Solved

Our VPN tunnel gets disconnected every 70 minutes

Posted on 2008-06-19
Last Modified: 2013-11-16
For the past four years, we have had a successful VPN tunnel that goes coast to coast via a SonicWall and Cisco PIX (model ???). We're looking for assistance with a problem that cropped up last week after Comcast installed a new modem (do not know the old or new model #). Shortly after the new modem was installed, we would get VPN drops every 20 minutes to 1 hour, but never the internet.

Comcast has adjusted all settings on the new modem to match those of the old modem exactly (as far as I'm told). After one week of this problem, we decided to purchase a WatchGuard X20e-W (for more reasons than this VPN drop). Hoping that the problem would magically disappear, we installed it with the same VPN configuration as best as we knew (matching that of the remote Cisco PIX device).

Now, we can set our watch by when the VPN tunnel goes down. Every 70 minutes, we'll get a VPN brown-out. If we click "regenerate IPSec key", the VPN comes right back. (E.g. if we get a brown-out at 9:00am but do not regenerate until 9:12am, we'll still get another brown-out at 10:10am.) Based on the example, I'm thinking the problem exists outside of our network but do not know where to look.

Where is the problem? Comcast network - blocking critical heartbeat traffic? Remote VPN end point?
Question by:isdpcman

Expert Comment

by:dpk_wal
ID: 21830112
I think the problem is due to key re-negotiation or a timeout value; let me explain.

When we create a VPN tunnel we have time-out values for Phase I and Phase II, so keys are re-negotiated for security reasons; many times it is observed that this re-negotiation fails, bringing the tunnel down.
Workaround: Configure keys not to expire at all; configure 0 for the data and time timeout values on WG [not sure if Edge models allow setting 0; bigger models do allow setting 0]; have no idea on Cisco.

Another problem which is seen: if there is no traffic flowing over a connection for a considerable time, then the device kills the connection; this would cause the tunnel to break. The network device can be a modem, router or switch on the ISP network.
Workaround: Configure WG to send keep-alives; or, from one end of the tunnel, initiate a ping with -t to the other end; this would ensure that there is always traffic on the wire; you can adjust the rate at which pings are sent so as not to clog the link.
However, there is one problem: if the key expiration is happening on bytes transmitted, then this would trigger the keys to re-negotiate faster.

Please see if you get any logs in Cisco or WG when the VPN tunnel is disrupted; this would give a better idea as to what is happening.

Please check and update.

Thank you.

Accepted Solution

by:isdpcman
ID: 21831875
Thanks for the help. I'm really in a pinch now so your input is invaluable.

Here are the settings I have in Watchguard Edge X20e-W based on our VPN network administrator:

shared key: <duh>

Phase 1 Settings:
----------------------------
Mode: Main Mode
Local ID: our local public IP address
Type: IP Address
Remote Gateway configuration
      Remote Gateway IP: remote public IP address
      Remote ID: remote public IP address
      Type: IP Address
Authentication Algorithm: MD5
Encryption Algorithm: DES
Negotiation Expires: 0 kb
Negotiation Expires: 24 hrs
Diffie-Hellman Group: 2    -------> please read note below
Send IKE Keep alive messages: checked
Keep alive interval: 60 seconds

Phase 2 Settings:
----------------------------
Authentication Algorithm: MD5
Encryption Algorithm: DES
Enable TOS for IPSEC: unchecked
Enable Perfect Forward Secrecy: unchecked
Remote Peer info
      Local Network: 172.17.41.0/24
      Remote Network: 172.31.3.100/32


After reading the Experts Exchange forums, I figured I'd try changing the Diffie-Hellman Group from 1 to 2, and the VPN stayed running like a charm for about 10 hours without a hitch. Then at 5:57am, the VPN tunnel began failing again. While getting the configuration info for the above, I noticed that the DHG had reverted back to 1. I'll have to monitor this to see if it's "magically" changing or if I have too many cooks in the kitchen.

I'll send the log file info over shortly.

Author Comment

by:isdpcman
ID: 21832178
The following is a typical LOG while the VPN is in good working order.
----------------------------------------------
2008-06-20 03:44:11      Local0.Debug      172.17.41.254      Jun 20 03:44:12 edge_atsnh 72750356F867a (Jun 20 03:44:12) iked iked_idle_loop: sending ping request to host 172.31.3.100 from 172.17.41.254
2008-06-20 03:44:11      Local0.Debug      172.17.41.254      Jun 20 03:44:12 edge_atsnh 72750356F867a (Jun 20 03:44:12) iked ping reply received from 172.31.3.100
2008-06-20 03:44:20      Local0.Warning      172.17.41.254      Jun 20 03:44:20 edge_atsnh 72750356F867a (Jun 20 03:44:20) kernel deny in eth0 36 igmp 24 1 73.166.208.1 224.0.0.1  (default)
2008-06-20 03:44:23      Local0.Warning      172.17.41.254      Jun 20 03:44:23 edge_atsnh 72750356F867a (Jun 20 03:44:23) kernel deny in eth0 128 udp 20 41 66.203.95.202 24.147.113.85 500 500  (default)
2008-06-20 03:44:23      Local0.Warning      172.17.41.254      Jun 20 03:44:24 edge_atsnh 72750356F867a (Jun 20 03:44:24) kernel deny in eth0 328 udp 20 255 73.166.208.1 255.255.255.255 67 68  (broadcast)
2008-06-20 03:44:28      Local0.Warning      172.17.41.254      Jun 20 03:44:28 edge_atsnh 72750356F867a (Jun 20 03:44:28) kernel deny in eth0 128 udp 20 41 66.203.95.202 24.147.113.85 500 500  (default)
2008-06-20 03:44:39      Local0.Warning      172.17.41.254      Jun 20 03:44:39 edge_atsnh 72750356F867a (Jun 20 03:44:39) kernel deny in eth0 128 udp 20 41 66.203.95.202 24.147.113.85 500 500  (default)
2008-06-20 03:44:57      Local0.Warning      172.17.41.254      Jun 20 03:44:57 edge_atsnh 72750356F867a (Jun 20 03:44:57) kernel deny in eth0 128 udp 20 41 66.203.95.202 24.147.113.85 500 500  (default)
--------------------------------------------
and this repeats for up to 70 minutes until the VPN drops...

Author Comment

by:isdpcman
ID: 21832208
Here's what the log looks like when the VPN drops...
----------------------------------------------------------------------------------
2008-06-20 04:54:38      Local0.Debug      172.17.41.254      Jun 20 04:54:39 edge_atsnh 72750356F867a (Jun 20 04:54:39) iked iked_idle_loop: sending ping request to host 172.31.3.100 from 172.17.41.254
2008-06-20 04:54:38      Local0.Debug      172.17.41.254      Jun 20 04:54:39 edge_atsnh 72750356F867a (Jun 20 04:54:39) iked ping reply received from 172.31.3.100
2008-06-20 04:54:52      Local0.Warning      172.17.41.254      Jun 20 04:54:52 edge_atsnh 72750356F867a (Jun 20 04:54:52) kernel deny in eth0 328 udp 20 255 73.166.208.1 255.255.255.255 67 68  (broadcast)
2008-06-20 04:54:53      Local0.Warning      172.17.41.254      Jun 20 04:54:53 edge_atsnh 72750356F867a (Jun 20 04:54:53) kernel deny in eth0 128 udp 20 41 66.203.95.202 24.147.113.85 500 500  (default)
2008-06-20 04:55:00      Local0.Warning      172.17.41.254      Jun 20 04:55:00 edge_atsnh 72750356F867a (Jun 20 04:55:00) kernel deny in eth0 128 udp 20 41 66.203.95.202 24.147.113.85 500 500  (default)
2008-06-20 04:55:10      Local0.Warning      172.17.41.254      Jun 20 04:55:10 edge_atsnh 72750356F867a (Jun 20 04:55:10) kernel deny in eth0 128 udp 20 41 66.203.95.202 24.147.113.85 500 500  (default)
2008-06-20 04:55:20      Local0.Warning      172.17.41.254      Jun 20 04:55:21 edge_atsnh 72750356F867a (Jun 20 04:55:21) kernel deny in eth0 36 igmp 24 1 73.166.208.1 224.0.0.1  (default)
2008-06-20 04:55:27      Local0.Warning      172.17.41.254      Jun 20 04:55:27 edge_atsnh 72750356F867a (Jun 20 04:55:27) kernel deny in eth0 128 udp 20 41 66.203.95.202 24.147.113.85 500 500  (default)
2008-06-20 04:55:37      Local0.Warning      172.17.41.254      Jun 20 04:55:37 edge_atsnh 72750356F867a (Jun 20 04:55:37) kernel deny in eth0 485 udp 20 40 221.206.121.53 24.147.113.85 58502 1027  (default)
2008-06-20 04:55:38      Local0.Debug      172.17.41.254      Jun 20 04:55:39 edge_atsnh 72750356F867a (Jun 20 04:55:39) iked iked_idle_loop: sending ping request to host 172.31.3.100 from 172.17.41.254
2008-06-20 04:55:38      Local0.Debug      172.17.41.254      Jun 20 04:55:39 edge_atsnh 72750356F867a (Jun 20 04:55:39) iked ping reply received from 172.31.3.100
2008-06-20 04:56:07      Local0.Debug      172.17.41.254      Jun 20 04:56:08 edge_atsnh 72750356F867a (Jun 20 04:56:08) iked FROM  216.231.31.98 MM-HDR   ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID
2008-06-20 04:56:08      Local0.Debug      172.17.41.254      Jun 20 04:56:08 edge_atsnh 72750356F867a (Jun 20 04:56:08) iked TO    216.231.31.98 MM-HDR   ISA_SA ISA_VENDORID
2008-06-20 04:56:15      Local0.Warning      172.17.41.254      Jun 20 04:56:16 edge_atsnh 72750356F867a (Jun 20 04:56:16) iked Header invalid (unable to verify, msg = ISA_SA)
2008-06-20 04:56:17      Local0.Debug      172.17.41.254      Jun 20 04:56:18 edge_atsnh 72750356F867a (Jun 20 04:56:18) iked RE-TO 216.231.31.98 MM-HDR   ISA_SA ISA_VENDORID
2008-06-20 04:56:20      Local0.Warning      172.17.41.254      Jun 20 04:56:21 edge_atsnh 72750356F867a (Jun 20 04:56:21) kernel deny in eth0 36 igmp 24 1 73.166.208.1 224.0.0.1  (default)
2008-06-20 04:56:21      Local0.Warning      172.17.41.254      Jun 20 04:56:21 edge_atsnh 72750356F867a (Jun 20 04:56:21) kernel deny in eth0 348 udp 20 255 73.166.208.1 255.255.255.255 67 68  (broadcast)
2008-06-20 04:56:23      Local0.Warning      172.17.41.254      Jun 20 04:56:23 edge_atsnh 72750356F867a (Jun 20 04:56:23) kernel deny in eth0 128 udp 20 41 66.203.95.202 24.147.113.85 500 500  (default)
2008-06-20 04:56:23      Local0.Info      172.17.41.254      Jun 20 04:56:24 edge_atsnh 72750356F867a (Jun 20 04:56:24) iked Skipping duplicate packet from 216.231.31.98
2008-06-20 04:56:27      Local0.Debug      172.17.41.254      Jun 20 04:56:28 edge_atsnh 72750356F867a (Jun 20 04:56:28) iked RE-TO 216.231.31.98 MM-HDR   ISA_SA ISA_VENDORID
2008-06-20 04:56:31      Local0.Warning      172.17.41.254      Jun 20 04:56:31 edge_atsnh 72750356F867a (Jun 20 04:56:31) kernel deny in eth0 128 udp 20 41 66.203.95.202 24.147.113.85 500 500  (default)
2008-06-20 04:56:31      Local0.Info      172.17.41.254      Jun 20 04:56:32 edge_atsnh 72750356F867a (Jun 20 04:56:32) iked Skipping duplicate packet from 216.231.31.98
2008-06-20 04:56:36      Local0.Warning      172.17.41.254      Jun 20 04:56:37 edge_atsnh 72750356F867a (Jun 20 04:56:37) kernel deny in eth0 328 udp 20 255 73.166.208.1 255.255.255.255 67 68  (broadcast)
2008-06-20 04:56:37      Local0.Debug      172.17.41.254      Jun 20 04:56:37 edge_atsnh 72750356F867a (Jun 20 04:56:37) iked RE-TO 216.231.31.98 MM-HDR   ISA_SA ISA_VENDORID
2008-06-20 04:56:37      Local0.Debug      172.17.41.254      Jun 20 04:56:38 edge_atsnh 72750356F867a (Jun 20 04:56:38) iked FROM  216.231.31.98 IF-HDR*#-E647D20E ISA_HASH ISA_DELETE
2008-06-20 04:56:38      Local0.Debug      172.17.41.254      Jun 20 04:56:39 edge_atsnh 72750356F867a (Jun 20 04:56:39) iked iked_idle_loop: sending ping request to host 172.31.3.100 from 172.17.41.254
2008-06-20 04:56:38      Local0.Debug      172.17.41.254      Jun 20 04:56:39 edge_atsnh 72750356F867a (Jun 20 04:56:39) iked ping reply received from 172.31.3.100
2008-06-20 04:56:40      Local0.Warning      172.17.41.254      Jun 20 04:56:40 edge_atsnh 72750356F867a (Jun 20 04:56:40) kernel deny in eth0 128 udp 20 41 66.203.95.202 24.147.113.85 500 500  (default)
2008-06-20 04:56:47      Local0.Debug      172.17.41.254      Jun 20 04:56:48 edge_atsnh 72750356F867a (Jun 20 04:56:48) iked RE-TO 216.231.31.98 MM-HDR   ISA_SA ISA_VENDORID
2008-06-20 04:56:57      Local0.Warning      172.17.41.254      Jun 20 04:56:57 edge_atsnh 72750356F867a (Jun 20 04:56:57) kernel deny in eth0 128 udp 20 41 66.203.95.202 24.147.113.85 500 500  (default)
2008-06-20 04:56:57      Local0.Debug      172.17.41.254      Jun 20 04:56:58 edge_atsnh 72750356F867a (Jun 20 04:56:58) iked RE-TO 216.231.31.98 MM-HDR   ISA_SA ISA_VENDORID
2008-06-20 04:56:59      Local0.Debug      172.17.41.254      Jun 20 04:57:00 edge_atsnh 72750356F867a (Jun 20 04:57:00) iked Deleting SA: peer        216.231.31.98
2008-06-20 04:56:59      Local0.Debug      172.17.41.254      Jun 20 04:57:00 edge_atsnh 72750356F867a (Jun 20 04:57:00) iked              my_cookie   234D10A61C352EBB
2008-06-20 04:56:59      Local0.Debug      172.17.41.254      Jun 20 04:57:00 edge_atsnh 72750356F867a (Jun 20 04:57:00) iked              peer_cookie 224C356A7D08862F
2008-06-20 04:57:07      Local0.Error      172.17.41.254      Jun 20 04:57:08 edge_atsnh 72750356F867a (Jun 20 04:57:08) iked Moving to next redundant gateway
2008-06-20 04:57:07      Local0.Error      172.17.41.254      Jun 20 04:57:08 edge_atsnh 72750356F867a (Jun 20 04:57:08) iked Deleting route to <216.231.31.98>
2008-06-20 04:57:07      Local0.Info      172.17.41.254      Jun 20 04:57:08 edge_atsnh 72750356F867a (Jun 20 04:57:08) iked add_host_routes: adding route to 216.231.31.98 via dev eth0 with gw 24.147.113.86
2008-06-20 04:57:20      Local0.Warning      172.17.41.254      Jun 20 04:57:21 edge_atsnh 72750356F867a (Jun 20 04:57:21) kernel deny in eth0 36 igmp 24 1 73.166.208.1 224.0.0.1  (default)
2008-06-20 04:57:29      Local0.Debug      172.17.41.254      Jun 20 04:57:30 edge_atsnh 72750356F867a (Jun 20 04:57:30) iked Deleting SA: peer        216.231.31.98
2008-06-20 04:57:29      Local0.Debug      172.17.41.254      Jun 20 04:57:30 edge_atsnh 72750356F867a (Jun 20 04:57:30) iked              my_cookie   DD16DEA7DB597EC7
2008-06-20 04:57:29      Local0.Debug      172.17.41.254      Jun 20 04:57:30 edge_atsnh 72750356F867a (Jun 20 04:57:30) iked              peer_cookie D806171ABB36C584
2008-06-20 04:57:29      Local0.Info      172.17.41.254      Jun 20 04:57:30 edge_atsnh 72750356F867a (Jun 20 04:57:30) iked ipsec_rgw_is_dynamic: unable to find id
2008-06-20 04:57:38      Local0.Debug      172.17.41.254      Jun 20 04:57:39 edge_atsnh 72750356F867a (Jun 20 04:57:39) iked iked_idle_loop: sending ping request to host 172.31.3.100 from 172.17.41.254
2008-06-20 04:57:48      Local0.Error      172.17.41.254      Jun 20 04:57:49 edge_atsnh 72750356F867a (Jun 20 04:57:49) iked no ping reply received from host at 172.31.3.100
2008-06-20 04:57:49      Local0.Warning      172.17.41.254      Jun 20 04:57:50 edge_atsnh 72750356F867a (Jun 20 04:57:50) kernel deny in eth0 40 tcp 20 96 125.46.42.15 24.147.113.85 6000 2967 syn  (default)
2008-06-20 04:57:53      Local0.Warning      172.17.41.254      Jun 20 04:57:53 edge_atsnh 72750356F867a (Jun 20 04:57:53) kernel deny in eth0 128 udp 20 41 66.203.95.202 24.147.113.85 500 500  (default)
2008-06-20 04:58:01      Local0.Warning      172.17.41.254      Jun 20 04:58:01 edge_atsnh 72750356F867a (Jun 20 04:58:01) kernel deny in eth0 128 udp 20 41 66.203.95.202 24.147.113.85 500 500  (default)
2008-06-20 04:58:11      Local0.Warning      172.17.41.254      Jun 20 04:58:11 edge_atsnh 72750356F867a (Jun 20 04:58:11) kernel deny in eth0 128 udp 20 41 66.203.95.202 24.147.113.85 500 500  (default)
2008-06-20 04:58:20      Local0.Warning      172.17.41.254      Jun 20 04:58:21 edge_atsnh 72750356F867a (Jun 20 04:58:21) kernel deny in eth0 36 igmp 24 1 73.166.208.1 224.0.0.1  (default)
2008-06-20 04:58:21      Local0.Warning      172.17.41.254      Jun 20 04:58:21 edge_atsnh 72750356F867a (Jun 20 04:58:21) kernel deny in eth0 348 udp 20 255 73.166.208.1 255.255.255.255 67 68  (broadcast)
2008-06-20 04:58:28      Local0.Warning      172.17.41.254      Jun 20 04:58:28 edge_atsnh 72750356F867a (Jun 20 04:58:28) kernel deny in eth0 128 udp 20 41 66.203.95.202 24.147.113.85 500 500  (default)
2008-06-20 04:58:33      Local0.Debug      172.17.41.254      Jun 20 04:58:34 edge_atsnh 72750356F867a (Jun 20 04:58:34) iked FROM  216.231.31.98 MM-HDR   ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID
2008-06-20 04:58:34      Local0.Debug      172.17.41.254      Jun 20 04:58:34 edge_atsnh 72750356F867a (Jun 20 04:58:34) iked TO    216.231.31.98 MM-HDR   ISA_SA ISA_VENDORID
2008-06-20 04:58:34      Local0.Debug      172.17.41.254      Jun 20 04:58:34 edge_atsnh 72750356F867a (Jun 20 04:58:34) iked FROM  216.231.31.98 MM-HDR   ISA_KE ISA_NONCE ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID NAT-D NAT-D
2008-06-20 04:58:34      Local0.Error      172.17.41.254      Jun 20 04:58:35 edge_atsnh 72750356F867a (Jun 20 04:58:35) iked Rejecting peer XAUTH request: not configured
2008-06-20 04:58:34      Local0.Debug      172.17.41.254      Jun 20 04:58:35 edge_atsnh 72750356F867a (Jun 20 04:58:35) iked TO    216.231.31.98 MM-HDR   ISA_KE ISA_NONCE NAT-D NAT-D
2008-06-20 04:58:34      Local0.Debug      172.17.41.254      Jun 20 04:58:35 edge_atsnh 72750356F867a (Jun 20 04:58:35) iked CRYPTO ACTIVE after delay
2008-06-20 04:58:34      Local0.Debug      172.17.41.254      Jun 20 04:58:35 edge_atsnh 72750356F867a (Jun 20 04:58:35) iked FROM  216.231.31.98 MM-HDR*# ISA_ID ISA_HASH ISA_VENDORID
2008-06-20 04:58:34      Local0.Debug      172.17.41.254      Jun 20 04:58:35 edge_atsnh 72750356F867a (Jun 20 04:58:35) iked TO    216.231.31.98 MM-HDR*# ISA_ID ISA_HASH
2008-06-20 04:58:34      Local0.Debug      172.17.41.254      Jun 20 04:58:35 edge_atsnh 72750356F867a (Jun 20 04:58:35) iked FROM  216.231.31.98 QM-HDR*#-18C56B9C ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID ISA_NOTIFY
2008-06-20 04:58:34      Local0.Debug      172.17.41.254      Jun 20 04:58:35 edge_atsnh 72750356F867a (Jun 20 04:58:35) iked Received INITIAL_CONTACT message, mess_id=0x18C56B9C
2008-06-20 04:58:34      Local0.Warning      172.17.41.254      Jun 20 04:58:35 edge_atsnh 72750356F867a (Jun 20 04:58:35) iked Received INITIAL_CONTACT message from 216.231.31.98, expiring SAs (replay=0)
2008-06-20 04:58:34      Local0.Debug      172.17.41.254      Jun 20 04:58:35 edge_atsnh 72750356F867a (Jun 20 04:58:35) iked TO    216.231.31.98 QM-HDR*#-C02AF3F2 ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
2008-06-20 04:58:34      Local0.Debug      172.17.41.254      Jun 20 04:58:35 edge_atsnh 72750356F867a (Jun 20 04:58:35) iked TO    216.231.31.98 QM-HDR*#-18C56B9C ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
2008-06-20 04:58:34      Local0.Debug      172.17.41.254      Jun 20 04:58:35 edge_atsnh 72750356F867a (Jun 20 04:58:35) iked FROM  216.231.31.98 IF-HDR*#-FD5E1BAD ISA_HASH ISA_NOTIFY
2008-06-20 04:58:34      Local0.Debug      172.17.41.254      Jun 20 04:58:35 edge_atsnh 72750356F867a (Jun 20 04:58:35) iked Received NO_PROPOSAL_CHOSEN message, mess_id=0xFD5E1BAD
2008-06-20 04:58:34      Local0.Debug      172.17.41.254      Jun 20 04:58:35 edge_atsnh 72750356F867a (Jun 20 04:58:35) iked FROM  216.231.31.98 IF-HDR*#-44C69623 ISA_HASH ISA_DELETE
2008-06-20 04:58:43      Local0.Warning      172.17.41.254      Jun 20 04:58:44 edge_atsnh 72750356F867a (Jun 20 04:58:44) kernel deny in eth0 348 udp 20 255 73.166.208.1 255.255.255.255 67 68  (broadcast)
2008-06-20 04:58:49      Local0.Debug      172.17.41.254      Jun 20 04:58:49 edge_atsnh 72750356F867a (Jun 20 04:58:49) iked iked_idle_loop: sending ping request to host 172.31.3.100 from 172.17.41.254
2008-06-20 04:58:59      Local0.Error      172.17.41.254      Jun 20 04:58:59 edge_atsnh 72750356F867a (Jun 20 04:58:59) iked no ping reply received from host at 172.31.3.100
2008-06-20 04:58:59      Local0.Debug      172.17.41.254      Jun 20 04:59:00 edge_atsnh 72750356F867a (Jun 20 04:59:00) iked Deleting SA: peer        216.231.31.98
2008-06-20 04:58:59      Local0.Debug      172.17.41.254      Jun 20 04:59:00 edge_atsnh 72750356F867a (Jun 20 04:59:00) iked              my_cookie   69AE0AA166011A06
2008-06-20 04:58:59      Local0.Debug      172.17.41.254      Jun 20 04:59:00 edge_atsnh 72750356F867a (Jun 20 04:59:00) iked              peer_cookie E26B0868B1E716BE
2008-06-20 04:59:20      Local0.Warning      172.17.41.254      Jun 20 04:59:21 edge_atsnh 72750356F867a (Jun 20 04:59:21) kernel deny in eth0 36 igmp 24 1 73.166.208.1 224.0.0.1  (default)
2008-06-20 04:59:23      Local0.Warning      172.17.41.254      Jun 20 04:59:23 edge_atsnh 72750356F867a (Jun 20 04:59:23) kernel deny in eth0 128 udp 20 41 66.203.95.202 24.147.113.85 500 500  (default)
2008-06-20 04:59:31      Local0.Warning      172.17.41.254      Jun 20 04:59:31 edge_atsnh 72750356F867a (Jun 20 04:59:31) kernel deny in eth0 128 udp 20 41 66.203.95.202 24.147.113.85 500 500  (default)
2008-06-20 04:59:32      Local0.Info      172.17.41.254      Jun 20 04:59:33 edge_atsnh 72750356F867a (Jun 20 04:59:33) dhcpd DHCPACK on 172.17.41.105 to 00:50:ac:00:67:20 via eth1
2008-06-20 04:59:34      Local0.Warning      172.17.41.254      Jun 20 04:59:35 edge_atsnh 72750356F867a (Jun 20 04:59:35) kernel deny in eth0 328 udp 20 255 73.166.208.1 255.255.255.255 67 68  (broadcast)
2008-06-20 04:59:35      Local0.Warning      172.17.41.254      Jun 20 04:59:36 edge_atsnh 72750356F867a (Jun 20 04:59:36) kernel deny in eth0 328 udp 20 255 73.166.208.1 255.255.255.255 67 68  (broadcast)
2008-06-20 04:59:39      Local0.Debug      172.17.41.254      Jun 20 04:59:39 edge_atsnh 72750356F867a (Jun 20 04:59:39) iked FROM  216.231.31.98 MM-HDR   ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID
2008-06-20 04:59:39      Local0.Debug      172.17.41.254      Jun 20 04:59:39 edge_atsnh 72750356F867a (Jun 20 04:59:39) iked TO    216.231.31.98 MM-HDR   ISA_SA ISA_VENDORID
2008-06-20 04:59:39      Local0.Warning      172.17.41.254      Jun 20 04:59:39 edge_atsnh 72750356F867a (Jun 20 04:59:39) kernel deny in eth0 128 udp 20 41 66.203.95.202 24.147.113.85 500 500  (default)
2008-06-20 04:59:39      Local0.Debug      172.17.41.254      Jun 20 04:59:39 edge_atsnh 72750356F867a (Jun 20 04:59:39) iked FROM  216.231.31.98 MM-HDR   ISA_KE ISA_NONCE ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID NAT-D NAT-D
2008-06-20 04:59:39      Local0.Error      172.17.41.254      Jun 20 04:59:40 edge_atsnh 72750356F867a (Jun 20 04:59:40) iked Rejecting peer XAUTH request: not configured
2008-06-20 04:59:39      Local0.Debug      172.17.41.254      Jun 20 04:59:40 edge_atsnh 72750356F867a (Jun 20 04:59:40) iked TO    216.231.31.98 MM-HDR   ISA_KE ISA_NONCE NAT-D NAT-D
2008-06-20 04:59:39      Local0.Debug      172.17.41.254      Jun 20 04:59:40 edge_atsnh 72750356F867a (Jun 20 04:59:40) iked CRYPTO ACTIVE after delay
2008-06-20 04:59:39      Local0.Debug      172.17.41.254      Jun 20 04:59:40 edge_atsnh 72750356F867a (Jun 20 04:59:40) iked FROM  216.231.31.98 MM-HDR*# ISA_ID ISA_HASH ISA_VENDORID
2008-06-20 04:59:39      Local0.Debug      172.17.41.254      Jun 20 04:59:40 edge_atsnh 72750356F867a (Jun 20 04:59:40) iked TO    216.231.31.98 MM-HDR*# ISA_ID ISA_HASH
2008-06-20 04:59:39      Local0.Debug      172.17.41.254      Jun 20 04:59:40 edge_atsnh 72750356F867a (Jun 20 04:59:40) iked FROM  216.231.31.98 QM-HDR*#-432D083E ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID ISA_NOTIFY
2008-06-20 04:59:39      Local0.Debug      172.17.41.254      Jun 20 04:59:40 edge_atsnh 72750356F867a (Jun 20 04:59:40) iked Received INITIAL_CONTACT message, mess_id=0x432D083E
2008-06-20 04:59:39      Local0.Warning      172.17.41.254      Jun 20 04:59:40 edge_atsnh 72750356F867a (Jun 20 04:59:40) iked Received INITIAL_CONTACT message from 216.231.31.98, expiring SAs (replay=0)
2008-06-20 04:59:39      Local0.Debug      172.17.41.254      Jun 20 04:59:40 edge_atsnh 72750356F867a (Jun 20 04:59:40) iked TO    216.231.31.98 QM-HDR*#-D5ADFC6E ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
2008-06-20 04:59:39      Local0.Debug      172.17.41.254      Jun 20 04:59:40 edge_atsnh 72750356F867a (Jun 20 04:59:40) iked TO    216.231.31.98 QM-HDR*#-432D083E ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
2008-06-20 04:59:39      Local0.Debug      172.17.41.254      Jun 20 04:59:40 edge_atsnh 72750356F867a (Jun 20 04:59:40) iked FROM  216.231.31.98 IF-HDR*#-14AE9653 ISA_HASH ISA_NOTIFY
2008-06-20 04:59:39      Local0.Debug      172.17.41.254      Jun 20 04:59:40 edge_atsnh 72750356F867a (Jun 20 04:59:40) iked Received NO_PROPOSAL_CHOSEN message, mess_id=0x14AE9653
2008-06-20 04:59:39      Local0.Debug      172.17.41.254      Jun 20 04:59:40 edge_atsnh 72750356F867a (Jun 20 04:59:40) iked FROM  216.231.31.98 IF-HDR*#-0D90EDD0 ISA_HASH ISA_DELETE
2008-06-20 04:59:48      Local0.Warning      172.17.41.254      Jun 20 04:59:49 edge_atsnh 72750356F867a (Jun 20 04:59:49) kernel deny in eth0 328 udp 20 255 73.166.208.1 255.255.255.255 67 68  (broadcast)
2008-06-20 04:59:57      Local0.Warning      172.17.41.254      Jun 20 04:59:57 edge_atsnh 72750356F867a (Jun 20 04:59:57) kernel deny in eth0 128 udp 20 41 66.203.95.202 24.147.113.85 500 500  (default)
2008-06-20 04:59:59      Local0.Debug      172.17.41.254      Jun 20 04:59:59 edge_atsnh 72750356F867a (Jun 20 04:59:59) iked iked_idle_loop: sending ping request to host 172.31.3.100 from 172.17.41.254
2008-06-20 04:59:59      Local0.Debug      172.17.41.254      Jun 20 05:00:00 edge_atsnh 72750356F867a (Jun 20 05:00:00) iked Deleting SA: peer        216.231.31.98
2008-06-20 04:59:59      Local0.Debug      172.17.41.254      Jun 20 05:00:00 edge_atsnh 72750356F867a (Jun 20 05:00:00) iked              my_cookie   0B9C18BB88DA7F52
2008-06-20 04:59:59      Local0.Debug      172.17.41.254      Jun 20 05:00:00 edge_atsnh 72750356F867a (Jun 20 05:00:00) iked              peer_cookie AB143158A80A9E08
2008-06-20 05:00:09      Local0.Error      172.17.41.254      Jun 20 05:00:09 edge_atsnh 72750356F867a (Jun 20 05:00:09) iked no ping reply received from host at 172.31.3.100
----------------------------------------------------

Expert Comment

by:dpk_wal
ID: 21836213
I am listing below the messages from the logs you have posted and what they indicate:

The Phase I of VPN tunnel is not going through at this time:
2008-06-20 04:56:07      Local0.Debug      172.17.41.254      Jun 20 04:56:08 edge_atsnh 72750356F867a (Jun 20 04:56:08) iked FROM  216.231.31.98 MM-HDR   ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID
2008-06-20 04:56:08      Local0.Debug      172.17.41.254      Jun 20 04:56:08 edge_atsnh 72750356F867a (Jun 20 04:56:08) iked TO    216.231.31.98 MM-HDR   ISA_SA ISA_VENDORID
2008-06-20 04:56:15      Local0.Warning      172.17.41.254      Jun 20 04:56:16 edge_atsnh 72750356F867a (Jun 20 04:56:16) iked Header invalid (unable to verify, msg = ISA_SA)

Next redundant gateway: have you configured two tunnels on Edge for the same remote public IP? If yes, then can you remove one of the tunnels and check?
2008-06-20 04:57:07      Local0.Error      172.17.41.254      Jun 20 04:57:08 edge_atsnh 72750356F867a (Jun 20 04:57:08) iked Moving to next redundant gateway

Here, Edge thinks that remote gateway is dynamic and it is unable to find the IP or resolve FQDN. But as I remember the remote gateway has static IP.
2008-06-20 04:57:29      Local0.Info      172.17.41.254      Jun 20 04:57:30 edge_atsnh 72750356F867a (Jun 20 04:57:30) iked ipsec_rgw_is_dynamic: unable to find id

Here, phase I completed; but phase II is not completing:
2008-06-20 04:59:39      Local0.Debug      172.17.41.254      Jun 20 04:59:40 edge_atsnh 72750356F867a (Jun 20 04:59:40) iked FROM  216.231.31.98 QM-HDR*#-432D083E ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID ISA_NOTIFY

So within 3 minutes, Edge is able to get phase II going. I cannot say for sure what the problem is; but for one of the members I helped on EE, we reset the WG to factory defaults and then re-configured the VPN, and that solved the redundant VPN problem.
I cannot say for sure at this point what the problem is, but resetting Edge is one of the solutions we can try last.

Any update on setting DH 2 and it magically changing to 1?

What version of firmware is Edge running? You can upgrade to 10.x if not already on this version. This is the first thing we should try.

Please update.

Thank you.
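As an added example, not code from the thread or from WatchGuard: a small Python parser for the Edge syslog lines posted above that classifies the iked messages dpk_wal walks through, reports when the tunnel broke and what to compare on the two peers, and checks whether successive drops are evenly spaced (the "set our watch" symptom that points at a rekey lifetime). The event labels and finding texts are my own; the sample lines are abbreviated copies of the posted drop log.

```python
"""Parse WatchGuard Edge iked syslog lines and classify a tunnel drop.
Added example for this thread, not WatchGuard code; the line layout matches the
excerpts posted above, the event labels and finding texts are my own.
"""
import re
from collections import Counter
from datetime import datetime

# Layout of the posted lines:
# <syslog ts>  Local0.<level>  <reporting ip>  <device ts> <host> <serial> (<device ts>) <proc> <msg>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"Local0\.(?P<level>\w+)\s+(?P<src>[\d.]+)\s+"
    r"\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) (?P<serial>\S+) "
    r"\([^)]*\) (?P<proc>\w+) (?P<msg>.*)$"
)

# Substring of an iked message -> event label; first match wins, so the
# "no ping reply" needle must precede the plain "ping reply" one.
IKED_EVENTS = [
    ("no ping reply received", "KEEPALIVE_LOST"),
    ("ping reply received", "KEEPALIVE_OK"),
    ("sending ping request", "KEEPALIVE_SENT"),
    ("Header invalid", "PHASE1_VERIFY_FAIL"),
    ("Moving to next redundant gateway", "GATEWAY_FAILOVER"),
    ("ipsec_rgw_is_dynamic", "DYNAMIC_GW_LOOKUP"),
    ("Rejecting peer XAUTH", "XAUTH_MISMATCH"),
    ("Received INITIAL_CONTACT", "PEER_INITIAL_CONTACT"),
    ("NO_PROPOSAL_CHOSEN", "PHASE2_REJECTED"),
    ("ISA_DELETE", "PEER_SENT_DELETE"),
    ("Deleting SA", "SA_DELETED"),
]
FAILURE_EVENTS = {"KEEPALIVE_LOST", "PHASE1_VERIFY_FAIL", "PHASE2_REJECTED",
                  "SA_DELETED", "PEER_SENT_DELETE", "GATEWAY_FAILOVER"}

def parse_line(line):
    """Return a dict for one syslog line, or None if it is not in this layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    # Only iked messages are classified; kernel/dhcpd lines keep event=None.
    rec["event"] = next((label for needle, label in IKED_EVENTS
                         if needle in rec["msg"]), None) if rec["proc"] == "iked" else None
    return rec

def analyze(lines):
    """Count iked events, locate the first failure and say what to compare."""
    recs = [r for r in map(parse_line, lines) if r]
    counts = Counter(r["event"] for r in recs if r["event"])
    first_fail = next((r for r in recs if r["event"] in FAILURE_EVENTS), None)
    # The last successful keepalive before the first failure bounds the outage.
    last_ok = None
    for r in recs:
        if first_fail and r["ts"] >= first_fail["ts"]:
            break
        if r["event"] == "KEEPALIVE_OK":
            last_ok = r
    findings = []
    if counts["PHASE1_VERIFY_FAIL"]:
        findings.append("Phase 1 header not verified: compare PSK, DH group and Phase 1 proposal")
    if counts["PHASE2_REJECTED"]:
        findings.append("NO_PROPOSAL_CHOSEN in quick mode: compare Phase 2 auth/enc, PFS, networks")
    if counts["GATEWAY_FAILOVER"] or counts["DYNAMIC_GW_LOOKUP"]:
        findings.append("Redundant/dynamic gateway lookup: check for a duplicate tunnel to the peer")
    if counts["PEER_INITIAL_CONTACT"]:
        findings.append("Peer sent INITIAL_CONTACT (it restarted its SAs): read the remote log too")
    return {"counts": dict(counts),
            "outage_start": first_fail["ts"] if first_fail else None,
            "last_good_keepalive": last_ok["ts"] if last_ok else None,
            "findings": findings}

def common_drop_interval(outage_starts, tolerance_s=120):
    """Minutes between drops if they are evenly spaced (within tolerance), else
    None; a steady period equal to an IKE/IPSec lifetime is the rekey symptom."""
    gaps = [(b - a).total_seconds() for a, b in zip(outage_starts, outage_starts[1:])]
    if len(gaps) < 2 or max(gaps) - min(gaps) > tolerance_s:
        return None
    return round(sum(gaps) / len(gaps) / 60)

# Constructed sample: abbreviated copy of the drop log posted above.
SAMPLE = """\
2008-06-20 04:55:38      Local0.Debug      172.17.41.254      Jun 20 04:55:39 edge_atsnh 72750356F867a (Jun 20 04:55:39) iked ping reply received from 172.31.3.100
2008-06-20 04:56:15      Local0.Warning      172.17.41.254      Jun 20 04:56:16 edge_atsnh 72750356F867a (Jun 20 04:56:16) iked Header invalid (unable to verify, msg = ISA_SA)
2008-06-20 04:56:23      Local0.Warning      172.17.41.254      Jun 20 04:56:23 edge_atsnh 72750356F867a (Jun 20 04:56:23) kernel deny in eth0 128 udp 20 41 66.203.95.202 24.147.113.85 500 500  (default)
2008-06-20 04:57:07      Local0.Error      172.17.41.254      Jun 20 04:57:08 edge_atsnh 72750356F867a (Jun 20 04:57:08) iked Moving to next redundant gateway
2008-06-20 04:57:48      Local0.Error      172.17.41.254      Jun 20 04:57:49 edge_atsnh 72750356F867a (Jun 20 04:57:49) iked no ping reply received from host at 172.31.3.100
2008-06-20 04:59:39      Local0.Warning      172.17.41.254      Jun 20 04:59:40 edge_atsnh 72750356F867a (Jun 20 04:59:40) iked Received INITIAL_CONTACT message from 216.231.31.98, expiring SAs (replay=0)
2008-06-20 04:59:39      Local0.Debug      172.17.41.254      Jun 20 04:59:40 edge_atsnh 72750356F867a (Jun 20 04:59:40) iked Received NO_PROPOSAL_CHOSEN message, mess_id=0x14AE9653
"""

if __name__ == "__main__":
    print(analyze(SAMPLE.splitlines()))
```

Feed it the full export from the Edge's log viewer and pass the `outage_start` of each incident to `common_drop_interval`; a stable 70 that survives a manual key regeneration, as described in the question, is the pattern to take to the peer's lifetime settings.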

Author Comment

by:isdpcman
ID: 21838002
The first two paragraphs are a bit foreign to me, so I'll take a little more time later to digest them.

I found the problem with DH reverting from 2 back to 1. Apparently the WatchGuard tech support (who I gave remote access to) imported a previous configuration where DH=1. I reset DH back to 2 and so far it has been two days without a hitch. I'll review the logs to see if I'm getting any error messages. Thanks so far for your assistance.

Expert Comment

by:dpk_wal
ID: 21839836
Please keep updated, thank you.

Author Comment

by:isdpcman
ID: 21879541
Hi... so far so good. Our VPN seems to be working now that we switched our DH group setting to 2 instead of 1. I'm not sure how to close this so we can close the question.

Expert Comment

by:dpk_wal
ID: 21880834
Good to know that the problem is resolved! :)