Solved

Site to Site VPN Tunnel

Posted on 2008-11-18
1,190 Views
Last Modified: 2012-08-13
We have configured a site-to-site IPSec VPN tunnel between a Netscreen SSG and a Nortel 1700. The tunnel was working fine until last week; since then we have been facing issues with the tunnel going down at a specific time period, and we need to disable and enable the SA for the VPN tunnel to get it active again. This has become routine for the last week.

Phase 1 : ESP/3DES/MD5 - 86400
Phase 2 : ESP/3des/MD5

We have the following logs from the SSG:
IKE<XXX.xXX.XXX.XXX> re-trans timer expired, msg retry (6) (0001/0)
IKE XXX.xXX.XXX.XXX Phase 1: Retransmission limit has been reached

Syslogs from Nortel 1700:
Nov 18 05:08:45 XXX.XXX.XXX.XXX  7376 11/18/2008 05:02:35 tEvtLgMgr 0 : Security [11] Session: network IPSEC[XXX.XXX.XXX.XXX-255.255.255.255] attempting login

Nov 18 05:08:45 XXX.XXX.XXX.XXX  7376 11/18/2008 05:02:35 tEvtLgMgr 0 : Security [11] Session: network IPSEC[XXX.XXX.XXX.XXX-255.255.255.255] logged in from gateway [XXX.XXX.XXX.XXX]

Nov 18 05:08:45 XXX.XXX.XXX.XXX  7376 11/18/2008 05:02:35 tEvtLgMgr 0 : Security [12] Session: IPSEC[XXX.XXX.XXX.XXX]:28836 physical addresses: remote XXX.XXX.XXX.XXX local XXX.XXX.XXX.XXX

Nov 18 05:08:45 XXX.XXX.XXX.XXX  7376 11/18/2008 05:02:35 tEvtLgMgr 0 : Security [12] Session: IPSEC[-]:29483 physical addresses: remote XXX.XXX.XXX.XXX local XXX.XXX.XXX.XXX

Nov 18 05:09:35 XXX.XXX.XXX.XXX  7376 11/18/2008 05:03:28 tEvtLgMgr 0 : Security [11] Session: IPSEC[XXX.XXX.XXX.XXX] attempting login

Nov 18 05:09:35 XXX.XXX.XXX.XXX  7376 11/18/2008 05:03:28 tEvtLgMgr 0 : Security [11] Session: IPSEC[XXX.XXX.XXX.XXX] attempting login

Nov 18 05:09:35 XXX.XXX.XXX.XXX  7376 11/18/2008 05:03:28 tEvtLgMgr 0 : Security [11] Session: IPSEC[XXX.XXX.XXX.XXX] attempting login

Nov 18 05:09:35 XXX.XXX.XXX.XXX  7376 11/18/2008 05:03:28 tEvtLgMgr 0 : Security [12] Session 912e2c0:  IPSEC[XXX.XXX.XXX.XXX]:28836 sib 0 logged out

Nov 18 05:09:35 XXX.XXX.XXX.XXX  7376 11/18/2008 05:03:28 tEvtLgMgr 0 : Security [11] Session: IPSEC[XXX.XXX.XXX.XXX] attempting login

Nov 18 05:09:35 XXX.XXX.XXX.XXX  7376 11/18/2008 05:03:28 tIsakmp 0 : Failed Login Attempt: Username=XXX.XXX.XXX.XXX: Date/Time=11/18/2008 05:03:28

Nov 18 05:09:35 XXX.XXX.XXX.XXX  7376 11/18/2008 05:03:28 tIsakmp 0 : Failed Login Attempt: Username=XXX.XXX.XXX.XXX: Date/Time=11/18/2008 05:03:28

Nov 18 05:09:35 XXX.XXX.XXX.XXX  7376 11/18/2008 05:03:28 tIsakmp 0 : Failed Login Attempt: Username=XXX.XXX.XXX.XXX: Date/Time=11/18/2008 05:03:28

Nov 18 05:10:41 XXX.XXX.XXX.XXX  7376 11/18/2008 05:04:32 tEvtLgMgr 0 : Security [13] Session: IPSEC[XXX.XXX.XXX.XXX]:29484 No response from client - logging out

Nov 18 05:10:41 XXX.XXX.XXX.XXX  7376 11/18/2008 05:04:32 tIsakmp 0 : Failed Login Attempt: Username=XXX.XXX.XXX.XXX: Date/Time=11/18/2008 05:04:32

Question by:AnandNallamala
7 Comments
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 22999823
It looks like there is a config mismatch relating to the key exchange.
I would double check to make sure nothing has been changed on either VPN.
The 1700's config log goes back 60 days so you should be able to track that end pretty easily.

Author Comment

by:AnandNallamala
ID: 23000902
We have solved the problem. The Nortel 1700 was sending P1 with a different set of policies. We have changed the SSG P1 to ESP/SHA/3DES and the tunnel is back and active.
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 23021165
It sounds like someone did change something in the config.

Author Comment

by:AnandNallamala
ID: 23028016
What we heard from my client is that the Nortel 1700 doesn't have any P1 config; it accepts the other side's VPN config. I am not sure about this, I don't have much knowledge of Nortel Contivity. Kind of weird.
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 23034078
They have the same information in the Nortel 1700 they just don't call it p1.

Author Comment

by:AnandNallamala
ID: 23833897
The problem has been solved. We can close this topic.
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 23886702
PAQed with points refunded (250)

Computer101
EE Admin