07-30-2008 12:04 PM
We have a VPN tunnel b/w a CheckPoint and a Cisco ASA. The tunnel is up and working, but almost every day around noon I get the following messages and the tunnel breaks and reforms successfully. Phase 1 is set on both sides at 1440min/86400 seconds; phase 2 is set on both sides to 3600. It sounds like the tunnel is just terminating at the end of the phase 1 lifetime, but people are using the tunnel and report that their sessions break, so I'm confused. Any ideas/help would be appreciated. Thank you.
713041 IP=1.1.1.1, IKE Initiator: Rekeying Phase 1,Intf Internet, IKE Peer 1.1.1.1, local Proxy Address N/A, remote Proxy Address N/A, Crypto map N/A
713903 Group=1.1.1.1, IP=1.1.1.1, Freeing previously allocated memory for authorization-dn-attributes
713119 Group=1.1.1.1, IP=1.1.1.1, PHASE 1 COMPLETED
713122 IP=1.1.1.1, Keep-alives configured on but peer does not support keep-alives (type=None)
713201 Group=1.1.1.1, IP=1.1.1.1, Duplicate phase 1 packet detected. No last packet to retransmit.
713201 Group=1.1.1.1, IP=1.1.1.1, Duplicate phase 1 packet detected. No last packet to retransmit.
ASA Version 7.2(4)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Internet_map 1 match address Internet_1_cryptomap
crypto map Internet_map 1 set peer 1.1.1.1
crypto map Internet_map 1 set transform-set ESP-3DES-SHA
crypto map Internet_map 1 set security-association lifetime seconds 3600
crypto map Internet_map interface Internet
crypto isakmp enable Internet
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp am-disable
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key xyz
# sh crypto isakmp sa detail
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 71300
# sh crypto ipsec sa
interface: Internet
Crypto map tag: Internet_map, seq num: 1, local addr: 22.22.22.22
access-list Internet_1_cryptomap permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 121046, #pkts encrypt: 121046, #pkts digest: 121046
#pkts decaps: 134396, #pkts decrypt: 134396, #pkts verify: 134396
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 121046, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 22.22.22.22, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 38003399
inbound esp sas:
spi: 0x802A637 (215026177)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 3, crypto-map: Internet_map
sa timing: remaining key lifetime (kB/sec): (4270520/2113)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x380033 (939538880)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 3, crypto-map: Internet_map
sa timing: remaining key lifetime (kB/sec): (4273260/2112)
IV size: 8 bytes
replay detection support: Y
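The log lines above are what an ASA emits for a Phase 1 rekey; a rekey that is followed by "PHASE 1 COMPLETED" for the same peer does not by itself tear down the IPsec tunnel. The following Python script is an added example (not code from the thread or from Cisco) that parses syslog bodies in the format shown in the post, flags a rekey as normal or incomplete, and turns the "Lifetime / Lifetime Remaining" numbers from `show crypto isakmp sa detail` into an expected rekey time. The timestamps in the sample events and the one-line message descriptions are constructed for this example; the syslog IDs and text come from the posted log.

```python
import re
from datetime import datetime, timedelta

# Meanings of the syslog IDs seen in the post (descriptions are the editor's summary).
ASA_IKE_MESSAGES = {
    "713041": "IKE initiator started a Phase 1 rekey",
    "713119": "Phase 1 (ISAKMP SA) completed",
    "713122": "Keep-alives configured but the peer does not support them",
    "713201": "Duplicate Phase 1 packet detected",
    "713903": "Informational: freeing previously allocated memory",
}

# Body format seen in the post: "<id> [Group=<group>, ]IP=<ip>, <text>"
_LINE_RE = re.compile(
    r"^(?P<id>\d{6}) (?:Group=(?P<group>\S+), )?IP=(?P<ip>\S+), (?P<text>.*)$"
)


def parse_asa_line(line):
    """Parse one ASA syslog body into a dict; return None if it does not match."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["meaning"] = ASA_IKE_MESSAGES.get(d["id"], "unknown message id")
    return d


def classify_rekey(events, grace=timedelta(seconds=60)):
    """events: list of (datetime, syslog body).

    A 713041 (rekey started) followed by a 713119 (Phase 1 completed) for the
    same peer within `grace` is a normal rekey; otherwise it is reported as
    not completed, which is the case worth alerting on."""
    parsed = [(ts, parse_asa_line(body)) for ts, body in events]
    parsed = [(ts, p) for ts, p in parsed if p]
    results = []
    for i, (ts, p) in enumerate(parsed):
        if p["id"] != "713041":
            continue
        completed = any(
            q["id"] == "713119" and q["ip"] == p["ip"] and ts <= ts2 <= ts + grace
            for ts2, q in parsed[i + 1:]
        )
        results.append({
            "peer": p["ip"],
            "started": ts,
            "status": "rekey ok" if completed else "rekey not completed",
        })
    return results


def expected_rekey(now, lifetime_s, remaining_s):
    """From 'Lifetime: 86400' and 'Lifetime Remaining: 71300', compute when the
    ISAKMP SA was established and when it expires (the latest rekey point)."""
    established = now - timedelta(seconds=lifetime_s - remaining_s)
    expires = now + timedelta(seconds=remaining_s)
    return established, expires


def rekey_fraction(interval_s, lifetime_s):
    """Fraction of the configured lifetime at which a rekey was observed,
    e.g. 6 h between rekeys with an 8 h lifetime gives 0.75."""
    return interval_s / lifetime_s


# Constructed sample: the posted log lines with made-up timestamps.
SAMPLE_EVENTS = [
    (datetime(2008, 7, 30, 12, 4, 0),
     "713041 IP=1.1.1.1, IKE Initiator: Rekeying Phase 1,Intf Internet, IKE Peer 1.1.1.1, "
     "local Proxy Address N/A, remote Proxy Address N/A, Crypto map N/A"),
    (datetime(2008, 7, 30, 12, 4, 1),
     "713903 Group=1.1.1.1, IP=1.1.1.1, Freeing previously allocated memory for authorization-dn-attributes"),
    (datetime(2008, 7, 30, 12, 4, 1),
     "713119 Group=1.1.1.1, IP=1.1.1.1, PHASE 1 COMPLETED"),
    (datetime(2008, 7, 30, 12, 4, 1),
     "713122 IP=1.1.1.1, Keep-alives configured on but peer does not support keep-alives (type=None)"),
    (datetime(2008, 7, 30, 12, 4, 2),
     "713201 Group=1.1.1.1, IP=1.1.1.1, Duplicate phase 1 packet detected. No last packet to retransmit."),
]

if __name__ == "__main__":
    for r in classify_rekey(SAMPLE_EVENTS):
        print(r)
    est, exp = expected_rekey(datetime(2008, 7, 30, 12, 0, 0), 86400, 71300)
    print("SA established:", est, "expires:", exp)
    print("rekey fraction for 6h of 8h:", rekey_fraction(6 * 3600, 8 * 3600))
```

Run against a syslog export with real timestamps, the script separates routine rekeys from ones that never reached "PHASE 1 COMPLETED", and `rekey_fraction` lets you check whether rekeys land at a fixed fraction of the lifetime, as the later reply in this thread reports.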
02-19-2009 11:04 AM
Were you able to find a solution? I have the same problem between Windows 2003 and an ASA. I have noticed that it drops at 75% of the Phase 1 time. If I set it to 8 hrs, it breaks at 6 hrs; if I set it to 4 hrs, it breaks at 3 hrs; if I set it to 20 minutes, it breaks at 15 minutes. Like clockwork.
02-19-2009 11:15 AM
Our problem turned out to be within the Oracle application the users were using, and not with the connection. The database administrators tweaked a timeout parameter, and that resolved the issue.
02-19-2009 11:21 AM
Really? So the Oracle app was causing your VPN to disconnect periodically?
02-19-2009 11:51 AM
Users were reporting their sessions were breaking. I looked at the logs from the ASA and, based on the messages (like "PHASE 1 COMPLETED"), I assumed the tunnel was breaking and then reforming, and that's what was causing the session disconnect. Speaking further with the users, I found that some sessions did not get disconnected, but this one Oracle app always did. So I had the user send a screenshot of the error that she received when her session broke. I googled it and found a timeout issue caused by a parameter in a *.ora file. I had the DBA change the parameter to see if it resolved the user's issue, and as far as I know, it did. I don't work that closely with Cisco, so perhaps the messages I thought indicated a break in the tunnel were actually just normal messages. I just know the user is no longer complaining of session disruptions. Good luck ... I hope you find an answer to your issue.
02-20-2009 11:04 AM
Recently we found a problem with Windows 2003 in that it did not do DPD or something like that. Anyway, we hacked the registry and it works fine now. I will review and post details shortly.
Bill