VPN issues

Thirst4Knowledge
Has anyone come across these problems before? I have a problem with a VPN tunnel that fails at least once a week, but it's not exhibiting the usual behaviour on failure.

I have provided some logs.

One thing I was particularly interested in is the output:

IP = 123.1.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID


because the device on the other end is none of those devices!

Any ideas?

Thanks
T4K


Group = 123.1.1.1, IP = 123.1.1.1, Error: Unable to remove PeerTblEntry
Group = 123.1.1.1, IP = 123.1.1.1, Removing peer from peer table failed, no match!
IP = 123.1.1.1, IKE_DECODE SENDING Message (msgid=ad6621ec) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Group = 123.1.1.1, IP = 123.1.1.1, constructing qm hash payload
Group = 123.1.1.1, IP = 123.1.1.1, constructing IKE delete payload
Group = 123.1.1.1, IP = 123.1.1.1, constructing blank hash payload
Group = 123.1.1.1, IP = 123.1.1.1, sending delete/delete with reason message
Group = 123.1.1.1, IP = 123.1.1.1, IKE SA MM:d1bb6d94 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Group = 123.1.1.1, IP = 123.1.1.1, IKE MM Responder FSM error history (struct &0xdc0b41f8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_SND_MSG6_H, EV_SND_MSG_OK-->MM_SND_MSG6_H, EV_SND_MSG-->MM_SND_MSG6, EV_SND_MSG-->MM_BLD_MSG6, EV_ENCRYPT_OK-->MM_BLD_MSG6, NullEvent-->MM_BLD_MSG6, EV_ENCRYPT_MSG-->MM_BLD_MSG6, EV_CHECK_IA
Group = 123.1.1.1, IP = 123.1.1.1, Failure during phase 1 rekeying attempt due to collision
IP = 123.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
Group = 123.1.1.1, IP = 123.1.1.1, Computing hash for ISAKMP
Group = 123.1.1.1, IP = 123.1.1.1, constructing hash payload
Group = 123.1.1.1, IP = 123.1.1.1, constructing ID payload
IP = 123.1.1.1, Connection landed on tunnel_group 123.1.1.1
Group = 123.1.1.1, IP = 123.1.1.1, Computing hash for ISAKMP
Group = 123.1.1.1, IP = 123.1.1.1, processing hash payload
Group = 123.1.1.1, IP = 123.1.1.1, ID_IPV4_ADDR ID received
Group = 123.1.1.1, IP = 123.1.1.1, processing ID payload
IP = 123.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
IP = 123.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Group = 123.1.1.1, IP = 123.1.1.1, Generating keys for Responder...
IP = 123.1.1.1, Connection landed on tunnel_group 123.1.1.1
IP = 123.1.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
IP = 123.1.1.1, constructing VID payload
IP = 123.1.1.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
IP = 123.1.1.1, Send IOS VID
IP = 123.1.1.1, constructing xauth V6 VID payload
IP = 123.1.1.1, constructing Cisco Unity VID payload
IP = 123.1.1.1, constructing nonce payload
IP = 123.1.1.1, constructing ke payload
IP = 123.1.1.1, processing nonce payload
IP = 123.1.1.1, processing ISA_KE payload
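The debug above is the kind of output that usually gets grepped by hand. The Python below is an added example, not code from the thread or from Cisco: it parses lines in the ASA's ISAKMP debug format (the Group/IP prefix, IKE_DECODE payload lists, the FSM error history and the Send ... VID lines) and summarises what happened to the peer, flagging the Phase 1 rekey collision and the peer-table errors. The sample input is constructed from a handful of the lines quoted above. On the vendor ID question in the post: the "Send ... VID" lines sit next to "constructing VID payload" and record the ASA advertising its own vendor IDs to the peer, not an identification of the peer, so the parser reports them as vendor IDs sent.

```python
import re
from collections import Counter

# Constructed sample, modelled on the ASA "debug crypto isakmp" lines quoted in the question.
SAMPLE_LOG = """\
Group = 123.1.1.1, IP = 123.1.1.1, Error: Unable to remove PeerTblEntry
Group = 123.1.1.1, IP = 123.1.1.1, Removing peer from peer table failed, no match!
IP = 123.1.1.1, IKE_DECODE SENDING Message (msgid=ad6621ec) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Group = 123.1.1.1, IP = 123.1.1.1, IKE SA MM:d1bb6d94 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Group = 123.1.1.1, IP = 123.1.1.1, IKE MM Responder FSM error history (struct &0xdc0b41f8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_SND_MSG6_H, EV_SND_MSG_OK-->MM_SND_MSG6_H, EV_SND_MSG
Group = 123.1.1.1, IP = 123.1.1.1, Failure during phase 1 rekeying attempt due to collision
IP = 123.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
IP = 123.1.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
IP = 123.1.1.1, Send IOS VID
"""

# Every debug line starts with an optional "Group = x," and a mandatory "IP = x," prefix.
LINE_RE = re.compile(r"^(?:Group = (?P<group>\S+), )?IP = (?P<ip>\S+), (?P<msg>.*)$")
PAYLOADS_RE = re.compile(
    r"IKE_DECODE (?P<dir>SENDING|RECEIVED) Message \(msgid=(?P<msgid>[0-9a-f]+)\) "
    r"with payloads : (?P<payloads>.*?) total length : (?P<len>\d+)")
VID_RE = re.compile(r"^Send (?P<vid>.+) VID$")
FSM_RE = re.compile(r"FSM error history .*?<state>, <event>:\s*(?P<hist>.*)$")

# Message fragments that mark a Phase 1 problem, mapped to an event label.
PROBLEM_MARKERS = {
    "rekeying attempt due to collision": "rekey_collision",
    "Unable to remove PeerTblEntry": "peer_table_error",
    "Removing peer from peer table failed": "peer_table_error",
    "terminating:": "sa_terminating",
}


def parse_line(line):
    """Parse one debug line into a dict, or return None for lines not in the ASA format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"group": m.group("group"), "ip": m.group("ip"), "msg": m.group("msg"),
           "event": None, "direction": None, "payloads": None, "vid": None, "fsm": None}
    msg = rec["msg"]
    for marker, label in PROBLEM_MARKERS.items():
        if marker in msg:
            rec["event"] = label
            break
    p = PAYLOADS_RE.search(msg)
    if p:
        rec["direction"] = p.group("dir")
        # "HDR + HASH (8) + DELETE (12) + NONE (0)" -> ["HDR", "HASH", "DELETE", "NONE"]
        rec["payloads"] = [re.sub(r"\s*\(\d+\)$", "", part.strip())
                           for part in p.group("payloads").split("+")]
    v = VID_RE.match(msg)
    if v:
        rec["vid"] = v.group("vid")
    f = FSM_RE.search(msg)
    if f:
        # Printed as "STATE, EVENT-->STATE, EVENT-->..."; the first pair is the state the SA ended in.
        rec["fsm"] = [tuple(chunk.strip().split(", ")) for chunk in f.group("hist").split("-->")]
        rec["event"] = rec["event"] or "fsm_error"
    return rec


def summarize(log_text):
    """Aggregate a debug capture: problem events per label, peers seen, VIDs sent, DELETEs sent."""
    summary = {"events": Counter(), "peers": set(), "vendor_ids_sent": [],
               "deletes_sent": 0, "fsm_history": None}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        summary["peers"].add(rec["ip"])
        if rec["event"]:
            summary["events"][rec["event"]] += 1
        if rec["vid"]:
            summary["vendor_ids_sent"].append(rec["vid"])
        if rec["payloads"] and rec["direction"] == "SENDING" and "DELETE" in rec["payloads"]:
            summary["deletes_sent"] += 1
        if rec["fsm"]:
            summary["fsm_history"] = rec["fsm"]
    return summary


def findings(summary):
    """Turn the summary into the points a practitioner would check next."""
    out = []
    if summary["events"]["rekey_collision"]:
        out.append("Phase 1 rekey collision: both peers tried to rekey at once; "
                   "compare ISAKMP lifetimes and clock sync on both ends.")
    if summary["events"]["peer_table_error"]:
        out.append("Peer table errors: the ASA tried to remove the peer's entry and found no match.")
    if summary["deletes_sent"]:
        out.append(f"{summary['deletes_sent']} DELETE notification(s) sent to the peer.")
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(dict(s["events"]), s["vendor_ids_sent"], s["fsm_history"][0])
    for line in findings(s):
        print("-", line)
```

Feed it a real capture with summarize(open("debug.txt").read()); the peers set tells you at a glance whether one peer or several are affected, and fsm_history shows the state the main-mode SA was in when it died.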


Top Expert 2010

Commented:
I hope yours is a site-to-site VPN tunnel. Could you please show the configs of both VPN peers?

Author

Commented:
Yes, it's a site-to-site tunnel.

One side is the ASA, the other is a Draytek 2600.

I have 40 other peers with the same configs and they all work fine. As you may know, the Drayteks don't have configs I can show you; it's all GUI.

But here is the ASA side:


crypto map outside_map 11 set peer 123.1.1.1
access-list no-nat extended permit ip ASA-Inside Network 255.255.248.0 Remote_Office 255.255.255.0
access-list outside_cryptomap_39 extended permit ip ASA-Inside Network 255.255.248.0 Remote_Office 255.255.255.0
route outside Remote_Office 255.255.255.0 321.1.1.1 1
crypto map outside_map 39 match address outside_cryptomap_11
crypto map outside_map 39 set peer 123.1.1.1
crypto map outside_map 39 set transform-set mytransoform
crypto map outside_map 39 set security-association lifetime seconds 86400


Please let me know if you need anything else.

Thanks
T4K
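A check worth running on the ASA side is whether each crypto map entry is complete and consistent with the ACLs and peers it references, and whether the lifetimes match what the far end is set to. The Python below is an added example, not code from the thread or a Cisco tool. The config it parses is the snippet posted above plus one assumed "crypto isakmp policy ... lifetime" line, which the thread does not show; the remote lifetimes are passed in by hand because the Draytek side has no text config to read. As pasted, the snippet has sequence 39 matching outside_cryptomap_11 while the ACL shown is outside_cryptomap_39, the peer 123.1.1.1 set under both sequence 11 and 39, and no match address or transform-set under sequence 11; whether those are paste artefacts or the live config only the author can say, but a checker flags them. One caveat for the lifetime discussion that follows in the thread: "set security-association lifetime" on a crypto map entry is the IPsec (Phase 2) SA lifetime, while the ISAKMP (Phase 1) lifetime that governs the main-mode rekey seen in the debug is set in the isakmp policy, so the checker compares both separately.

```python
import re
from collections import defaultdict

# Constructed sample: the crypto map, access-list and route lines are as posted in the thread;
# the isakmp policy line is assumed (the thread does not show it) and carries the 86400 the
# author reports for both sides.
SAMPLE_CONFIG = """\
crypto isakmp policy 10 lifetime 86400
crypto map outside_map 11 set peer 123.1.1.1
access-list no-nat extended permit ip ASA-Inside 255.255.248.0 Remote_Office 255.255.255.0
access-list outside_cryptomap_39 extended permit ip ASA-Inside 255.255.248.0 Remote_Office 255.255.255.0
route outside Remote_Office 255.255.255.0 321.1.1.1 1
crypto map outside_map 39 match address outside_cryptomap_11
crypto map outside_map 39 set peer 123.1.1.1
crypto map outside_map 39 set transform-set mytransoform
crypto map outside_map 39 set security-association lifetime seconds 86400
"""

CRYPTO_MAP_RE = re.compile(r"^crypto map (?P<map>\S+) (?P<seq>\d+) (?P<rest>.+)$")
ACL_RE = re.compile(r"^access-list (?P<name>\S+) ")
# Accepts both the older "isakmp policy N lifetime S" and the newer "crypto isakmp policy N lifetime S".
ISAKMP_LT_RE = re.compile(r"^(?:crypto )?isakmp policy (?P<pri>\d+) lifetime (?P<secs>\d+)$")


def parse_config(text):
    """Collect ACL names, Phase 1 policy lifetimes and per-(map, seq) crypto map settings."""
    acls, phase1 = set(), {}
    entries = defaultdict(lambda: {"peers": [], "transform": None, "acl": None, "lifetime": None})
    for line in text.splitlines():
        line = line.strip()
        if (a := ACL_RE.match(line)):
            acls.add(a.group("name"))
        elif (p := ISAKMP_LT_RE.match(line)):
            phase1[int(p.group("pri"))] = int(p.group("secs"))
        elif (c := CRYPTO_MAP_RE.match(line)):
            e = entries[(c.group("map"), int(c.group("seq")))]
            words = c.group("rest").split()
            if words[:2] == ["match", "address"]:
                e["acl"] = words[2]
            elif words[:2] == ["set", "peer"]:
                e["peers"].extend(words[2:])
            elif words[:2] == ["set", "transform-set"]:
                e["transform"] = words[2:]
            elif words[:4] == ["set", "security-association", "lifetime", "seconds"]:
                e["lifetime"] = int(words[4])
    return acls, phase1, dict(entries)


def check_config(text, remote_phase1_lifetime=None, remote_phase2_lifetime=None):
    """Return a list of findings. The remote lifetimes are what the far end is configured with,
    read off its GUI and supplied by hand."""
    acls, phase1, entries = parse_config(text)
    out = []
    peer_seqs = defaultdict(list)
    for (m, seq), e in sorted(entries.items()):
        tag = f"{m} {seq}"
        if e["acl"] is None:
            out.append(f"{tag}: no match address (incomplete entry)")
        elif e["acl"] not in acls:
            out.append(f"{tag}: match address references undefined ACL {e['acl']}")
        if not e["peers"]:
            out.append(f"{tag}: no peer")
        if e["transform"] is None:
            out.append(f"{tag}: no transform-set")
        if remote_phase2_lifetime is not None and e["lifetime"] not in (None, remote_phase2_lifetime):
            out.append(f"{tag}: IPsec SA lifetime {e['lifetime']} != remote {remote_phase2_lifetime}")
        for peer in e["peers"]:
            peer_seqs[(m, peer)].append(seq)
    for (m, peer), seqs in peer_seqs.items():
        if len(seqs) > 1:
            out.append(f"{m}: peer {peer} set in sequences {seqs}; check which entry is meant")
    if remote_phase1_lifetime is not None:
        for pri, secs in sorted(phase1.items()):
            if secs != remote_phase1_lifetime:
                out.append(f"isakmp policy {pri}: Phase 1 lifetime {secs} != remote {remote_phase1_lifetime}")
    return out


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG, remote_phase1_lifetime=86400, remote_phase2_lifetime=86400):
        print("-", finding)
```

Run it against a "show running-config crypto" dump with the lifetimes read from the remote device's GUI; a clean result means the ASA side is at least internally consistent, which narrows the hunt to the peer or, as the thread ends up finding, its clock.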
Top Expert 2010
Commented:
No, I don't know about the other device.

One thing I can suggest: it may be because the ISAKMP lifetime on the VPN Concentrator and the remote site (VPN) does not match. The default ISAKMP lifetime on the VPN Concentrator is 86400.

So just check it on the other side.

Author

Commented:
Both sides are 86400.

When you refer to the VPN concentrator, are you referring to the ASA firewall? The only reason I ask is that there are no VPN concentrators on either side of the tunnel.

One side is a Cisco ASA; the other side of the tunnel is a Draytek Vigor 2600.
I'm going to start clutching at straws here and mention that the Draytek does have a problem with keeping time: it keeps resetting its time back to Jan 1st.
I have set up an NTP request on the Draytek and it is now showing the correct time and date.

Will see if this keeps it stable.
Top Expert 2010
Commented:
Sorry, it's the ASA firewall.

Author

Commented:
All tunnels that were displaying this behaviour have now become stable and re-initiate with no problems.

It seems to be all the older Draytek models that can't keep time any more (Vigor 2600).
