Re: VPN tunnel b/w CheckPoint R62 and Cisco ASA 5510 7.2(4) brea

calterio · ‎07-30-2008

We have a VPN tunnel b/w a CheckPoint and a Cisco ASA. The tunnel is up and working, but almost every day around noon I get the following messages and the tunnel breaks and reforms successfully. Phase 1 is set on both sides at 1440min/86400 seconds; phase 2 is set on both sides to 3600. It sounds like the tunnel is just terminating at the end of the phase 1 lifetime, but people are using the tunnel and report that their sessions break, so I'm confused. Any ideas/help would be appreciated. Thank you.

713041 IP=1.1.1.1, IKE Initiator: Rekeying Phase 1,Intf Internet, IKE Peer 1.1.1.1, local Proxy Address N/A, remote Proxy Address N/A, Crypto map N/A

713903 Group=1.1.1.1, IP=1.1.1.1, Freeing previously allocated memory for authorization-dn-attributes

713119 Group=1.1.1.1, IP=1.1.1.1, PHASE 1 COMPLETED

713122 IP=1.1.1.1, Keep-alives configured on but peer does not support keep-alives (type=None)

713201 Group=1.1.1.1, IP=1.1.1.1, Duplicate phase 1 packet detected. No last packet to retransmit.

ASA Version 7.2(4)

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map Internet_map 1 match address Internet_1_cryptomap

crypto map Internet_map 1 set peer 1.1.1.1

crypto map Internet_map 1 set transform-set ESP-3DES-SHA

crypto map Internet_map 1 set security-association lifetime seconds 3600

crypto map Internet_map interface Internet

crypto isakmp enable Internet

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp am-disable

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

pre-shared-key xyz

# sh crypto isakmp sa detail

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 1.1.1.1

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

Encrypt : 3des Hash : SHA

Auth : preshared Lifetime: 86400

Lifetime Remaining: 71300

# sh crypto ipsec sa

interface: Internet

Crypto map tag: Internet_map, seq num: 1, local addr: 22.22.22.22

access-list Internet_1_cryptomap permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0

local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)

current_peer: 1.1.1.1

#pkts encaps: 121046, #pkts encrypt: 121046, #pkts digest: 121046

#pkts decaps: 134396, #pkts decrypt: 134396, #pkts verify: 134396

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 121046, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 22.22.22.22, remote crypto endpt.: 1.1.1.1

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: 38003399

inbound esp sas:

spi: 0x802A637 (215026177)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 3, crypto-map: Internet_map

sa timing: remaining key lifetime (kB/sec): (4270520/2113)

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0x380033 (939538880)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 3, crypto-map: Internet_map

sa timing: remaining key lifetime (kB/sec): (4273260/2112)

IV size: 8 bytes

replay detection support: Y

nobleton3366 · ‎02-19-2009

Were you able to find a solution? I have the same problem between windows 2003 and an ASA. I have noticed that it drops at 75% of the phase1 time. If I set it to 8hrs; it breaks at 6hrs, I set it to 4hrs; it breaks at 3hrs, I set it to 20 minutes and it breaks at 15 minutes. Like clock work.

calterio · ‎02-19-2009

Our problem turned out to be within the Oracle application the users were using, and not with the connection. The database administrators tweaked a timeout parameter, and that resolved the issue.

nobleton3366 · ‎02-19-2009

Really? So the oracle app was causing your VPN to disconnect periodically?

calterio · ‎02-19-2009

Users were reporting their sessions were breaking. I looked at the logs from the ASA and based on the messages (like "PHASE 1 Completed", I was assumed the tunnel was breaking and then reforming, and that's what was causing the session disconnect. Speaking further with the users, I found that some sessions did not get disconnected, but this one Oracle app always did. So I had the user send the screen shot of the error that she received when her session broke. I googled it and found a timeout issue caused by a parameter in a *.ora file. I had the DBA change the parameter to see if it resolved the user's issue, and as far as I know, it did. I don't work that closely with Cisco, so perhaps the messages I thought indicated a break in the tunnel actually were just normal messages. I just know the user is no longer complaining of session disruptions. Good luck ... I hope you find an answer to your issue.

wharrison2000 · ‎02-20-2009

Recently we found a problem with windows 2003 that it did not do DPD or something like that. Anyway we hacked the registery and it works fine now. I will review and post details shortly

Bill

VPN tunnel b/w CheckPoint R62 and Cisco ASA 5510 7.2(4) breaking