I am trying to get a sustained Lan-to-Lan tunnel between a Linux router running Freeswan & a 3030 concentrator. The tunnel stays up OK for a while but I have noticed that when the IKE timeout comes up & the key renegotiation occurs the 3030 logs a few "Simultaneous logins exceeded for user" messages. I find this a bit odd for a Lan-to-Lan connection. Unfortunately I don't have access to the 3030 as it is managed by an external party. They recently upgraded it to the latest code.
I do know that the Freeswan does appear to try & create a new IPSec tunnel at renegotiation time before tearing down the old. There is very little configurable at the Linux end, and due to the nature of the customer connection they have very few options there. Does anyone have any suggestions on things to try or places to look?
Your problem seems to be the same as CSCdx80492 'Simultaneous logins exceeded error misleading during external auth'. It could be a cosmetic error only. If things are working fine, you could disregard this message.
I couldn't locate your reference, but it does appear to be working well now. Part of the problem appeared to also relate to the IKE re-key interval. Freeswan seems to get unstable at anything less than 30 minutes. Setting the interval to 1 hour made a great improvement.