We recently replaced a faulty PIX 506 and now, using the same config, a remote site periodically disconnects. The connection will come back, typically about 20 - 30 seconds later. The connection functions normally until the "ISAKMP (0): processing DELETE payload." shown in the ISAKMP debug below. Normal communication seems to pick back up at the point where it again begins "ISAKMP (0): processing NOTIFY payload 36136".
Here is the portion of the debug during the disconnect.
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 3827333845
ISAMKP (0): received DPD_R_U_THERE from peer 74.218.100.66
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:74.218.100.66, dest:165.236.142.230 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3558776878, spi size = 4
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xfe549c, conn_id = 0
crypto_isakmp_process_block:src:74.218.100.66, dest:165.236.142.230 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: default group 1
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:74.218.100.66, dest:165.236.142.230 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a VPN3000 concentrator
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:74.218.100.66, dest:165.236.142.230 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:74.218.100.66, dest:165.236.142.230 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 368196185
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: encaps is 1
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 2
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: encaps is 1
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 256
ISAKMP (0): atts are acceptable.
ISAKMP (0): processing NONCE payload. message ID = 368196185
ISAKMP (0): processing ID payload. message ID = 368196185
ISAKMP (0): ID_IPV4_ADDR src 192.168.1.63 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 368196185
ISAKMP (0): ID_IPV4_ADDR dst 192.0.0.25 prot 0 port 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 368196185
ISAKMP (0): processing notify INITIAL_CONTACT
VPN Peer: IPSEC: Peer ip:74.218.100.66/500 Decrementing Ref cnt to:5 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:74.218.100.66/500 Decrementing Ref cnt to:4 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:74.218.100.66/500 Decrementing Ref cnt to:3 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:74.218.100.66/500 Decrementing Ref cnt to:2 Total VPN Peers:1
ISAKMP (0): deleting SA: src 74.218.100.66, dst 165.236.142.230
ISADB: reaper checking SA 0xfe549c, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:74.218.100.66/500 Ref cnt decremented to:1 Total VPN Peers:1
ISADB: reaper checking SA 0xdfaf24, conn_id = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:74.218.100.66, dest:165.236.142.230 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
inbound SA from 74.218.100.66 to 165.236.142.230 (proxy 192.168.1.63 to 192.0.0.25)
has spi 2112170515 and conn_id 5 and flags 4
lifetime of 28800 seconds
lifetime of 4608000 kilobytes
outbound SA from 165.236.142.230 to 74.218.100.66 (proxy 192.0.0.25 to 192.168.1.63)
has spi 3828701785 and conn_id 6 and flags 4
lifetime of 28800 seconds
lifetime of 4608000 kilobytes
VPN Peer: IPSEC: Peer ip:74.218.100.66/500 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:74.218.100.66/500 Ref cnt incremented to:3 Total VPN Peers:1
return status is IKMP_NO_ERROR
ISADB: reaper checking SA 0xdfaf24, conn_id = 0
crypto_isakmp_process_block:src:74.218.100.66, dest:165.236.142.230 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 607275765
ISAMKP (0): received DPD_R_U_THERE from peer 74.218.100.66
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:74.218.100.66, dest:165.236.142.230 spt:500 dpt:500
Appreciate any input!
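
An added example, not part of the original post: a Python triage helper that walks ISAKMP debug lines in the format shown above, decodes the VPI lifetime fields into integers, and lists what was renegotiated after each DELETE payload. The sample lines are constructed from that format (wrapped lines joined), and the function and event names are hypothetical.

```python
import re
# Constructed sample in the format of the debug output above.
SAMPLE = """\
ISAMKP (0): received DPD_R_U_THERE from peer 74.218.100.66
ISAKMP (0): processing DELETE payload. message ID = 3558776878, spi size = 4
OAK_MM exchange
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): SA has been authenticated
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP (0): processing notify INITIAL_CONTACT
ISAKMP (0): Creating IPSec SAs
ISAMKP (0): received DPD_R_U_THERE from peer 74.218.100.66
"""

PATTERNS = [  # (event name, regex); the empty "()" gives every pattern a group 1
    ("dpd_request", r"received DPD_R_U_THERE from peer (\S+)"),
    ("delete", r"processing DELETE payload\. message ID = (\d+)"),
    ("main_mode", r"^OAK_MM exchange()"),
    ("lifetime", r"life duration \(VPI\) of ((?:0x[0-9a-fA-F]+ ?)+)"),
    ("phase1_up", r"SA has been authenticated()"),
    ("initial_contact", r"processing notify INITIAL_CONTACT()"),
    ("ipsec_up", r"Creating IPSec SAs()"),
]

def decode_vpi(field):
    """VPI values are printed as big-endian bytes: '0x0 0x1 0x51 0x80' -> 86400."""
    return int.from_bytes(bytes(int(b, 16) for b in field.split()), "big")

def timeline(log):
    """Return (line_number, event, detail) for every recognised debug line."""
    events = []
    for n, line in enumerate(log.splitlines(), 1):
        for name, pat in PATTERNS:
            m = re.search(pat, line.strip())
            if m:
                detail = decode_vpi(m.group(1)) if name == "lifetime" else m.group(1)
                events.append((n, name, detail))
                break
    return events

def renegotiations(events):
    """For each DELETE payload, collect the events seen before the next DELETE."""
    out = []
    for n, name, detail in events:
        if name == "delete":
            out.append({"line": n, "message_id": detail, "seen": []})
        elif out and name != "dpd_request":
            out[-1]["seen"].append(name)
    return out
```

Decoded this way, the Phase 1 lifetime in the debug is 86400 seconds and the Phase 2 volume lifetime is 4608000, matching the "lifetime of 4608000 kilobytes" line printed when the IPSec SAs are created.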