11-17-2013 04:10 PM - edited 03-04-2019 09:36 PM
Hi Guys,
I have a Juniper SSG350 working as an IPsec site-to-site VPN hub. I have multiple SSG20s and SRX110s out at remote sites which connect to the VPN and all are working well.
Recently I deployed two Ciscos, one 877 and one 878, and connected them to the Juniper. Both connected fine; however, they disconnect frequently, and I'm talking probably 50-100 times a day!
I don't see any real error messages; it looks to be a totally normal tear-down and rebuild process, but I can't get them stable.
One thing to note that I saw when debugging crypto IPsec errors was this:
Nov 18 12:53:02: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Nov 18 12:53:12: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Nov 18 12:53:22: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Nov 18 12:53:32: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
which indicates that the ACL is wrong. I would usually just have the one line in my ACL, so I added the second so both the Juniper and the Cisco have two exactly matching lines in the policies (Juniper does both directions by default).
Cisco config:
crypto isakmp policy 15
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key *** address ***
!
!
crypto ipsec transform-set aes-sha esp-aes esp-md5-hmac
!
crypto map *** 11 ipsec-isakmp
set peer ***
set transform-set aes-sha
set pfs group2
match address IF-encrypt
!
interface Vlan1
ip address 192.168.83.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip unnumbered Loopback0
ip mtu 1492
ip virtual-reassembly max-reassemblies 1024
crypto map ***
!
ip nat inside source list 105 interface Loopback0 overload
!
ip access-list extended IF-encrypt
permit ip 192.168.0.0 0.0.0.255 192.168.83.0 0.0.0.255
permit ip 192.168.83.0 0.0.0.255 192.168.0.0 0.0.0.255
!
access-list 105 permit ip 192.168.83.0 0.0.0.255 any
---------
I can provide the Juniper config if required.
Here is the debug from the Cisco:
Nov 18 11:44:32: ISAKMP (2013): received packet from *** dport 500 sport 500 Global (R) QM_IDLE
Nov 18 11:44:32: ISAKMP: set new node 16342192 to QM_IDLE
Nov 18 11:44:32: ISAKMP:(2013): processing HASH payload. message ID = 16342192
Nov 18 11:44:32: ISAKMP:(2013): processing DELETE payload. message ID = 16342192
Nov 18 11:44:32: ISAKMP:(2013):peer does not do paranoid keepalives.
Nov 18 11:44:32: ISAKMP:(2013):deleting node 16342192 error FALSE reason "Informational (in) state 1"
Nov 18 11:44:33: ISAKMP (2013): received packet from 203.167.141.70 dport 500 sport 500 Global (R) QM_IDLE
Nov 18 11:44:33: ISAKMP: set new node 1271687011 to QM_IDLE
Nov 18 11:44:33: ISAKMP:(2013): processing HASH payload. message ID = 1271687011
Nov 18 11:44:33: ISAKMP:(2013): processing SA payload. message ID = 1271687011
Nov 18 11:44:33: ISAKMP:(2013):Checking IPSec proposal 1
Nov 18 11:44:33: ISAKMP: transform 1, ESP_AES
Nov 18 11:44:33: ISAKMP: attributes in transform:
Nov 18 11:44:33: ISAKMP: SA life type in seconds
Nov 18 11:44:33: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
Nov 18 11:44:33: ISAKMP: encaps is 1 (Tunnel)
Nov 18 11:44:33: ISAKMP: authenticator is HMAC-MD5
Nov 18 11:44:33: ISAKMP: group is 2
Nov 18 11:44:33: ISAKMP: key length is 128
Nov 18 11:44:33: ISAKMP:(2013):atts are acceptable.
Nov 18 11:44:33: ISAKMP:(2013): processing NONCE payload. message ID = 1271687011
Nov 18 11:44:33: ISAKMP:(2013): processing KE payload. message ID = 1271687011
Nov 18 11:44:33: ISAKMP:(2013): processing ID payload. message ID = 1271687011
Nov 18 11:44:33: ISAKMP:(2013): processing ID payload. message ID = 1271687011
Nov 18 11:44:33: ISAKMP:(2013):QM Responder gets spi
Nov 18 11:44:33: ISAKMP:(2013):Node 1271687011, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Nov 18 11:44:33: ISAKMP:(2013):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
Nov 18 11:44:33: ISAKMP:(2013):Node 1271687011, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Nov 18 11:44:33: ISAKMP:(2013):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
Nov 18 11:44:33: ISAKMP: Failed to find peer index node to update peer_info_list
Nov 18 11:44:33: ISAKMP:(2013):Received IPSec Install callback... proceeding with the negotiation
Nov 18 11:44:33: ISAKMP:(2013): sending packet to *** my_port 500 peer_port 500 (R) QM_IDLE
Nov 18 11:44:33: ISAKMP:(2013):Sending an IKE IPv4 Packet.
Nov 18 11:44:33: ISAKMP:(2013):Node 1271687011, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
Nov 18 11:44:33: ISAKMP:(2013):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
Nov 18 11:44:33: ISAKMP (2013): received packet from *** dport 500 sport 500 Global (R) QM_IDLE
Nov 18 11:44:33: ISAKMP:(2013):deleting node 1271687011 error FALSE reason "QM done (await)"
Nov 18 11:44:33: ISAKMP:(2013):Node 1271687011, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Nov 18 11:44:33: ISAKMP:(2013):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
Nov 18 11:45:22: ISAKMP:(2013):purging node 16342192
Nov 18 11:45:23: ISAKMP:(2013):purging node 1271687011
**********************************************************
and debug from the Juniper:
## 2013-11-18 12:09:31 : IKE<ip-add> clear auto sa sent: 15
## 2013-11-18 12:09:31 : IKE<ip-add> clear sa recv: 15
## 2013-11-18 12:09:31 : IKE<ip-add> deactive p2 sa 15 send_delete 1
## 2013-11-18 12:09:31 : IKE<ip-add> Send IPSEC delete for sa 15, mode 1
## 2013-11-18 12:09:31 : IKE<ip-add> isadb_get_entry_by_peer_and_local_if_port_p2sa isadb get entry by peer/local ip and port
## 2013-11-18 12:09:31 : IKE<ip-add> sending phase 2 (SA15) delete to <ip ip-add> spi<45bcedb1>
## 2013-11-18 12:09:31 : IKE<ip-add> Create conn entry...
## 2013-11-18 12:09:31 : IKE<ip-add> ...done(new ca265422)
## 2013-11-18 12:09:31 : IKE<ip-add> Construct ISAKMP header.
## 2013-11-18 12:09:31 : IKE<ip-add> Msg header built (next payload #8)
## 2013-11-18 12:09:31 : IKE<ip-add> Construct [HASH]
## 2013-11-18 12:09:31 : IKE<ip-add> construct QM HASH
## 2013-11-18 12:09:31 : IKE<ip-add> P2 message header:
## 2013-11-18 12:09:31 : IKE<ip-add > Xmit*: [HASH] [DELETE]
## 2013-11-18 12:09:31 : IKE<ip-add> Encrypt P2 payload (len 68)
## 2013-11-18 12:09:31 : IKE<ip-add > clear p2 pkt dump:
## 2013-11-18 12:09:31 : IKE<ip-add > iv:
## 2013-11-18 12:09:31 : IKE<ip-add > new iv:
## 2013-11-18 12:09:31 : IKE<ip-add> Initiator sending IPv4 IP ip-add/port 500
## 2013-11-18 12:09:31 : IKE<ip-add> Send Phase 2 packet (len=76)
## 2013-11-18 12:09:31 : IKE<ip-add> ipsec delete packet sent, type=3, spi=45bcedb1
## 2013-11-18 12:09:31 : IKE<ip-add> Delete conn entry...
## 2013-11-18 12:16:43 : IKE<ip-add> Phase 2 msg-id <26c6f99c>: Received responder lifetime notification.(0 sec/4608000 Kb)
## 2013-11-18 12:16:43 : IKE<ip-add> Phase 2 msg-id <26c6f99c>: Completed Quick Mode negotiation with SPI <45bcedbb>, tunnel ID <27>, and lifetime <3600> seconds/<4194303> KB.
-----------------------
show ipsec:
interface: Dialer0
Crypto map tag: ipsec, local addr ip-add
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.83.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer ip add port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
#pkts decaps: 89, #pkts decrypt: 89, #pkts verify: 89
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 104
local crypto endpt.: ipadd, remote crypto endpt.: ipadd
path mtu 1492, ip mtu 1492, ip mtu idb Dialer0
current outbound spi: 0x45BCEDE7(1170009575)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0x4C3F6F5B(1279225691)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 751, flow_id: Onboard VPN:751, sibling_flags 80000046, crypto map: ipsec-corks
sa timing: remaining key lifetime (k/sec): (4549312/3494)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x45BCEDE7(1170009575)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 752, flow_id: Onboard VPN:752, sibling_flags 80000046, crypto map: ipsec-corks
sa timing: remaining key lifetime (k/sec): (4549314/3494)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
Any ideas would be greatly appreciated!!
11-17-2013 07:14 PM
Do you need PFS for the Juniper? Have you tried without PFS?
Sent from Cisco Technical Support iPad App
11-18-2013 02:19 PM
Well, it was enabled on both the Juniper and the Cisco. I have disabled it on both sides now. Will see if it makes any difference!
11-18-2013 04:18 PM
Nope, didn't make a difference: 11 disconnects in just over an hour.
11-19-2013 02:46 AM
Can you put in an ISAKMP keepalive and/or IP SLA so the tunnel is always up?
Sent from Cisco Technical Support iPhone App
11-19-2013 05:50 PM
I enabled DPD on both the Juniper and the Cisco.
I am seeing this in the debugs now; does it look correct?
Nov 20 14:47:07: ISAKMP:(2027):purging node -797132523
Nov 20 14:47:15: ISAKMP: set new node 1984029109 to QM_IDLE
Nov 20 14:47:15: ISAKMP:(2027):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 249726800, message ID = 1984029109
Nov 20 14:47:15: ISAKMP:(2027): seq. no 0x1A1FA2E4
Nov 20 14:47:15: ISAKMP:(2027): sending packet to IPADD my_port 500 peer_port 500 (I) QM_IDLE
Nov 20 14:47:15: ISAKMP:(2027):Sending an IKE IPv4 Packet.
Nov 20 14:47:15: ISAKMP:(2027):purging node 1984029109
Nov 20 14:47:15: ISAKMP:(2027):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Nov 20 14:47:15: ISAKMP:(2027):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 20 14:47:15: ISAKMP (2027): received packet from IPADD dport 500 sport 500 Global (I) QM_IDLE
Nov 20 14:47:15: ISAKMP: set new node -438422623 to QM_IDLE
Nov 20 14:47:15: ISAKMP:(2027): processing HASH payload. message ID = 3856544673
Nov 20 14:47:15: ISAKMP:(2027): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 3856544673, sa = 0x10BBC60
Nov 20 14:47:15: ISAKMP:(2027): DPD/R_U_THERE_ACK received from peer IPADD, sequence 0x1A1FA2E4
Nov 20 14:47:15: ISAKMP:(2027):deleting node -438422623 error FALSE reason "Informational (in) state 1"
Nov 20 14:47:15: ISAKMP:(2027):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Nov 20 14:47:15: ISAKMP:(2027):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
I'll let it run for a couple of hours and report back if it stays connected now.
11-19-2013 06:44 PM
OK, even with DPD/keepalives on I still got 2 disconnections within 20 minutes, from 2 different sites.
I would prefer not to use an IP SLA, because the ISAKMP keepalive UDPs should be enough in themselves to keep the tunnel interested.
Anyone else got a similar setup working that could share config? I have run out of ideas.
11-25-2013 03:47 PM
OK, for anyone else having this issue, I solved it by disabling "VPN Monitor" on the Juniper. VPN Monitor will send ICMP when there is no user data on the VPN. If a ping is not replied to, the tunnel is terminated. I could have kept this feature enabled and set the correct source interfaces, which would probably have worked; however, having DPD seemed enough for me. Haven't had a drop in 48 hours.
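As an added illustration, not code from the thread or from either vendor, of what "decrypted packet failed SA identity check" means and why the VPN Monitor source interface matters: the script below emulates IOS comparing a decrypted packet's inner addresses against the SA's proxy identities taken from the show output above. The 198.51.100.1 address is a placeholder for the hub's Internet-facing interface, and the idea that the monitor probes were sourced from outside the proxy IDs is an assumption that fits the thread, not something it confirms.

```python
from ipaddress import ip_address, ip_network

# Proxy identities (addr/mask/prot/port) as printed by "show crypto ipsec sa"
# in the thread; protocol 0 and port 0 mean "any".
LOCAL_IDENT = ("192.168.83.0/255.255.255.0", 0, 0)
REMOTE_IDENT = ("192.168.0.0/255.255.255.0", 0, 0)


def _parse_ident(ident):
    addr_mask, proto, port = ident
    return ip_network(addr_mask, strict=False), proto, port


def sa_identity_check(inner_src, inner_dst, proto, sport=0, dport=0,
                      local=LOCAL_IDENT, remote=REMOTE_IDENT):
    """Emulate the check IOS applies after decrypting an inbound ESP packet:
    the inner source must fall inside the SA's remote ident and the inner
    destination inside its local ident (protocol/port too, where the ident
    restricts them). Returns (ok, reason); a False result is what IOS logs
    as "decrypted packet failed SA identity check" and then drops."""
    l_net, l_proto, l_port = _parse_ident(local)
    r_net, r_proto, r_port = _parse_ident(remote)
    if ip_address(inner_src) not in r_net:
        return False, f"inner src {inner_src} outside remote ident {r_net}"
    if ip_address(inner_dst) not in l_net:
        return False, f"inner dst {inner_dst} outside local ident {l_net}"
    if (r_proto and proto != r_proto) or (l_proto and proto != l_proto):
        return False, f"protocol {proto} not permitted by ident"
    if (r_port and sport != r_port) or (l_port and dport != l_port):
        return False, "port not permitted by ident"
    return True, "matches SA proxy identities"


# Constructed inbound packets as the Cisco would see them (ICMP = protocol 1).
# 198.51.100.1 is an RFC 5737 placeholder for the hub's egress interface,
# not an address from the thread.
PACKETS = {
    "lan_to_lan":        ("192.168.0.10", "192.168.83.20", 1),
    "probe_from_egress": ("198.51.100.1", "192.168.83.1", 1),  # assumed bad source
    "probe_from_trust":  ("192.168.0.1", "192.168.83.1", 1),   # correct source
}


def evaluate_probes(packets=PACKETS):
    """Run each constructed packet through the identity check; name -> passed."""
    return {name: sa_identity_check(*pkt)[0] for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        ok, why = sa_identity_check(*pkt)
        print(f"{name:18} {'OK  ' if ok else 'DROP'} {why}")
```

A probe that is dropped this way never gets its reply, so a monitor that tears the tunnel down on unanswered pings would flap it exactly as described; sourcing the probe from an interface inside the proxy ID, or relying on DPD (which runs over IKE, not inside the IPsec SA), avoids that.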