Cisco Support Community
IKE Initiator Rekeying Phase 2 Problems

Hi to all,

I have problems with one site-to-site VPN. The problem is the following:

5 Nov 23 2010 08:28:47 713041 Group = X.X.X.X, IP = X.X.X.X, IKE Initiator: Rekeying Phase 2, Intf outside, IKE Peer X.X.X.X  local Proxy Address [LAN], remote Proxy Address [LAN],  Crypto map (outside_map)
6 Nov 23 2010 08:29:17 602304 IPSEC: An inbound LAN-to-LAN SA (SPI= 0x6C271CC8) between Y.Y.Y.Y and X.X.X.X (user= X.X.X.X) has been deleted.
6 Nov 23 2010 08:29:17 602304 IPSEC: An outbound LAN-to-LAN SA (SPI= 0xA59BE8CD) between Y.Y.Y.Y and X.X.X.X (user= X.X.X.X) has been deleted.
3 Nov 23 2010 08:29:19 713902 Group = X.X.X.X, IP = X.X.X.X, QM FSM error (P2 struct &0x62ab4f0, mess id 0x4cf32811)!
1 Nov 23 2010 08:29:19 713900 Group = X.X.X.X, IP = X.X.X.X, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
4 Nov 23 2010 08:29:19 113019 Group = X.X.X.X, Username = X.X.X.X, IP = X.X.X.X, Session disconnected. Session Type: IPsec, Duration: 0h:51m:32s, Bytes xmt: 60486, Bytes rcv: 70509, Reason: Phase 2 Error
5 Nov 23 2010 08:37:29 713904 IP = X.X.X.X, Received encrypted packet with no matching SA, dropping
5 Nov 23 2010 08:37:31 713904 IP = X.X.X.X, Received encrypted packet with no matching SA, dropping
5 Nov 23 2010 08:37:34 713904 IP = X.X.X.X, Received encrypted packet with no matching SA, dropping
5 Nov 23 2010 08:37:39 713904 IP = X.X.X.X, Received encrypted packet with no matching SA, dropping
5 Nov 23 2010 08:37:47 713904 IP = X.X.X.X, Received encrypted packet with no matching SA, dropping
5 Nov 23 2010 08:37:48 713904 IP = X.X.X.X, Received encrypted packet with no matching SA, dropping
5 Nov 23 2010 08:37:59 713904 IP = X.X.X.X, Received encrypted packet with no matching SA, dropping
4 Nov 23 2010 08:38:00 713903 Group = X.X.X.X, IP = X.X.X.X, Freeing previously allocated memory for authorization-dn-attributes
6 Nov 23 2010 08:38:00 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = X.X.X.X
5 Nov 23 2010 08:38:00 713119 Group = X.X.X.X, IP = X.X.X.X, PHASE 1 COMPLETED
3 Nov 23 2010 08:38:00 713122 IP = X.X.X.X, Keep-alives configured on but peer does not support keep-alives (type = None)
5 Nov 23 2010 08:38:00 713049 Group = X.X.X.X, IP = X.X.X.X, Security negotiation complete for LAN-to-LAN Group (X.X.X.X)  Responder, Inbound SPI = 0x7302c7aa, Outbound SPI = 0x804d8c31
6 Nov 23 2010 08:38:00 602303 IPSEC: An outbound LAN-to-LAN SA (SPI= 0x804D8C31) between Y.Y.Y.Y and X.X.X.X (user= X.X.X.X) has been created.
6 Nov 23 2010 08:38:00 602303 IPSEC: An inbound LAN-to-LAN SA (SPI= 0x7302C7AA) between Y.Y.Y.Y and X.X.X.X (user= X.X.X.X) has been created.
5 Nov 23 2010 08:38:00 713120 Group = X.X.X.X, IP = X.X.X.X, PHASE 2 COMPLETED (msgid=590161c5)

This behaviour is cyclic. The tunnel is established and traffic flows normally, but after 50 minutes (when the rekeying begins) the tunnel goes down.

I guess the problem is the part I marked in bold. I don't understand why both SPIs are deleted just after the Phase 2 rekeying begins.

The config is the following:

access-list outside_1_cryptomap extended permit ip lan lan-mask remote-lan remote-lan-mask
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 194.224.219.114
crypto map outside_map 1 set transform-set ESP-AES-192-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 30
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key

Thank you in advance for your help

2 REPLIES

Re: IKE Initiator Rekeying Phase 2 Problems

Hi,

Is the other side of the tunnel a Cisco device?

If not, you can try disabling PFS and making sure the lifetimes are set to the same values on both ends, to see if the error persists.

Federico.


Re: IKE Initiator Rekeying Phase 2 Problems

Hi,

The other device is not a Cisco device; it is a Palo Alto 2050.

I've tried disabling PFS but the problem is the same.

Any new ideas?

Thanks for your help
