Solved

Cisco RVS4000 drops tunnel DPD Error: R_U_THERE has invalid cookie

Posted on 2010-08-31
18
1,784 Views
Last Modified: 2012-05-10
I am trying to configure a VPN connection between a Cisco RVS4000 and PIX 501e.  The tunnel will connect periodically, but the tunnel drops a few minutes later with the following errors:

Aug 31 09:00:37 - [VPN Log]: "VPN1" #1: DPD Error: R_U_THERE has invalid rcookie (broken Cisco?)
Aug 31 09:00:37 - [VPN Log]: "VPN1" #1: sending encrypted notification INVALID_COOKIE to x.x.x.x:500
Aug 31 09:01:07 - [VPN Log]: "VPN1" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
Aug 31 09:01:07 - [VPN Log]: "VPN1" #1: received and ignored informational message
Aug 31 09:01:08 - [VPN Log]: "VPN1" #1: received Delete SA payload: deleting ISAKMP State #1

The ACLs and the protected subnets match, so it seems like a timing problem, but I don't know what I am missing.

The ISAKMP Policy on the PIX is as follows:

isakmp keepalive 30 30
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
0
Comment
Question by:evan021702
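The log excerpt in the question lends itself to a simple correlation check. The following is an added example, not code from the question, the answers, or Cisco: it parses RVS4000-style "[VPN Log]" lines, counts R_U_THERE invalid-cookie DPD errors per tunnel, and reports how many seconds later the ISAKMP SA was deleted, so that interval can be compared against the PIX's global "isakmp keepalive 30 30" timers. The sample lines are the ones posted above plus one constructed "VPN2" teardown for contrast; the year (the timestamps carry none), the 120-second correlation window and the VPN2 tunnel name are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the five lines from the question, plus an invented
# "VPN2" teardown with no preceding DPD error so the two cases can be told apart.
SAMPLE_LOG = """\
Aug 31 09:00:37 - [VPN Log]: "VPN1" #1: DPD Error: R_U_THERE has invalid rcookie (broken Cisco?)
Aug 31 09:00:37 - [VPN Log]: "VPN1" #1: sending encrypted notification INVALID_COOKIE to x.x.x.x:500
Aug 31 09:01:07 - [VPN Log]: "VPN1" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
Aug 31 09:01:07 - [VPN Log]: "VPN1" #1: received and ignored informational message
Aug 31 09:01:08 - [VPN Log]: "VPN1" #1: received Delete SA payload: deleting ISAKMP State #1
Aug 31 09:05:00 - [VPN Log]: "VPN2" #3: received Delete SA payload: deleting ISAKMP State #3
"""

# "Aug 31 09:00:37 - [VPN Log]: "VPN1" #1: <message>"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) - \[VPN Log\]: '
    r'"(?P<tunnel>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)


def parse_line(line, year=2010):
    """Return a dict for one VPN log line, or None if the line is not one.

    The syslog-style timestamp has no year, so a year is assumed (default 2010,
    the year of the question)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "tunnel": m["tunnel"], "state": int(m["state"]), "msg": m["msg"]}


def analyze(log_text, year=2010, window_s=120):
    """Per tunnel: count DPD invalid-cookie errors and measure how long after
    such an error the ISAKMP SA was torn down (within window_s seconds).

    Teardowns that are not preceded by a DPD cookie error within the window are
    counted separately; those are the ordinary rekey/delete events a healthy
    tunnel also produces."""
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    pending = {}   # tunnel -> timestamp of the first unmatched DPD cookie error
    report = {}
    for e in events:
        t = report.setdefault(
            e["tunnel"],
            {"dpd_cookie_errors": 0, "teardowns_after_dpd_s": [], "other_teardowns": 0},
        )
        msg = e["msg"]
        if msg.startswith("DPD Error") and "invalid" in msg and "cookie" in msg:
            t["dpd_cookie_errors"] += 1
            pending.setdefault(e["tunnel"], e["ts"])
        elif "deleting ISAKMP State" in msg:
            started = pending.pop(e["tunnel"], None)
            if started is not None and (e["ts"] - started).total_seconds() <= window_s:
                t["teardowns_after_dpd_s"].append((e["ts"] - started).total_seconds())
            else:
                t["other_teardowns"] += 1
    return report


def verdict(report):
    """Human-readable one-liners; a tunnel whose teardowns follow DPD cookie
    errors is flagged so the keepalive/DPD settings on both peers can be compared."""
    lines = []
    for tunnel, t in sorted(report.items()):
        if t["teardowns_after_dpd_s"]:
            gaps = ", ".join(f"{s:.0f}s" for s in t["teardowns_after_dpd_s"])
            lines.append(f"{tunnel}: {t['dpd_cookie_errors']} DPD cookie error(s); "
                         f"ISAKMP SA deleted {gaps} after the error -> check DPD/keepalive on both peers")
        else:
            lines.append(f"{tunnel}: no DPD-related teardown "
                         f"({t['other_teardowns']} ordinary Delete SA event(s))")
    return lines


if __name__ == "__main__":
    for line in verdict(analyze(SAMPLE_LOG)):
        print(line)
```

With the posted lines the script reports VPN1's ISAKMP SA being deleted 31 seconds after the invalid-cookie error, which is the figure to hold against the PIX's 30-second keepalive interval; the constructed VPN2 teardown is reported as an ordinary delete because no DPD error preceded it.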
18 Comments
 
LVL 1

Expert Comment

by:andrew_89
ID: 33569765
This looks like maybe the keepalive times don't match. The packet is malformed as one side is using an SA that has already been removed. Try clearing sessions on both sides and make sure keepalive and all other configs are the same between the 2 endpoints.


Also could be other things as well but this is a start anyway...
0
 
LVL 6

Author Comment

by:evan021702
ID: 33570651
Is there a way to configure the keepalive on the RVS4000?  The PIX is already using isakmp keepalive 30 30 globally.  I have been passing constant traffic through the VPN tunnel and it has not gone down, so I believe you are right, but I need to know the keepalive timing on the RVS to make sure they are the same and I cannot find where to configure that anywhere.
0
 
LVL 1

Expert Comment

by:andrew_89
ID: 33571493
Hmm. I have not worked with a Cisco RVS4000 and am not familiar with its CLI. Try removing the keep-alive from the PIX and then see if the issue continues. I suspect it will not.

0
 
LVL 1

Expert Comment

by:andrew_89
ID: 33571512
Ha, sorry, I did not read your entire post. It appears you already removed the keep-alive, which is why you have no issues. :)
0
 
LVL 1

Expert Comment

by:andrew_89
ID: 33571540
I found something in a Cisco forum that appears to indicate that this device does not support DPD, so you will not be able to use keep-alives.

https://supportforums.cisco.com/message/3100729
0
 
LVL 6

Author Comment

by:evan021702
ID: 33571572
I have not removed keepalive from the PIX, I just started a ping job from the remote office to the main office.  The tunnel stays up as long as there is traffic.  I cannot just remove keepalive from the PIX as there are six other tunnels on that device. I am upgrading the firmware as Cisco just came out with a new version.
0
 
LVL 1

Expert Comment

by:andrew_89
ID: 33572345
Yes they did, and that will not solve this issue as it still does not have support for DPD.
0
 
LVL 6

Author Comment

by:evan021702
ID: 33572361
So you are saying my only solution is to turn off the keepalive on the PIX.  How will that affect the other tunnels?
0
 
LVL 1

Accepted Solution

by:
andrew_89 earned 500 total points
ID: 33572422
No, that will be a headache as well and will cause more issues than it's worth. Unfortunately I don't see how you can get around this issue. Everything I have looked at says either remove the keep-alive or go get the RV042 or RVL200.

I have a PIX that has 16 tunnels with no DPD and it is pretty stable. However, there is value to using DPD and there are some applications that you would have to for various reasons.

Maybe someone else will have some magic here, but I doubt it.
0
 
LVL 6

Author Comment

by:evan021702
ID: 33572445
What if I do not use DPD, would the tunnel go down until traffic tries to cross it?  What are the possible drawbacks to it?  Would the tunnel not come back on automatically if the PIX on the remote end were rebooted?
0
 
LVL 1

Assisted Solution

by:andrew_89
andrew_89 earned 500 total points
ID: 33572494
The biggest drawback is if there is some issue on either end, the traffic could get blackholed in the meantime until the SA/IKE timers expired and forced a re-negotiation.  You would be forced to force it by doing clear crypto ipsec sa.

Honestly, if I had a choice I would be using it in my environment. The overhead is worth it, which you would learn the first time you have some network blip and people are complaining about VPN tunnel issues.  You would see things like SPI errors, as one host will still try to send packets to an SA that is already broken down, but since there are no keep-alives, it has no idea of the state of the other SA.
0
 
LVL 6

Author Comment

by:evan021702
ID: 33577278
Thanks Andrew, I am waiting on a call back from Cisco to confirm that they have not added this functionality.  Once I hear back I will award points.  Thanks again!
0
 
LVL 6

Author Comment

by:evan021702
ID: 33577803
Quick side question, could I disable isakmp keepalive for just the single tunnel on the PIX?
0
 
LVL 6

Author Comment

by:evan021702
ID: 33577889
Would the invalid SPI recovery help in this situation?

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_ispir.html

If the keepalive is tearing down the old tunnel, then would the recovery notify the RVS to create a new tunnel?
0
 
LVL 1

Assisted Solution

by:andrew_89
andrew_89 earned 500 total points
ID: 33578505
No, I have been trying to find a way to do this for a single tunnel, but since the commands are global on the PIX, you can't do it. In theory the SPI recovery should cause the re-negotiation, but imagine the overhead that you would get from the tunnel constantly going up/down again.

SPI recovery would help if you had no keep-alive configured. So instead of an end not knowing the state of the other side, the local host will know when it receives an invalid packet for an SA that is gone, and it will try to correct this by sending an error packet to the originator. The SADB is supposed to resync and hence resolve the issue.

0
 
LVL 68

Expert Comment

by:Qlemo
ID: 34459528
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0
