Solved

Cisco RVS4000 drops tunnel DPD Error: R_U_THERE has invalid cookie

Posted on 2010-08-31
1,773 Views
Last Modified: 2012-05-10
I am trying to configure a VPN connection between a Cisco RVS4000 and PIX 501e.  The tunnel will connect periodically, but the tunnel drops a few minutes later with the following errors:

Aug 31 09:00:37 - [VPN Log]: "VPN1" #1: DPD Error: R_U_THERE has invalid rcookie (broken Cisco?)
Aug 31 09:00:37 - [VPN Log]: "VPN1" #1: sending encrypted notification INVALID_COOKIE to x.x.x.x:500
Aug 31 09:01:07 - [VPN Log]: "VPN1" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
Aug 31 09:01:07 - [VPN Log]: "VPN1" #1: received and ignored informational message
Aug 31 09:01:08 - [VPN Log]: "VPN1" #1: received Delete SA payload: deleting ISAKMP State #1

The ACLs and the protected subnets match, so it seems like a timing problem, but I don't know what I am missing.

The ISAKMP Policy on the PIX is as follows:

isakmp keepalive 30 30
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

Question by:evan021702
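As an added illustration, not part of the original question or of either participant's posts, the following Python script parses log lines in the format quoted above and flags a tunnel whose DPD cookie-mismatch error is followed within a short window by deletion of the same ISAKMP state, which is the teardown pattern this thread is about. The sample lines are constructed from the excerpt in the question; the correlation window and the year used to complete the timestamps are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample, copied from the log excerpt in the question (not a live capture).
SAMPLE_LOG = """\
Aug 31 09:00:37 - [VPN Log]: "VPN1" #1: DPD Error: R_U_THERE has invalid rcookie (broken Cisco?)
Aug 31 09:00:37 - [VPN Log]: "VPN1" #1: sending encrypted notification INVALID_COOKIE to x.x.x.x:500
Aug 31 09:01:07 - [VPN Log]: "VPN1" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
Aug 31 09:01:07 - [VPN Log]: "VPN1" #1: received and ignored informational message
Aug 31 09:01:08 - [VPN Log]: "VPN1" #1: received Delete SA payload: deleting ISAKMP State #1
"""

# One line: "<Mon DD HH:MM:SS> - [VPN Log]: "<tunnel>" #<state>: <message>"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) - \[VPN Log\]: '
    r'"(?P<tunnel>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)


@dataclass
class Event:
    ts: datetime
    tunnel: str
    state: int
    kind: str  # dpd_invalid_cookie | invalid_cookie_sent | delete_isakmp | delete_ipsec | other
    msg: str


def classify(msg: str) -> str:
    """Map the free-text part of a line to a small set of event kinds."""
    if "DPD Error" in msg and "invalid" in msg and "cookie" in msg:
        return "dpd_invalid_cookie"
    if "INVALID_COOKIE" in msg:
        return "invalid_cookie_sent"
    if "Delete SA payload" in msg and "ISAKMP" in msg:
        return "delete_isakmp"
    if "Delete SA payload" in msg:
        return "delete_ipsec"
    return "other"


def parse_log(text: str, year: int = 2010) -> list:
    """Parse lines into Events; the log has no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line, skip rather than fail
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m["tunnel"], int(m["state"]), classify(m["msg"]), m["msg"]))
    return events


def detect_dpd_teardowns(events: list, window_seconds: int = 60) -> list:
    """Pair each DPD cookie error with the first later ISAKMP SA deletion for the
    same tunnel and state inside the window; each pair is one tunnel flap."""
    findings = []
    for err in (e for e in events if e.kind == "dpd_invalid_cookie"):
        for ev in events:
            gap = (ev.ts - err.ts).total_seconds()
            if (ev.kind == "delete_isakmp" and ev.tunnel == err.tunnel
                    and ev.state == err.state and 0 <= gap <= window_seconds):
                findings.append({"tunnel": err.tunnel, "state": err.state,
                                 "error_at": err.ts.isoformat(),
                                 "torn_down_at": ev.ts.isoformat(),
                                 "seconds": int(gap)})
                break
    return findings


if __name__ == "__main__":
    for f in detect_dpd_teardowns(parse_log(SAMPLE_LOG)):
        print(f"{f['tunnel']} state #{f['state']}: DPD cookie error at {f['error_at']}, "
              f"ISAKMP SA deleted {f['seconds']}s later")
```

Run against a syslog export from the RVS4000 and a repeated finding on one tunnel, with no matching finding on tunnels to peers that do support DPD, points at the peer rather than at the PIX configuration.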
18 Comments
 
LVL 1

Expert Comment

by:andrew_89
This looks like maybe keep alive times don't match. The packet is malformed as one side is using an sa that has already been removed. Try clearing sessions on both sides and make sure keep alive and all other configs are the same between 2 endpoints.

Also could be other things as well but this is a start anyway...
 
LVL 6

Author Comment

by:evan021702
Is there a way to configure the keepalive on the RVS4000? The PIX is already using isakmp keepalive 30 30 globally. I have been passing constant traffic through the VPN tunnel and it has not gone down, so I believe you are right, but I need to know the keep alive timing on the RVS to make sure they are the same and I cannot find where to configure that anywhere.
 
LVL 1

Expert Comment

by:andrew_89
Hmm. I have not worked with a Cisco RVS4000 and am not familiar with its CLI. Try removing the keep-alive from the PIX and then see if the issue continues. I suspect it will not.
 
LVL 1

Expert Comment

by:andrew_89
Ha, sorry, I did not read your entire post. It appears you already removed the keep-alive, which is why you have no issues. :)
 
LVL 1

Expert Comment

by:andrew_89
I found something in a Cisco forum that appears to indicate that this device does not support DPD, so you will not be able to use keep-alives.

https://supportforums.cisco.com/message/3100729
 
LVL 6

Author Comment

by:evan021702
I have not removed keep alive from the PIX, I just started a ping job from the remote office to the main office. The tunnel stays up as long as there is traffic. I cannot just remove keep alive from the PIX as there are six other tunnels on that device. I am upgrading the firmware as Cisco just came out with a new version.
 
LVL 1

Expert Comment

by:andrew_89
Yes, they did, and that will not solve this issue as it still does not have support for DPD.
 
LVL 6

Author Comment

by:evan021702
So you are saying my only solution is to turn off the keepalive on the PIX. How will that affect the other tunnels?
 
LVL 1

Accepted Solution

by:andrew_89
andrew_89 earned 500 total points
No, that will be a headache as well and will cause more issues than it's worth. Unfortunately I don't see how you can get around this issue. Everything I have looked at says either remove the keep-alive or go get the RV042 or RVL200.

I have a PIX that has 16 tunnels with no DPD and is pretty stable. However, there is value to using DPD and there are some applications that you would have to for various reasons.

Maybe someone else will have some magic here but I doubt it.
 
LVL 6

Author Comment

by:evan021702
What if I do not use DPD, would the tunnel go down until traffic tries to cross it? What are the possible drawbacks to it? Would the tunnel not come back on automatically if the PIX on the remote end were rebooted?
 
LVL 1

Assisted Solution

by:andrew_89
andrew_89 earned 500 total points
The biggest drawback is if there is some issue on either end the traffic could get blackholed in the meantime until the SA/IKE timers expired and forced a re-negotiation. You would be forced to force it by doing clear crypto ipsec sa....

Honestly, if I had a choice I would be using it in my environment. The overhead is worth it, which you would learn the first time you have some network blip and people are complaining about VPN tunnel issues. You would see things like SPI errors, as one host will still try to send packets to an SA that is already broken down, but since there are no keep-alives, it has no idea of the state of the other SA.
 
LVL 6

Author Comment

by:evan021702
Thanks Andrew, I am waiting on a call back from Cisco to confirm that they have not added this functionality. Once I hear back I will award points. Thanks again!
 
LVL 6

Author Comment

by:evan021702
Quick side question, could I disable isakmp keepalive for just the single tunnel on the PIX?
 
LVL 6

Author Comment

by:evan021702
Would the invalid SPI recovery help in this situation?

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_ispir.html

If the keepalive is tearing down the old tunnel, then would the recovery notify the RVS to create a new tunnel?
 
LVL 1

Assisted Solution

by:andrew_89
andrew_89 earned 500 total points
No, I have been trying to find a way to do this for a single tunnel, but since the commands are global on the PIX, you can't do it. In theory the SPI recovery should cause the re-negotiation, but imagine the overhead that you would get from the tunnel constantly going up/down again.

SPI recovery would help if you had no keep-alive configured. So instead of an end not knowing the state of the other side, the local host will know when it receives an invalid packet for an SA that is gone; it will try to correct this by sending an error packet to the originator. The SADB is supposed to resync and hence resolve the issue.
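
To make the trade-off described in the two replies above concrete, here is an added Python model, not code from this thread and not Cisco's implementation, of what happens after one end silently loses its SAs. With DPD the surviving peer notices after a few unanswered R_U_THERE probes (a probe carrying cookies the other side no longer knows gets no ACK); with invalid-SPI recovery the dead end answers the first data packet on the unknown SA with an INVALID_SPI notification and the sender tears down; with neither, traffic is blackholed until the SA lifetime runs out. The peer names, the one-probe-per-interval DPD schedule, the retry count and the shortened lifetime are simplifying assumptions, not the PIX's or the RVS4000's actual timer behaviour.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Added model with assumed timers; the real devices' DPD and SPI-recovery
# logic differs in detail (idle detection, retry backoff, notify handling).


@dataclass(frozen=True)
class IsakmpSA:
    """Phase 1 SA identified by its initiator/responder cookie pair."""
    icookie: bytes
    rcookie: bytes


@dataclass
class Peer:
    name: str
    dpd_interval: Optional[int] = None  # seconds between R_U_THERE probes; None = DPD off
    dpd_retries: int = 3                # unanswered probes tolerated before teardown (assumed)
    spi_recovery: bool = False          # answer traffic on an unknown SA with INVALID_SPI
    sa: Optional[IsakmpSA] = None
    missed_probes: int = 0
    log: list = field(default_factory=list)

    def reboot(self) -> None:
        """A restart wipes the SADB; the remote end is not told."""
        self.sa = None
        self.missed_probes = 0
        self.log.append(f"{self.name}: rebooted, SADB lost")

    def recv_r_u_there(self, icookie: bytes, rcookie: bytes) -> bool:
        """DPD probe: R_U_THERE_ACK only if the cookies name a live SA, otherwise dropped."""
        if self.sa is not None and (self.sa.icookie, self.sa.rcookie) == (icookie, rcookie):
            return True
        self.log.append(f"{self.name}: R_U_THERE with unknown cookies, no ACK sent")
        return False

    def recv_esp(self, sa: IsakmpSA) -> str:
        """Data packet: 'ok' on the live SA; otherwise silently dropped, or
        answered with INVALID_SPI when SPI recovery is enabled."""
        if self.sa == sa:
            return "ok"
        if self.spi_recovery:
            self.log.append(f"{self.name}: packet for unknown SA, sending INVALID_SPI")
            return "invalid_spi"
        return "drop"


def establish(a: Peer, b: Peer) -> IsakmpSA:
    """Phase 1 completes: both ends store the same cookie pair."""
    sa = IsakmpSA(secrets.token_bytes(8), secrets.token_bytes(8))
    a.sa = b.sa = sa
    a.missed_probes = b.missed_probes = 0
    return sa


def simulate(dpd_interval=None, dpd_retries=3, spi_recovery=False,
             sa_lifetime=3600, reboot_at=100) -> dict:
    """One-second steps: A sends a packet to B every second, B silently reboots
    at the end of step reboot_at, and we record when A tears down the stale SA."""
    a = Peer("PIX", dpd_interval=dpd_interval, dpd_retries=dpd_retries)
    b = Peer("RVS4000", spi_recovery=spi_recovery)
    sa = establish(a, b)
    for t in range(sa_lifetime):
        # Data traffic: with SPI recovery the first packet after the reboot is answered.
        if b.recv_esp(sa) == "invalid_spi":
            return {"reason": "invalid_spi_notify", "teardown_at": t,
                    "blackholed_seconds": t - reboot_at}
        # DPD probe on schedule (simplified: every interval, idle or not).
        if a.dpd_interval and t > 0 and t % a.dpd_interval == 0:
            if b.recv_r_u_there(sa.icookie, sa.rcookie):
                a.missed_probes = 0
            else:
                a.missed_probes += 1
                if a.missed_probes >= a.dpd_retries:
                    return {"reason": "dpd_timeout", "teardown_at": t,
                            "blackholed_seconds": t - reboot_at}
        if t == reboot_at:
            b.reboot()
    # Nothing noticed: the stale SA lives until its lifetime expires.
    return {"reason": "sa_lifetime_expired", "teardown_at": sa_lifetime,
            "blackholed_seconds": sa_lifetime - reboot_at}


if __name__ == "__main__":
    for args in ({"dpd_interval": 30}, {"spi_recovery": True}, {}):
        print(args, simulate(**args))
```

The third run is the case the thread is worried about: with no keep-alive and no SPI recovery, the surviving end keeps encrypting into an SA the other side has forgotten, and only the SA lifetime (86400 seconds in the PIX policy quoted above) ends the outage unless someone clears the SA by hand.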
 
LVL 68

Expert Comment

by:Qlemo
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
