Cisco RVS4000 drops tunnel DPD Error: R_U_THERE has invalid cookie

I am trying to configure a VPN connection between a Cisco RVS4000 and PIX 501e.  The tunnel will connect periodically, but the tunnel drops a few minutes later with the following errors:

Aug 31 09:00:37 - [VPN Log]: "VPN1" #1: DPD Error: R_U_THERE has invalid rcookie (broken Cisco?)
Aug 31 09:00:37 - [VPN Log]: "VPN1" #1: sending encrypted notification INVALID_COOKIE to x.x.x.x:500
Aug 31 09:01:07 - [VPN Log]: "VPN1" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
Aug 31 09:01:07 - [VPN Log]: "VPN1" #1: received and ignored informational message
Aug 31 09:01:08 - [VPN Log]: "VPN1" #1: received Delete SA payload: deleting ISAKMP State #1

The ACLs and the protected subnets match, so it seems like a timing problem, but I don't know what I am missing.

The ISAKMP Policy on the PIX is as follows:

isakmp keepalive 30 30
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
Asked by: evan021702
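Added example, not from the question or from either device: a small checker that runs over the log lines quoted above and flags a DPD invalid-cookie error that ends in the same ISAKMP state being deleted. The sample lines are a constructed copy of the question's log plus a second connection ("VPN2", assumed) that errors without teardown; the year is assumed, since the log format omits it.

```python
import re
from datetime import datetime

# Constructed sample modelled on the "[VPN Log]" lines quoted in the question;
# the VPN2 lines are added to show a probe error that does NOT end in teardown.
SAMPLE_LOG = """\
Aug 31 09:00:37 - [VPN Log]: "VPN1" #1: DPD Error: R_U_THERE has invalid rcookie (broken Cisco?)
Aug 31 09:00:37 - [VPN Log]: "VPN1" #1: sending encrypted notification INVALID_COOKIE to x.x.x.x:500
Aug 31 09:01:07 - [VPN Log]: "VPN1" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
Aug 31 09:01:07 - [VPN Log]: "VPN1" #1: received and ignored informational message
Aug 31 09:01:08 - [VPN Log]: "VPN1" #1: received Delete SA payload: deleting ISAKMP State #1
Aug 31 09:05:00 - [VPN Log]: "VPN2" #3: DPD Error: R_U_THERE has invalid rcookie (broken Cisco?)
Aug 31 09:05:01 - [VPN Log]: "VPN2" #3: sending encrypted notification INVALID_COOKIE to x.x.x.x:500
"""

LINE_RE = re.compile(
    r'^(?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) - \[VPN Log\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)

def parse_line(line, year=2011):
    """Split one log line into timestamp, connection name, ISAKMP state and message.
    The log carries no year, so a constructed one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "conn": m["conn"], "state": int(m["state"]), "msg": m["msg"]}

def find_dpd_teardowns(log_text, window_s=120):
    """Return one finding per DPD invalid-cookie error that is followed, within
    window_s seconds, by deletion of the same connection's ISAKMP state."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []
    for i, err in enumerate(events):
        if "R_U_THERE has invalid rcookie" not in err["msg"]:
            continue
        for later in events[i + 1:]:
            if (later["ts"] - err["ts"]).total_seconds() > window_s:
                break  # lines are chronological, nothing later can qualify
            if later["conn"] != err["conn"] or later["state"] != err["state"]:
                continue
            if "deleting ISAKMP State" in later["msg"]:
                findings.append({"conn": err["conn"], "state": err["state"],
                                 "seconds_to_teardown": (later["ts"] - err["ts"]).total_seconds()})
                break
    return findings
```

On the sample above only VPN1 is reported, 31 seconds from the invalid-cookie error to the ISAKMP state being deleted.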
andrew_89 commented:
This looks like maybe keep alive times don't match. The packet is malformed as one side is using an SA that has already been removed. Try clearing sessions on both sides and make sure keep alive and all other configs are the same between the 2 endpoints.


Also could be other things as well but this is a start anyway...
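As an added illustration of the diagnosis above (example code, not from the RVS4000 or the PIX), a simplified model of the IKEv1 DPD exchange from RFC 3706: the R_U_THERE notify identifies the ISAKMP SA by its initiator/responder cookie pair, so a probe that still carries the cookies of an SA the receiver has already replaced is answered with INVALID_COOKIE, and a probe whose sequence number does not increase is dropped. Cookie values, SA numbering and the sender/receiver roles are constructed.

```python
import os
from dataclasses import dataclass, field

@dataclass
class IsakmpSa:
    icookie: bytes
    rcookie: bytes
    last_dpd_seq: int = 0  # highest R_U_THERE sequence number accepted so far

@dataclass
class Peer:
    """The ISAKMP SAs one endpoint currently considers live, keyed by cookie pair."""
    sas: dict = field(default_factory=dict)

    def establish(self, icookie=None, rcookie=None):
        # Constructed cookies stand in for the 8-byte values exchanged in Phase 1.
        sa = IsakmpSa(icookie or os.urandom(8), rcookie or os.urandom(8))
        self.sas[(sa.icookie, sa.rcookie)] = sa
        return sa

    def delete(self, sa):
        # Effect of a "Delete SA payload": this endpoint forgets the cookie pair.
        self.sas.pop((sa.icookie, sa.rcookie), None)

    def handle_r_u_there(self, icookie, rcookie, seq):
        """Validate an incoming R_U_THERE. The SPI field of the notify carries the
        ISAKMP cookie pair, and the sequence number must strictly increase."""
        sa = self.sas.get((icookie, rcookie))
        if sa is None:
            return "INVALID_COOKIE"  # no live SA has these cookies (stale probe)
        if seq <= sa.last_dpd_seq:
            return "IGNORED"         # replayed or out-of-order probe is dropped
        sa.last_dpd_seq = seq
        return "R_U_THERE_ACK"

def stale_sa_scenario():
    """The sender keeps probing an ISAKMP SA that the receiver has already replaced."""
    sender, receiver = Peer(), Peer()
    old = sender.establish()
    receiver.establish(old.icookie, old.rcookie)  # both sides start with SA #1
    first = receiver.handle_r_u_there(old.icookie, old.rcookie, seq=1)
    # Phase 1 is renegotiated on the receiver: new cookie pair, SA #1 deleted.
    new = receiver.establish()
    receiver.delete(old)
    stale = receiver.handle_r_u_there(old.icookie, old.rcookie, seq=2)
    fresh = receiver.handle_r_u_there(new.icookie, new.rcookie, seq=1)
    return first, stale, fresh
```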
evan021702 (author) commented:
Is there a way to configure the keepalive on the RVS4000?  The PIX is already using isakmp keepalive 30 30 globally.  I have been passing constant traffic through the VPN tunnel and it has not gone down, so I believe you are right, but I need to know the keep alive timing on the RVS to make sure they are the same and I cannot find where to configure that anywhere.
andrew_89 commented:
Hmm. I have not worked with a Cisco RVS4000 and am not familiar with its CLI. Try removing the keep-alive from the PIX and then see if the issue continues. I suspect it will not.

andrew_89 commented:
Ha sorry I did not read your entire post. It appears you already removed the keep-alive, which is why you have no issues.. :)
andrew_89 commented:
I found something in a Cisco forum that appears to indicate that this device does not support DPD, so you will not be able to use keep-alives.

https://supportforums.cisco.com/message/3100729
evan021702 (author) commented:
I have not removed keep alive from the PIX, I just started a ping job from the remote office to the main office.  The tunnel stays up as long as there is traffic.  I cannot just remove keep alive from the PIX as there are six other tunnels on that device. I am upgrading the firmware as Cisco just came out with a new version.
andrew_89 commented:
Yes, they did, and that will not solve this issue as it still does not have support for DPD.
evan021702 (author) commented:
So you are saying my only solution is to turn off the keepalive on the PIX.  How will that affect the other tunnels?
andrew_89 commented:
No, that will be a headache as well and will cause more issues than it's worth. Unfortunately I don't see how you can get around this issue. Everything I have looked at says either remove the keep-alive or go get the RV042 or RVL200.

I have a PIX that has 16 tunnels with no DPD and is pretty stable. However, there is value to using DPD and there are some applications that you would have to for various reasons.

Maybe someone else will have some magic here but I doubt it.
evan021702 (author) commented:
What if I do not use DPD, would the tunnel go down until traffic tries to cross it?  What are the possible drawbacks to it?  Would the tunnel not come back on automatically if the PIX on the remote end were rebooted?
andrew_89 commented:
The biggest drawback is if there is some issue on either end the traffic could get blackholed in the meantime until the SA/IKE timers expired and forced a re-negotiation.  You would be forced to force it by doing clear crypto ipsec sa.

Honestly, if I had a choice I would be using it in my environment. The overhead is worth it, which you would learn the first time you have some network blip and people are complaining about VPN tunnel issues.  You would see things like SPI errors as one host will still try to send packets to an SA that is already broken down, but since there are no keep-alives, it has no idea of the state of the other SA.
evan021702 (author) commented:
Thanks andrew, I am waiting on a call back from Cisco to confirm that they have not added this functionality.  Once I hear back I will award points.  Thanks again!
evan021702 (author) commented:
Quick side question, could I disable isakmp keepalive for just the single tunnel on the PIX?
evan021702 (author) commented:
Would the invalid SPI recovery help in this situation?

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_ispir.html

If the keepalive is tearing down the old tunnel, then would the recovery notify the RVS to create a new tunnel?
andrew_89 commented:
No, I have been trying to find a way to do this for a single tunnel, but since the commands are global on the PIX, you can't do it. In theory the SPI recovery should cause the re-negotiation, but imagine the overhead that you would get from the tunnel constantly going up/down again.

SPI recovery would help if you had no keep-alive configured. So instead of an end not knowing the state of the other side, when the local host receives an invalid packet for an SA that is gone, it will try to correct this by sending an error packet to the originator. The SADB is supposed to resync and hence resolve the issue.

Qlemo (C++ Developer) commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.