Hey everyone, I have an interesting issue with a dynamic to static VPN setup. I currently run a pair of Cisco Pix 515e firewalls in a failover setup. They are running OS 8.0.4 and they run great. I used to have a VPN between these and my office where the remote office had a static IP address. I am moving that to a new connection which uses dynamic IP addresses.
I set up a pre-shared key on the DefaultL2LGroup on the Pix and removed the existing static tunnel-group. I also reconfigured the remote firewall, which is a Netgear firewall, to connect to the Pix. It is still using main mode and the rest of the setup is pretty much the same.
The VPN connection establishes fine and I can pass traffic through it with no issues. The problem is that every 3 minutes and 50 seconds, the VPN will go down for a few seconds. It looks like it rekeys. My stuff will stop responding and then it will re-establish and it is fine. It happens every 3 minutes and 50 seconds like clockwork.
I have checked everything I could think of and am not sure where the issue is. I know I can do detailed debugs on the IPSec but am not sure what I should be looking for there. The basic debug just gives the generic message below that says the tunnel can't communicate with the peer. I have seen that message before but not usually with a VPN that establishes. Generally if this message comes up, the tunnel never works.
Any ideas would be great.
Group = DefaultL2LGroup, IP = X.X.X.X, Removing peer from peer table failed, no match!
Group = DefaultL2LGroup, IP = X.X.X.X, Error: Unable to remove PeerTblEntry
I did more testing and it seems that the tunnel sits at the MM_ACTIVE state and doesn't go past that. The information is the same on both ends of the tunnel and traffic passes fine when at this state, but then it rekeys after about 4 minutes and starts again.
I tried changing the tunnel to an Aggressive Mode tunnel but using a name for the remote office firewall ID, and now it sits at AM_ACTIVE but doesn't go past that point either.
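A small detection script to go with the post above. It is an added example, not something from the original thread or from Cisco: it parses PIX/ASA-style syslog lines carrying the "Removing peer from peer table failed" / "Unable to remove PeerTblEntry" messages quoted in the post, collapses the pair of lines each teardown produces into one event, and reports any peer whose drops recur at a fixed interval (the poster's 3 min 50 s = 230 s). The log lines, timestamps, peer addresses and the syslog message ID prefix are all constructed for the example; the timestamp format is assumed to be the default ASA `Mon DD YYYY HH:MM:SS` form.

```python
"""Flag IPsec peers whose tunnel tears down on a fixed schedule.

Added illustration, not code from the original post. Sample log lines are
constructed; the %PIX-3-<id> prefix and timestamp format are assumptions.
"""
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample syslog. Peer 203.0.113.5 drops every 230 s (3 min 50 s),
# logging the same two lines the poster quoted; peer 198.51.100.7 drops at
# irregular intervals and should not be flagged.
SAMPLE_LOG = """\
Jan 10 2012 10:00:00: %PIX-3-713902: Group = DefaultL2LGroup, IP = 203.0.113.5, Removing peer from peer table failed, no match!
Jan 10 2012 10:00:01: %PIX-3-713902: Group = DefaultL2LGroup, IP = 203.0.113.5, Error: Unable to remove PeerTblEntry
Jan 10 2012 10:01:00: %PIX-3-713902: Group = DefaultL2LGroup, IP = 198.51.100.7, Removing peer from peer table failed, no match!
Jan 10 2012 10:03:50: %PIX-3-713902: Group = DefaultL2LGroup, IP = 203.0.113.5, Removing peer from peer table failed, no match!
Jan 10 2012 10:03:51: %PIX-3-713902: Group = DefaultL2LGroup, IP = 203.0.113.5, Error: Unable to remove PeerTblEntry
Jan 10 2012 10:05:00: %PIX-6-602303: IPSEC: An outbound LAN-to-LAN SA has been created (unrelated line, ignored)
Jan 10 2012 10:07:40: %PIX-3-713902: Group = DefaultL2LGroup, IP = 203.0.113.5, Removing peer from peer table failed, no match!
Jan 10 2012 10:07:41: %PIX-3-713902: Group = DefaultL2LGroup, IP = 203.0.113.5, Error: Unable to remove PeerTblEntry
Jan 10 2012 10:09:00: %PIX-3-713902: Group = DefaultL2LGroup, IP = 198.51.100.7, Error: Unable to remove PeerTblEntry
Jan 10 2012 10:10:30: %PIX-3-713902: Group = DefaultL2LGroup, IP = 198.51.100.7, Removing peer from peer table failed, no match!
Jan 10 2012 10:11:30: %PIX-3-713902: Group = DefaultL2LGroup, IP = 203.0.113.5, Removing peer from peer table failed, no match!
Jan 10 2012 10:11:31: %PIX-3-713902: Group = DefaultL2LGroup, IP = 203.0.113.5, Error: Unable to remove PeerTblEntry
"""

# Matches "<timestamp>: %PIX-<sev>-<id>: Group = <g>, IP = <ip>, <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %(?:PIX|ASA)-\d-\d+: "
    r"Group = (?P<group>\S+), IP = (?P<ip>\S+), (?P<msg>.*)$"
)

# The two messages the PIX logs when an IKE peer entry is torn down.
DROP_MARKERS = (
    "Removing peer from peer table failed",
    "Unable to remove PeerTblEntry",
)


def parse_drops(log_text):
    """Return {peer_ip: [datetime, ...]} for every teardown line, per peer."""
    drops = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not any(marker in m["msg"] for marker in DROP_MARKERS):
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        drops.setdefault(m["ip"], []).append(ts)
    return drops


def find_periodic_drops(drops, min_events=3, max_jitter=0.1, dedupe_secs=5):
    """Return {peer_ip: period_in_seconds} for peers that drop on a schedule.

    Lines within `dedupe_secs` of each other are one teardown event (the PIX
    emits two lines per drop). A peer is flagged when it has at least
    `min_events` events and the gaps between them vary by no more than
    `max_jitter` (coefficient of variation), i.e. the drops are clockwork.
    """
    periodic = {}
    for ip, times in drops.items():
        times = sorted(times)
        events = [times[0]]
        for t in times[1:]:
            if (t - events[-1]).total_seconds() > dedupe_secs:
                events.append(t)
        if len(events) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            periodic[ip] = round(avg)
    return periodic


if __name__ == "__main__":
    report = find_periodic_drops(parse_drops(SAMPLE_LOG))
    for ip, period in report.items():
        mins, secs = divmod(period, 60)
        print(f"peer {ip}: tunnel drops every {period}s ({mins} min {secs} s)")
```

Run against a real `show logging` or syslog export the same way; a peer that comes back with a fixed period is the one to compare against the lifetimes and DPD/keepalive timers configured on both ends, since a steady interval points at a timer rather than at a flaky link.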