Thirst4Knowledge

asked:

VPN issues

Has anyone come across these problems before? I have a problem with a VPN tunnel that fails at least once a week, but it's not exhibiting the usual behaviour on failure.

I have provided some logs.

One thing I was particularly interested in is the output:

IP = 123.1.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID


Because the device on the other end is none of those devices!

Any ideas?

Thanks
T4K


Group = 123.1.1.1, IP = 123.1.1.1, Error: Unable to remove PeerTblEntry
Group = 123.1.1.1, IP = 123.1.1.1, Removing peer from peer table failed, no match!
IP = 123.1.1.1, IKE_DECODE SENDING Message (msgid=ad6621ec) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Group = 123.1.1.1, IP = 123.1.1.1, constructing qm hash payload
Group = 123.1.1.1, IP = 123.1.1.1, constructing IKE delete payload
Group = 123.1.1.1, IP = 123.1.1.1, constructing blank hash payload
Group = 123.1.1.1, IP = 123.1.1.1, sending delete/delete with reason message
Group = 123.1.1.1, IP = 123.1.1.1, IKE SA MM:d1bb6d94 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Group = 123.1.1.1, IP = 123.1.1.1, IKE MM Responder FSM error history (struct &0xdc0b41f8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_SND_MSG6_H, EV_SND_MSG_OK-->MM_SND_MSG6_H, EV_SND_MSG-->MM_SND_MSG6, EV_SND_MSG-->MM_BLD_MSG6, EV_ENCRYPT_OK-->MM_BLD_MSG6, NullEvent-->MM_BLD_MSG6, EV_ENCRYPT_MSG-->MM_BLD_MSG6, EV_CHECK_IA
Group = 123.1.1.1, IP = 123.1.1.1, Failure during phase 1 rekeying attempt due to collision
IP = 123.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
Group = 123.1.1.1, IP = 123.1.1.1, Computing hash for ISAKMP
Group = 123.1.1.1, IP = 123.1.1.1, constructing hash payload
Group = 123.1.1.1, IP = 123.1.1.1, constructing ID payload
IP = 123.1.1.1, Connection landed on tunnel_group 123.1.1.1
Group = 123.1.1.1, IP = 123.1.1.1, Computing hash for ISAKMP
Group = 123.1.1.1, IP = 123.1.1.1, processing hash payload
Group = 123.1.1.1, IP = 123.1.1.1, ID_IPV4_ADDR ID received
Group = 123.1.1.1, IP = 123.1.1.1, processing ID payload
IP = 123.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
IP = 123.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Group = 123.1.1.1, IP = 123.1.1.1, Generating keys for Responder...
IP = 123.1.1.1, Connection landed on tunnel_group 123.1.1.1
IP = 123.1.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
IP = 123.1.1.1, constructing VID payload
IP = 123.1.1.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
IP = 123.1.1.1, Send IOS VID
IP = 123.1.1.1, constructing xauth V6 VID payload
IP = 123.1.1.1, constructing Cisco Unity VID payload
IP = 123.1.1.1, constructing nonce payload
IP = 123.1.1.1, constructing ke payload
IP = 123.1.1.1, processing nonce payload
IP = 123.1.1.1, processing ISA_KE payload

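To triage output like the log above across many peers (the asker runs 40 of them), here is an added example, not code from the original post, that groups ASA `debug crypto isakmp` lines by peer IP and flags the sequence visible in the log: a phase 1 rekey collision followed by the IKE SA being torn down and the peer-table errors. The sample lines are a subset copied from the log above; the match strings are the ones that appear there and are assumed to hold for other ASA releases. The `Send ... VID` and `Vendor ID` lines it tags are the ASA building and sending its own vendor-ID payloads (the four `VENDOR (13)` payloads in its outgoing message), so they say nothing about what the remote device is.

```python
"""Triage Cisco ASA 'debug crypto isakmp' output for IKEv1 phase 1 rekey trouble.

Added example for this thread, not code from the original post. Groups the debug
lines by peer IP, tags the events that matter for the failure shown above and
reports, per peer, whether a phase 1 rekey collision was followed by the IKE SA
being torn down. The match strings are taken from the posted log; assume they
need checking against other ASA releases.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Subset of the ISAKMP debug lines from the post above (peer IP sanitised there).
SAMPLE_LOG = """\
Group = 123.1.1.1, IP = 123.1.1.1, Error: Unable to remove PeerTblEntry
Group = 123.1.1.1, IP = 123.1.1.1, Removing peer from peer table failed, no match!
IP = 123.1.1.1, IKE_DECODE SENDING Message (msgid=ad6621ec) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Group = 123.1.1.1, IP = 123.1.1.1, sending delete/delete with reason message
Group = 123.1.1.1, IP = 123.1.1.1, IKE SA MM:d1bb6d94 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Group = 123.1.1.1, IP = 123.1.1.1, Failure during phase 1 rekeying attempt due to collision
IP = 123.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
IP = 123.1.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
IP = 123.1.1.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
"""

LINE_RE = re.compile(r"^(?:Group = (?P<group>\S+), )?IP = (?P<ip>\S+), (?P<msg>.*)$")
SA_RE = re.compile(r"IKE SA MM:(?P<cookie>[0-9a-f]+) terminating")
MSGID_RE = re.compile(
    r"IKE_DECODE (?P<dir>SENDING|RECEIVED) Message \(msgid=(?P<msgid>[0-9a-f]+)\)"
    r" with payloads : (?P<payloads>.*?) total length"
)

# (tag, substring). A line can carry more than one tag.
EVENT_TAGS = [
    ("rekey_collision", "Failure during phase 1 rekeying attempt due to collision"),
    ("peer_table_error", "Unable to remove PeerTblEntry"),
    ("peer_table_error", "Removing peer from peer table failed"),
    ("sa_terminating", "IKE SA MM:"),
    ("delete_sent", "sending delete/delete with reason message"),
    # The VID lines are the ASA building and sending its *own* vendor-ID payloads
    # (the four VENDOR (13) payloads in its message); they do not identify the peer.
    ("own_vendor_id", " VID"),
    ("own_vendor_id", "Vendor ID"),
]


@dataclass
class PeerReport:
    events: dict = field(default_factory=lambda: defaultdict(int))
    terminated_sas: list = field(default_factory=list)   # IKE SA cookies torn down
    ike_messages: list = field(default_factory=list)     # (direction, msgid, payloads)

    @property
    def rekey_collision_killed_sa(self) -> bool:
        return self.events["rekey_collision"] > 0 and bool(self.terminated_sas)


def parse_isakmp_debug(text: str) -> dict:
    """Return {peer_ip: PeerReport}; line order does not matter (ASA shows newest first)."""
    reports = defaultdict(PeerReport)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an ISAKMP debug line
        rep, msg = reports[m["ip"]], m["msg"]
        for tag, needle in EVENT_TAGS:
            if needle in msg:
                rep.events[tag] += 1
        sa = SA_RE.search(msg)
        if sa:
            rep.terminated_sas.append(sa["cookie"])
        mid = MSGID_RE.search(msg)
        if mid:
            rep.ike_messages.append((mid["dir"], mid["msgid"], mid["payloads"]))
    return dict(reports)


def flagged_peers(reports: dict) -> list:
    """Peers where a phase 1 rekey collision was followed by an IKE SA teardown."""
    return sorted(ip for ip, rep in reports.items() if rep.rekey_collision_killed_sa)


if __name__ == "__main__":
    reports = parse_isakmp_debug(SAMPLE_LOG)
    for ip, rep in reports.items():
        print(ip, dict(rep.events), "terminated SAs:", rep.terminated_sas)
    print("peers to look at:", flagged_peers(reports))
```

Feed it the full debug capture from the ASA rather than the excerpt and the per-peer counts show which of the 40 tunnels hit the collision, so the troubleshooting can be narrowed to those peers instead of the whole crypto map.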

anoopkmr

I hope yours is a site-to-site VPN tunnel. Could you please show the configs of both VPN peers?
Thirst4Knowledge

ASKER

Yes, it's a site-to-site tunnel.

One side is the ASA, the other is a Draytek 2600.

I have 40 other peers with the same configs and they all work fine. As you may know, the Drayteks don't have configs I can show you; it's all GUI.

But here is the ASA side:


crypto map outside_map 11 set peer 123.1.1.1

access-list no-nat extended permit ip ASA-Inside Network 255.255.248.0 Remote_Office 255.255.255.0

access-list outside_cryptomap_39 extended permit ip ASA-Inside Network 255.255.248.0 Remote_Office 255.255.255.0

route outside Remote_Office 255.255.255.0 321.1.1.1 1

crypto map outside_map 39 match address outside_cryptomap_11
crypto map outside_map 39 set peer 123.1.1.1
crypto map outside_map 39 set transform-set mytransoform
crypto map outside_map 39 set security-association lifetime seconds 86400


Please let me know if you need anything else.

Thanks
T4K
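A quick cross-check of the posted ASA lines, as an added example that is not part of the original post: it parses the `crypto map` and `access-list` lines and reports references that do not line up within the excerpt. On the lines as pasted it reports that entry 39's `match address outside_cryptomap_11` has no matching access-list in the excerpt while `outside_cryptomap_39` is defined but unused, that entry 11 shows only a `set peer`, and that entries 11 and 39 both set peer 123.1.1.1. Since the excerpt is sanitised and partial, these may be transcription slips rather than what is on the box; the `outside_cryptomap` name prefix used to decide which unused ACLs to report is an assumption taken from the post's naming.

```python
"""Sanity-check crypto-map references in a Cisco ASA config excerpt.

Added example for this thread, not part of the original post. It parses the
`crypto map` and `access-list` lines the asker pasted and cross-checks them:
does every `match address` point at an ACL that is defined, is every defined
crypto ACL actually bound to a map entry, does each entry carry the pieces a
working IKEv1 site-to-site entry needs, and do several entries share one peer.
The excerpt is sanitised and partial, so a finding means "not in the excerpt",
not necessarily "not on the box".
"""
import re
from collections import defaultdict

# The ASA-side lines from the post, verbatim (addresses already sanitised there).
POSTED_CONFIG = """\
crypto map outside_map 11 set peer 123.1.1.1
access-list no-nat extended permit ip ASA-Inside Network 255.255.248.0 Remote_Office 255.255.255.0
access-list outside_cryptomap_39 extended permit ip ASA-Inside Network 255.255.248.0 Remote_Office 255.255.255.0
route outside Remote_Office 255.255.255.0 321.1.1.1 1
crypto map outside_map 39 match address outside_cryptomap_11
crypto map outside_map 39 set peer 123.1.1.1
crypto map outside_map 39 set transform-set mytransoform
crypto map outside_map 39 set security-association lifetime seconds 86400
"""

CRYPTO_RE = re.compile(r"^crypto map (?P<map>\S+) (?P<seq>\d+) (?P<rest>.+)$")
ACL_RE = re.compile(r"^access-list (?P<name>\S+) ")


def parse_config(text):
    """Return (acls, entries): set of ACL names and {(map, seq): {attr: value}}."""
    acls = set()
    entries = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        a = ACL_RE.match(line)
        if a:
            acls.add(a["name"])
            continue
        c = CRYPTO_RE.match(line)
        if not c:
            continue  # route, nat, etc. are not checked here
        key = (c["map"], int(c["seq"]))
        rest = c["rest"].split()
        if rest[:2] == ["match", "address"]:
            entries[key]["match_address"] = rest[2]
        elif rest[:2] == ["set", "peer"]:
            entries[key].setdefault("peers", []).extend(rest[2:])
        elif rest[:2] == ["set", "transform-set"]:
            entries[key]["transform_sets"] = rest[2:]
        elif rest[:4] == ["set", "security-association", "lifetime", "seconds"]:
            entries[key]["lifetime_seconds"] = int(rest[4])
    return acls, dict(entries)


def check_crypto_maps(text):
    """Return a sorted list of human-readable findings (empty list = nothing odd)."""
    acls, entries = parse_config(text)
    findings, referenced, by_peer = [], set(), defaultdict(list)
    for (name, seq), attrs in sorted(entries.items()):
        label = f"{name} {seq}"
        acl = attrs.get("match_address")
        if acl is None:
            findings.append(f"{label}: no 'match address' in excerpt")
        else:
            referenced.add(acl)
            if acl not in acls:
                findings.append(f"{label}: 'match address {acl}' but no access-list {acl} in excerpt")
        if "transform_sets" not in attrs:
            findings.append(f"{label}: no 'set transform-set' in excerpt")
        for peer in attrs.get("peers", []):
            by_peer[peer].append(label)
    # Crypto ACLs defined but never bound to a map entry. The name prefix is the
    # convention seen in the post; treating it as "crypto ACL" is an assumption.
    for acl in sorted(acls - referenced):
        if acl.startswith("outside_cryptomap"):
            findings.append(f"access-list {acl} defined but not used by any crypto map entry")
    for peer, labels in sorted(by_peer.items()):
        if len(labels) > 1:
            findings.append(f"peer {peer} is set on more than one entry: {', '.join(labels)}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_crypto_maps(POSTED_CONFIG):
        print("-", finding)
```

Run it against `show running-config crypto map` and `show running-config access-list` output before comparing lifetimes or transform sets with the far end; a dangling `match address` reference is cheaper to rule out than a peer-side problem.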
Both sides are 86400.

When you refer to a VPN concentrator, are you referring to the ASA firewall? The only reason I ask is that there are no VPN concentrators on either side of the tunnel.

One side is a Cisco ASA; the other side of the tunnel is a Draytek Vigor 2600.
All tunnels that were displaying this behaviour have now become stable and re-initiate with no problems.

It seems to be all the older Draytek models that can't keep time anymore (Vigor 2600).