Cisco RVS4000 drops tunnel DPD Error: R_U_THERE has invalid cookie

Posted on 2010-08-31
1,863 Views
Last Modified: 2012-05-10
I am trying to configure a VPN connection between a Cisco RVS4000 and PIX 501e. The tunnel will connect periodically, but the tunnel drops a few minutes later with the following errors:

Aug 31 09:00:37 - [VPN Log]: "VPN1" #1: DPD Error: R_U_THERE has invalid rcookie (broken Cisco?)
Aug 31 09:00:37 - [VPN Log]: "VPN1" #1: sending encrypted notification INVALID_COOKIE to x.x.x.x:500
Aug 31 09:01:07 - [VPN Log]: "VPN1" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
Aug 31 09:01:07 - [VPN Log]: "VPN1" #1: received and ignored informational message
Aug 31 09:01:08 - [VPN Log]: "VPN1" #1: received Delete SA payload: deleting ISAKMP State #1

The ACLs and the protected subnets match, so it seems like a timing problem, but I don't know what I am missing.

The ISAKMP Policy on the PIX is as follows:

isakmp keepalive 30 30
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
Question by:evan021702
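As an added example (not from the thread or from Cisco), a small Python script that scans RVS4000 syslog lines in the "[VPN Log]" format quoted above and flags tunnels where a DPD R_U_THERE invalid-cookie error is followed within a short window by an ISAKMP SA deletion, i.e. where the keepalive itself tore the tunnel down. The embedded log lines are constructed to match the question's output, with a documentation-range peer address standing in for x.x.x.x.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the RVS4000 "[VPN Log]" format quoted in the question;
# not captured from a real device. 192.0.2.10 is a placeholder peer address.
SAMPLE_LOG = """\
Aug 31 09:00:37 - [VPN Log]: "VPN1" #1: DPD Error: R_U_THERE has invalid rcookie (broken Cisco?)
Aug 31 09:00:37 - [VPN Log]: "VPN1" #1: sending encrypted notification INVALID_COOKIE to 192.0.2.10:500
Aug 31 09:01:07 - [VPN Log]: "VPN1" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
Aug 31 09:01:07 - [VPN Log]: "VPN1" #1: received and ignored informational message
Aug 31 09:01:08 - [VPN Log]: "VPN1" #1: received Delete SA payload: deleting ISAKMP State #1
Aug 31 09:45:12 - [VPN Log]: "VPN2" #3: received Delete SA payload: deleting ISAKMP State #3
"""

# Timestamp, quoted connection name, ISAKMP state number, free-text message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) - \[VPN Log\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)

def parse_line(line, year=2010):
    """Parse one VPN Log line into a dict, or return None if it does not match.
    Syslog lines carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "conn": m["conn"], "state": int(m["state"]), "msg": m["msg"]}

def find_dpd_teardowns(log_text, window_s=120):
    """Return {conn: [(dpd_error_ts, isakmp_delete_ts), ...]} for every tunnel
    where an R_U_THERE invalid-cookie error was followed within window_s
    seconds by deletion of the ISAKMP SA. Deletions with no preceding DPD
    error (normal rekeys, admin clears) are not reported."""
    pending = defaultdict(list)   # conn -> timestamps of unmatched DPD errors
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if "DPD Error: R_U_THERE has invalid rcookie" in ev["msg"]:
            pending[ev["conn"]].append(ev["ts"])
        elif "deleting ISAKMP State" in ev["msg"]:
            for t in pending[ev["conn"]]:
                if 0 <= (ev["ts"] - t).total_seconds() <= window_s:
                    hits[ev["conn"]].append((t, ev["ts"]))
            pending[ev["conn"]].clear()
    return dict(hits)
```

Run over a longer syslog export, a tunnel that keeps appearing in the result while its peers stay quiet is the one whose DPD exchange is failing, which matches the RVS4000/PIX pairing discussed in this thread.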
LVL 1

Expert Comment

by:andrew_89
ID: 33569765
This looks like maybe the keep-alive times don't match. The packet is malformed as one side is using an SA that has already been removed. Try clearing sessions on both sides and make sure keep-alive and all other configs are the same between the two endpoints.


It could also be other things as well, but this is a start anyway...
 
LVL 6

Author Comment

by:evan021702
ID: 33570651
Is there a way to configure the keepalive on the RVS4000? The PIX is already using isakmp keepalive 30 30 globally. I have been passing constant traffic through the VPN tunnel and it has not gone down, so I believe you are right, but I need to know the keepalive timing on the RVS to make sure they are the same and I cannot find where to configure that anywhere.
 
LVL 1

Expert Comment

by:andrew_89
ID: 33571493
Hmm. I have not worked with a Cisco RVS4000 and am not familiar with its CLI. Try removing the keep-alive from the PIX and then see if the issue continues. I suspect it will not.

LVL 1

Expert Comment

by:andrew_89
ID: 33571512
Ha, sorry, I did not read your entire post. It appears you already removed the keep-alive, which is why you have no issues. :)
 
LVL 1

Expert Comment

by:andrew_89
ID: 33571540
I found something in a Cisco forum that appears to indicate that this device does not support DPD, so you will not be able to use keep-alives.

https://supportforums.cisco.com/message/3100729
 
LVL 6

Author Comment

by:evan021702
ID: 33571572
I have not removed keepalive from the PIX; I just started a ping job from the remote office to the main office. The tunnel stays up as long as there is traffic. I cannot just remove keepalive from the PIX as there are six other tunnels on that device. I am upgrading the firmware as Cisco just came out with a new version.
 
LVL 1

Expert Comment

by:andrew_89
ID: 33572345
Yes they did, and that will not solve this issue as it still does not have support for DPD.
 
LVL 6

Author Comment

by:evan021702
ID: 33572361
So you are saying my only solution is to turn off the keepalive on the PIX. How will that affect the other tunnels?
 
LVL 1

Accepted Solution

by:andrew_89
andrew_89 earned 2000 total points
ID: 33572422
No, that will be a headache as well and will cause more issues than it's worth. Unfortunately I don't see how you can get around this issue. Everything I have looked at says either remove the keep-alive or go get the RV042 or RVL200.

I have a PIX that has 16 tunnels with no DPD and it is pretty stable. However, there is value to using DPD, and there are some applications that you would have to for various reasons.

Maybe someone else will have some magic here, but I doubt it.
 
LVL 6

Author Comment

by:evan021702
ID: 33572445
What if I do not use DPD, would the tunnel go down until traffic tries to cross it? What are the possible drawbacks to it? Would the tunnel not come back on automatically if the PIX on the remote end were rebooted?
 
LVL 1

Assisted Solution

by:andrew_89
andrew_89 earned 2000 total points
ID: 33572494
The biggest drawback is that if there is some issue on either end, the traffic could get blackholed in the meantime until the SA/IKE timers expired and forced a re-negotiation. You would have to force it by doing clear crypto ipsec sa....

Honestly, if I had a choice I would be using it in my environment. The overhead is worth it, which you would learn the first time you have some network blip and people are complaining about VPN tunnel issues. You would see things like SPI errors, as one host will still try to send packets to an SA that is already broken down, but since there are no keep-alives it has no idea of the state of the other SA.
 
LVL 6

Author Comment

by:evan021702
ID: 33577278
Thanks Andrew, I am waiting on a call back from Cisco to confirm that they have not added this functionality. Once I hear back I will award points. Thanks again!
 
LVL 6

Author Comment

by:evan021702
ID: 33577803
Quick side question, could I disable isakmp keepalive for just the single tunnel on the PIX?
 
LVL 6

Author Comment

by:evan021702
ID: 33577889
Would the invalid SPI recovery help in this situation?

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_ispir.html

If the keepalive is tearing down the old tunnel, then would the recovery notify the RVS to create a new tunnel?
 
LVL 1

Assisted Solution

by:andrew_89
andrew_89 earned 2000 total points
ID: 33578505
No, I have been trying to find a way to do this for a single tunnel, but since the commands are global on the PIX, you can't do it. In theory the SPI recovery should cause the re-negotiation, but imagine the overhead that you would get from the tunnel constantly going up/down again.

SPI recovery would help if you had no keep-alive configured. So instead of an end not knowing the state of the other side, the local host will know when it receives an invalid packet for an SA that is gone, and it will try to correct this by sending an error packet to the originator. The SADB is supposed to resynch and hence resolve the issue.

 
LVL 71

Expert Comment

by:Qlemo
ID: 34459528
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.