Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN Concentrator disconnected every 7:36:32

Hi experts, I found my L2L setting which configuration between VPN concentrator and Pix will disconnect every 7:36:32, I have searched on Internet and find some users already have the same problem but don't have an possible answer, do any expert know what is the reason for this?

Concentrator log:

1301 06/17/2009 22:55:57.570 SEV=4 IKE/41 RPT=609 <peer ip address>

Group [<peer ip address>]

IKE Initiator: Rekeying Phase 2, Intf 2, IKE Peer <peer ip address>

local Proxy Address x.x.x.x, remote Proxy Address x.x.x.x,

SA (L2L: L2L_TEST)

1327 06/17/2009 22:56:29.570 SEV=4 IKEDBG/97 RPT=59 <peer ip address>

Group [<peer ip address>]

QM FSM error (P2 struct &0x1dc856a4, mess id 0x11ca1925)!

1328 06/17/2009 22:56:29.570 SEV=4 AUTH/23 RPT=42 <peer ip address>

User [<peer ip address>] Group [<peer ip address>] disconnected: duration: 7:36:32

1329 06/17/2009 22:56:29.570 SEV=4 AUTH/85 RPT=42

LAN-to-LAN tunnel to headend device <peer ip address> disconnected: duration: 7:36:32

- Is the problem related to Phase 2 rekeying? I have already set the Phase 2 key lifetime to 28800(8 hours), if it is related to Phase 2 rekey, why it disconnected every 7:36:32, not 8 hours?

- Also, is it related to the phase 2 proposal not match between the two device?

Please help...

3 REPLIES
Cisco Employee

Re: VPN Concentrator disconnected every 7:36:32

It could be P2 rekey. Make sure PFS is either disabled or enabled on both devices.

New Member

Re: VPN Concentrator disconnected every 7:36:32

Hi Auraza, I've checked both devices and found PFS is disabled for them. Any other possible reason? Is it related to Phase 2 SA proposal problem?

Cisco Employee

Re: VPN Concentrator disconnected every 7:36:32

Not sure if it is related to SA proposal or what, but if you did initially connect, then it doesn't sound like a Phase 2 problem, but we'll have to see debugs to see what is going on.

General -> Events -> Classes:

enable IKE, IKEDBG, IPSEC, IPSECDBG to log for sev 1-9.

Once this happens again, copy the logs and post them here, with the time that it happened. That should give a better idea.

139
Views
0
Helpful
3
Replies