association lifetime seconds 1800

crypto ipsec security-association idle-time 86400

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set ESP-3DES-SHA

reverse-route

!
!

crypto map SDM_CMAP_1 local-address FastEthernet0/0

crypto map SDM_CMAP_1 client authentication list ciscocp_vpn_xauth_ml_1

crypto map SDM_CMAP_1 isakmp authorization list ciscocp_vpn_group_ml_1

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

interface Loopback0

ip address 172.16.0.1 255.255.255.255

!

interface FastEthernet0/0

ip address 192.168.1.130 255.255.255.0

ip flow ingress

speed auto

full-duplex

no mop enabled

crypto map SDM_CMAP_1

!

interface FastEthernet0/1
no ip address

shutdown

speed auto

full-duplex

no mop enabled

!

ip local pool SDM_POOL_client 10.10.10.51 10.10.10.190

ip local pool SDM_POOL_server_1 10.10.10.1

ip local pool SDM_POOL_server_2 10.10.10.2

ip local pool SDM_POOL_server_3 10.10.10.3

ip local pool SDM_POOL_server_4 10.10.10.4

ip local pool SDM_POOL_server_5 10.10.10.5

ip local pool SDM_POOL_server_6 10.10.10.6

ip local pool SDM_POOL_server_7 10.10.10.7

ip local pool SDM_POOL_server_8 10.10.10.8

ip local pool SDM_POOL_server_9 10.10.10.9

ip local pool SDM_POOL_server_10 10.10.10.10

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 192.168.1.1

!

logging esm config

access-list 100 remark CCP_ACL Category=4

access-list 100 permit ip 10.10.0.0 0.0.255.255 any

!

control-plane

!

line con 0

line aux 0

line vty 0 4

password 6y5t4r3e2w1q

transport input telnet ssh

!

scheduler allocate 20000 1000

end

I have a Centos 5.7 server with installed Cisco VPN client for Linux. The client successfully connects to the VPN server but after 15 minutes the connection is droped.

Here is the configuration file of the Cisco VPN client:

[main]
Description=
Host=123.123.123.123
AuthType=1
GroupName=server_6
GroupPwd=
enc_GroupPwd=209416720617C5CB98F135AE75F22323DD2BBB8286114D242BE1BA95B80A57018609B62E7C56C105A71FDDCC0D6DB1670D8BDD6792A494A1EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPPhonebook=
ISPCommand=Username=test
SaveUserPassword=0UserPassword=
enc_UserPassword=NTDomain=
EnableBackup=1BackupServer=123.123.123.123
EnableMSLogon=1MSLogonType=0
EnableNat=1TunnelingMode=1
TcpTunnelingPort=443EnableLocalLAN=1
ForceKeepAlives=1CertStore=0
CertName=CertPath=
CertSubjectName=CertSerialHash=00000000000000000000000000000000
SendCertChain=0PeerTimeout=480
EnableLocalLAN=1ertSubjectName=
CertSerialHash=00000000000000000000000000000000SendCertChain=0
PeerTimeout=480EnableLocalLAN=1
rtSubjectName=CertSerialHash=00000000000000000000000000000000
SendCertChain=0PeerTimeout=480
EnableLocalLAN=1

And here is the log file of the of the client: see the attached file

The client allways disconnects after ~ 15:25 minutes.

I'm sure that I made a mistake into the configuration. I need to configure the client to keep the VPN connection infinite. Can you help me to fix the problem.

Best wishes

Peter

p.s this is the output from the router's monitoring terminal

*Dec 6 11:25:49.669: cTCP: Handshake done with 212.39.64.67:48437, packet came thru!

*Dec 6 11:25:49.669: cTCP: DATA from 212.39.64.67:48437

*Dec 6 11:26:16.645: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.1.130, prot=50, spi=0x48B4A4F5(1219798261), srcaddr=78.130.133.76, input interface=FastEthernet0/0

Cisco#

*Dec 6 11:27:16.977: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.1.130, prot=50, spi=0x48B4A4F5(1219798261), srcaddr=78.130.133.76, input interface=FastEthernet0/0

*Dec 6 11:28:17.333: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.1.130, prot=50, spi=0x48B4A4F5(1219798261), srcaddr=78.130.133.76, input interface=FastEthernet0/0

*Dec 6 11:29:17.645: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.1.130, prot=50, spi=0x48B4A4F5(1219798261), srcaddr=78.130.133.76, input interface=FastEthernet0/0

*Dec 6 11:30:17.953: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.1.130, prot=50, spi=0x48B4A4F5(1219798261), srcaddr=78.130.133.76, input interface=FastEthernet0/0

*Dec 6 11:30:50.645: cTCP: Connection[6835B330] 212.39.64.67:48437 192.168.1.130:443: found

*Dec 6 11:30:50.645: cTCP: Handshake done with 212.39.64.67:48437, packet came thru!

*Dec 6 11:30:50.645: cTCP: DATA from 212.39.64.67:48437

*Dec 6 11:31:18.281: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.1.130, prot=50, spi=0x48B4A4F5(1219798261), srcaddr=78.130.133.76, input interface=FastEthernet0/0

*Dec 6 11:31:28.209: cTCP: Connection[6835B330] 212.39.64.67:48437 192.168.1.130:443: found

*Dec 6 11:31:28.209: cTCP: updating PEER Seq number to 101040C

*Dec 6 11:31:28.209: cTCP: Pak with contiguous buffer

*Dec 6 11:31:28.209: cTCP: mangling IKE packet from peer: 212.39.64.67:30506->48437 192.168.1.130:500->500

*Dec 6 11:31:28.209: cTCP: Connection[6835B330] 212.39.64.67:48437 192.168.1.130:443: found

*Dec 6 11:31:28.209: cTCP: updating PEER Seq number to 1010478

*Dec 6 11:31:28.209: cTCP: Pak with contiguous buffer

*Dec 6 11:31:28.209: cTCP: mangling IKE packet from peer: 212.39.64.67:30506->48437 192.168.1.130:500->500

*Dec 6 11:31:28.217: cTCP: demangling outbound IKE packet: 192.168.1.130:500->500 212.39.64.67:48437->30506

*Dec 6 11:31:28.217: cTCP: encapsulating IKE packet

*Dec 6 11:31:28.217: cTCP: updating LOCAL Seq number to AB07440C

*Dec 6 11:31:28.221: cTCP: Sending (AB07440C)RST(1010479) to 212.39.64.67:48437

*Dec 6 11:31:28.221: cTCP: Connection[6835B330] 212.39.64.67:48437 192.168.1.130:443: successfully removed

*Dec 6 11:31:28.225: cTCP: Connection[0] 212.39.64.67:48437 192.168.1.130:443: NOT found

*Dec 6 11:31:28.225: cTCP: Packet [212.39.64.67:48437 192.168.1.130:443:], no existing connection

*Dec 6 11:32:18.609: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.1.130, prot=50, spi=0x48B4A4F5(1219798261), srcaddr=78.130.133.76, input interface=FastEthernet0/0

Cisco#

*Dec 6 14:35:12.939: cTCP: Connection[674025BC] 212.39.64.67:13728 192.168.1.130:443: found

*Dec 6 14:35:12.939: cTCP: updating PEER Seq number to 100334E

*Dec 6 14:35:12.939: cTCP: Pak with contiguous buffer

*Dec 6 14:35:12.939: cTCP: mangling IKE packet from peer: 212.39.64.67:500->13728 192.168.1.130:500->500

*Dec 6 14:35:12.943: ISAKMP (0): received packet from 212.39.64.67 dport 500 sport 13728 Global (N) NEW SA

*Dec 6 14:35:12.943: ISAKMP: Found a peer struct for 212.39.64.67, peer port 13728

*Dec 6 14:35:12.943: ISAKMP: Locking peer struct 0x66DB5ADC, refcount 2 for crypto_isakmp_process_block

*Dec 6 14:35:12.943: ISAKMP:(0):(Re)Setting client xauth list ciscocp_vpn_xauth_ml_1 and state

*Dec 6 14:35:12.943: ISAKMP/xauth: initializing AAA request

*Dec 6 14:35:12.943: ISAKMP: local port 500, remote port 13728

*Dec 6 14:35:12.943: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 68281FF8

*Dec 6 14:35:12.943: ISAKMP:(0): processing SA payload. message ID = 0

*Dec 6 14:35:12.943: ISAKMP:(0): processing ID payload. message ID = 0

*Dec 6 14:35:12.943: ISAKMP (0): ID payload

next-payload : 13

type : 11

group id : server_6

protocol : 17

port : 500

length : 16

*Dec 6 14:35:12.943: ISAKMP:(0):: peer matches *none* of the profiles

*Dec 6 14:35:12.943: ISAKMP:(0): processing vendor id payload

*Dec 6 14:35:12.943: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch

*Dec 6 14:35:12.943: ISAKMP:(0): vendor ID is XAUTH

*Dec 6 14:35:12.943: ISAKMP:(0): processing vendor id payload

*Dec 6 14:35:12.943: ISAKMP:(0): vendor ID is DPD

*Dec 6 14:35:12.943: ISAKMP:(0): processing vendor id payload

*Dec 6 14:35:12.947: ISAKMP:(0): processing IKE frag vendor id payload

*Dec 6 14:35:12.947: ISAKMP:(0):Support for IKE Fragmentation not enabled

*Dec 6 14:35:12.947: ISAKMP:(0): processing vendor id payload

*Dec 6 14:35:12.947: ISAKMP:(0): vendor ID is Unity

*Dec 6 14:35:12.947: ISAKMP:(0): local preshared key found

*Dec 6 14:35:12.947: ISAKMP:(0): Authentication by xauth preshared

*Dec 6 14:35:12.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

*Dec 6 14:35:12.947: ISAKMP: encryption 3DES-CBC

*Dec 6 14:35:12.947: ISAKMP: hash SHA

*Dec 6 14:35:12.947: ISAKMP: default group 2

*Dec 6 14:35:12.947: ISAKMP: auth XAUTHInitPreShared

*Dec 6 14:35:12.947: ISAKMP: life type in seconds

*Dec 6 14:35:12.947: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

*Dec 6 14:35:12.947: ISAKMP:(0):atts are acceptable. Next payload is 0

*Dec 6 14:35:12.947: ISAKMP:(0):Acceptable atts:actual life: 180

*Dec 6 14:35:12.947: ISAKMP:(0):Acceptable atts:life: 0

*Dec 6 14:35:12.947: ISAKMP:(0):Fill atts in sa vpi_length:4

*Dec 6 14:35:12.947: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483

*Dec 6 14:35:12.947: ISAKMP:(0):Returning Actual lifetime: 180

*Dec 6 14:35:12.947: ISAKMP:(0)::Started lifetime timer: 180.

*Dec 6 14:35:12.947: ISAKMP:(0): processing KE payload. message ID = 0

*Dec 6 14:35:13.019: ISAKMP:(0): processing NONCE payload. message ID = 0

*Dec 6 14:35:13.023: ISAKMP:(1019):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR

*Dec 6 14:35:13.023: ISAKMP (1019): ID payload

next-payload : 10

type : 1

address : 192.168.1.130

protocol : 0

port : 0

length : 12

*Dec 6 14:35:13.023: ISAKMP:(1019):Total payload length: 12

*Dec 6 14:35:13.023: ISAKMP:(1019): sending packet to 212.39.64.67 my_port 500 peer_port 13728 (R) AG_INIT_EXCH

*Dec 6 14:35:13.023: ISAKMP:(1019):Sending an IKE IPv4 Packet.

*Dec 6 14:35:13.023: cTCP: demangling outbound IKE packet: 192.168.1.130:500->500 212.39.64.67:13728->500

*Dec 6 14:35:13.023: cTCP: encapsulating IKE packet

*Dec 6 14:35:13.023: cTCP: updating LOCAL Seq number to 34A69CCF

*Dec 6 14:35:13.023: ISAKMP:(1019):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH

*Dec 6 14:35:13.023: ISAKMP:(1019):Old State = IKE_READY New State = IKE_R_AM2

*Dec 6 14:35:13.039: cTCP: Connection[674025BC] 212.39.64.67:13728 192.168.1.130:443: found

*Dec 6 14:35:13.039: cTCP: updating PEER Seq number to 10033C2

*Dec 6 14:35:13.039: cTCP: Pak with contiguous buffer

*Dec 6 14:35:13.039: cTCP: mangling IKE packet from peer: 212.39.64.67:500->13728 192.168.1.130:500->500

*Dec 6 14:35:13.039: cTCP: sending gratuitous ack

*Dec 6 14:35:13.039: cTCP: Sending (34A69CCF)ACK(10033C3) to 212.39.64.67:13728

*Dec 6 14:35:13.043: ISAKMP (1019): received packet from 212.39.64.67 dport 500 sport 13728 Global (R) AG_INIT_EXCH

*Dec 6 14:35:13.043: ISAKMP:(1019): processing HASH payload. message ID = 0

*Dec 6 14:35:13.043: ISAKMP:(1019):SA authentication status:

authenticated

*Dec 6 14:35:13.043: ISAKMP:(1019):SA has been authenticated with 212.39.64.67

*Dec 6 14:35:13.043: ISAKMP:(1019):Returning Actual lifetime: 180

*Dec 6 14:35:13.043: ISAKMP: set new node -557819266 to CONF_XAUTH

*Dec 6 14:35:13.043: ISAKMP:(1019):Sending NOTIFY RESPONDER_LIFETIME protocol 1

spi 1736728448, message ID = 3737148030

*Dec 6 14:35:13.043: ISAKMP:(1019): sending packet to 212.39.64.67 my_port 500 peer_port 13728 (R) QM_IDLE

*Dec 6 14:35:13.043: ISAKMP:(1019):Sending an IKE IPv4 Packet.

*Dec 6 14:35:13.043: cTCP: demangling outbound IKE packet: 192.168.1.130:500->500 212.39.64.67:13728->500

*Dec 6 14:35:13.043: cTCP: encapsulating IKE packet

*Dec 6 14:35:13.043: cTCP: updating LOCAL Seq number to 34A69D43

*Dec 6 14:35:13.043: ISAKMP:(1019):purging node -557819266

*Dec 6 14:35:13.047: ISAKMP: Sending phase 1 responder lifetime 180

*Dec 6 14:35:13.047: ISAKMP:(1019):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH

*Dec 6 14:35:13.047: ISAKMP:(1019):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE

*Dec 6 14:35:13.047: ISAKMP:(1019):Need XAUTH

*Dec 6 14:35:13.047: ISAKMP: set new node -558007585 to CONF_XAUTH

*Dec 6 14:35:13.047: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2

*Dec 6 14:35:13.047: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2

*Dec 6 14:35:13.047: ISAKMP:(1019): initiating peer config to 212.39.64.67. ID = 3736959711

*Dec 6 14:35:13.047: ISAKMP:(1019): sending packet to 212.39.64.67 my_port 500 peer_port 13728 (R) CONF_XAUTH

*Dec 6 14:35:13.047: ISAKMP:(1019):Sending an IKE IPv4 Packet.

*Dec 6 14:35:13.047: cTCP: demangling outbound IKE packet: 192.168.1.130:500->500 212.39.64.67:13728->500

*Dec 6 14:35:13.047: cTCP: encapsulating IKE packet

*Dec 6 14:35:13.047: cTCP: updating LOCAL Seq number to 34A69DA7

*Dec 6 14:35:13.047: ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Dec 6 14:35:13.051: ISAKMP:(1019):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT

*Dec 6 14:35:28.047: ISAKMP:(1019): retransmitting phase 2 CONF_XAUTH -558007585 ...

*Dec 6 14:35:28.047: ISAKMP (1019): incrementing error counter on node, attempt 1 of 5: retransmit phase 2

*Dec 6 14:35:28.047: ISAKMP (1019): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2

*Dec 6 14:35:28.047: ISAKMP:(1019): retransmitting phase 2 -558007585 CONF_XAUTH

*Dec 6 14:35:28.047: ISAKMP:(1019): sending packet to 212.39.64.67 my_port 500 peer_port 13728 (R) CONF_XAUTH

*Dec 6 14:35:28.047: ISAKMP:(1019):Sending an IKE IPv4 Packet.

*Dec 6 14:35:28.047: cTCP: demangling outbound IKE packet: 192.168.1.130:500->500 212.39.64.67:13728->500

*Dec 6 14:35:28.047: cTCP: encapsulating IKE packet

*Dec 6 14:35:28.047: cTCP: updating LOCAL Seq number to 34A69E0B

*Dec 6 14:35:29.059: cTCP: Connection[674025BC] 212.39.64.67:13728 192.168.1.130:443: found

*Dec 6 14:35:29.059: cTCP: updating PEER Seq number to 100342E

*Dec 6 14:35:29.059: cTCP: Pak with contiguous buffer

*Dec 6 14:35:29.059: cTCP: mangling IKE packet from peer: 212.39.64.67:500->13728 192.168.1.130:500->500

*Dec 6 14:35:29.059: ISAKMP (1019): received packet from 212.39.64.67 dport 500 sport 13728 Global (R) CONF_XAUTH

*Dec 6 14:35:29.059: ISAKMP: set new node -150968825 to CONF_XAUTH

*Dec 6 14:35:29.063: ISAKMP:(1019): processing HASH payload. message ID = 4143998471

*Dec 6 14:35:29.063: ISAKMP:received payload type 18

*Dec 6 14:35:29.063: ISAKMP:(1019):Processing delete with reason payload

*Dec 6 14:35:29.063: ISAKMP:(1019):delete doi = 0

*Dec 6 14:35:29.063: ISAKMP:(1019):delete protocol id = 1

*Dec 6 14:35:29.063: ISAKMP:(1019):delete spi_size = 16

*Dec 6 14:35:29.063: ISAKMP:(1019):delete num spis = 1

*Dec 6 14:35:29.063: ISAKMP:(1019):delete_reason = 2

*Dec 6 14:35:29.063: ISAKMP:(1019): processing DELETE_WITH_REASON payload, message ID = 4143998471, reason: DELETE_BY_USER_COMMAND

*Dec 6 14:35:29.063: ISAKMP:(1019):peer does not do paranoid keepalives.

*Dec 6 14:35:29.063: ISAKMP:(1019):deleting SA reason "BY user command" state (R) CONF_XAUTH (peer 212.39.64.67)

*Dec 6 14:35:29.063: ISAKMP:(1019):deleting node -150968825 error FALSE reason "Informational (in) state 1"

*Dec 6 14:35:29.063: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Dec 6 14:35:29.063: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

*Dec 6 14:35:29.063: IPSEC(key_engine_delete_sas): delete all SAs shared with peer 212.39.64.67

*Dec 6 14:35:29.063: IPSEC(delete_sa): deleting SA,

(sa) sa_dest= 192.168.1.130, sa_proto= 50,

sa_spi= 0xB01FC304(2954871556),

sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2017

sa_lifetime(k/sec)= (4453368/86400),

(identity) local= 192.168.1.130:0, remote= 212.39.64.67:0,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 10.10.10.6/255.255.255.255/0/0 (type=1)

*Dec 6 14:35:29.067: IPSEC(update_current_outbound_sa): updated peer 212.39.64.67 current outbound sa to SPI 0

*Dec 6 14:35:29.067: IPSEC(delete_sa): deleting SA,

(sa) sa_dest= 212.39.64.67, sa_proto= 50,

sa_spi= 0x3A900DA4(982519204),

sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2018

sa_lifetime(k/sec)= (4453368/86400),

(identity) local= 192.168.1.130:0, remote= 212.39.64.67:0,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 10.10.10.6/255.255.255.255/0/0 (type=1)

*Dec 6 14:35:29.067: IPSEC(rte_mgr): VPN Route Event Deleting dynamic maps for peer 212.39.64.67

*Dec 6 14:35:29.067: IPSEC(rte_mgr): VPN Route Refcount 0 FastEthernet0/0

*Dec 6 14:35:29.067: IPSEC(rte_mgr): VPN Route Removed 10.10.10.6 255.255.255.255 via 212.39.64.67 in IP DEFAULT TABLE FastEthernet0/0

*Dec 6 14:35:29.067: ISAKMP: set new node 1474349902 to CONF_XAUTH

*Dec 6 14:35:29.067: ISAKMP:(1019): sending packet to 212.39.64.67 my_port 500 peer_port 13728 (R) CONF_XAUTH

*Dec 6 14:35:29.067: ISAKMP:(1019):Sending an IKE IPv4 Packet.

*Dec 6 14:35:29.067: cTCP: demangling outbound IKE packet: 192.168.1.130:500->500 212.39.64.67:13728->500

*Dec 6 14:35:29.071: cTCP: encapsulating IKE packet

*Dec 6 14:35:29.071: cTCP: updating LOCAL Seq number to 34A69E77

*Dec 6 14:35:29.071: ISAKMP:(1019):purging node 1474349902

*Dec 6 14:35:29.071: ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Dec 6 14:35:29.071: ISAKMP:(1019):Old State = IKE_XAUTH_REQ_SENT New State = IKE_DEST_SA

*Dec 6 14:35:29.071: ISAKMP:(1019):deleting SA reason "BY user command" state (R) CONF_XAUTH (peer 212.39.64.67)

*Dec 6 14:35:29.075: ISAKMP: Unlocking peer struct 0x66DB5ADC for isadb_mark_sa_deleted(), count 1

*Dec 6 14:35:29.075: ISAKMP:(1019):deleting node -558007585 error FALSE reason "IKE deleted"

*Dec 6 14:35:29.075: ISAKMP:(1019):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Dec 6 14:35:29.075: ISAKMP:(1019):Old State = IKE_DEST_SA New State = IKE_DEST_SA

*Dec 6 14:35:48.343: ISAKMP:(1018):peer does not do paranoid keepalives.

*Dec 6 14:35:48.343: ISAKMP:(1018):deleting SA reason "IKE SA Lifetime Exceeded" state (R) QM_IDLE (peer 212.39.64.67)

*Dec 6 14:35:48.343: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Dec 6 14:35:48.343: IPSec: Key engine got a KEY_MGR_CHECK_MORE_SAS message

*Dec 6 14:35:48.343: ISAKMP (1018): IPSec has no more SA's with this peer. Won't keepalive phase 1.

*Dec 6 14:35:48.343: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Dec 6 14:35:48.343: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

*Dec 6 14:35:48.343: IPSEC(key_engine_delete_sas): delete all SAs shared with peer 212.39.64.67

*Dec 6 14:35:48.343: ISAKMP: set new node 663093 to CONF_XAUTH

*Dec 6 14:35:48.343: ISAKMP:(1018): sending packet to 212.39.64.67 my_port 500 peer_port 13728 (R) QM_IDLE

*Dec 6 14:35:48.343: ISAKMP:(1018):Sending an IKE IPv4 Packet.

*Dec 6 14:35:48.343: cTCP: demangling outbound IKE packet: 192.168.1.130:500->500 212.39.64.67:13728->500

*Dec 6 14:35:48.347: cTCP: encapsulating IKE packet

*Dec 6 14:35:48.347: cTCP: updating LOCAL Seq number to 34A69EE3

*Dec 6 14:35:48.347: ISAKMP:(1018):purging node 663093

*Dec 6 14:35:48.347: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Dec 6 14:35:48.347: ISAKMP:(1018):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

*Dec 6 14:35:48.347: ISAKMP:(1018):deleting SA reason "IKE SA Lifetime Exceeded" state (R) QM_IDLE (peer 212.39.64.67)

*Dec 6 14:35:48.347: ISAKMP (1018): returning address 10.10.10.6 to pool

*Dec 6 14:35:48.347: ISAKMP: Unlocking peer struct 0x66DB5ADC for isadb_mark_sa_deleted(), count 0

*Dec 6 14:35:48.347: ISAKMP: returning address 10.10.10.6 to pool

*Dec 6 14:35:48.347: cTCP: Sending (34A69EE3)RST(100342F) to 212.39.64.67:13728

*Dec 6 14:35:48.351: cTCP: Connection[674025BC] 212.39.64.67:13728 192.168.1.130:443: successfully removed

*Dec 6 14:35:48.351: ISAKMP: Deleting peer node by peer_reap for 212.39.64.67: 66DB5ADC

*Dec 6 14:35:48.351: ISAKMP: returning address 10.10.10.6 to pool

*Dec 6 14:35:48.351: ISAKMP:(1018):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Dec 6 14:35:48.351: ISAKMP:(1018):Old State = IKE_DEST_SA New State = IKE_DEST_SA

*Dec 6 14:35:48.351: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Dec 6 14:35:49.355: cTCP: Connection[0] 212.39.64.67:13728 192.168.1.130:443: NOT found

*Dec 6 14:35:49.355: cTCP: Packet [212.39.64.67:13728 192.168.1.130:443:], no existing connection

Cisco#

every time after 15:26 minutes the connection is terminated? Any idea how to fix the problem?