Cisco RV320 VPN Connection

Sir,

I'm trying to connect our 2 Cisco RV320 VPN routers, but I'm always getting an error:

[g2gips0]#7: [Tunnel Authorize Fail] malformed payload in packet

I already followed the manual for the Gateway to Gateway setup.

My setup:

Cisco A                                                       Cisco B
static local IP -- static WAN IP ------ web ------ static WAN IP -- static local IP
192.168.1.1/24 --- 122.52.0.0 ---------- web ---------- 203.177.0.0 --- 192.168.3.1/24

I use keying mode: IKE with Certificate.

Hoping you can help me to resolve the error.

Thank you in advance
Ray Valencia, IT Administrator, asked:
 
John, Business Consultant (Owner), commented:
In your setup:

1. Check your certificates (I cannot do that). Or, can you try without a certificate? I do not use certificates on my setup.
2. Try turning PFS OFF (unselect it). I have never needed to use this. If you do wish to maintain it, use DH Group 2.
3. Check in Advanced settings that MAIN mode is used (not Aggressive).
4. In Advanced settings, try toggling NAT Traversal On and Off.
0
 
John, Business Consultant (Owner), commented:
The first thing to do is enable logging on both units (both ends). Attempt to create a tunnel, look at the logs and determine where the tunnel is failing.

I have site to site (gateway to gateway) tunnels on my RV325 VPN router. They work fine, so there is probably a setup issue. Most setup issues just cause the tunnel not to connect. Malformed packets is another error.
0
 
Rob Williams commented:
Your public IPs appear to be in the Philippines. Some Asian countries block protocols required to establish an IPsec connection. I don't know about the Philippines, but countries to your west and north certainly do. Might that be a possibility?
0
 
Ray Valencia, IT Administrator (Author), commented:
Sir John

Can you check my setup for SITE A and SITE B?

The error I got in the logs is:

"kernel: wrong ip[0], not_list[0]"
vpn.xlsx
0
 
Ray Valencia, IT Administrator (Author), commented:
Hi Sir Rob,

Currently I'm asking our ISP here in the Philippines about IPsec protocol blocking.

Waiting for their response.
0
 
Ray Valencia, IT Administrator (Author), commented:
Sir John,

Many thanks for your advice, it works...

Thank you so much...
0
 
Ray Valencia, IT Administrator (Author), commented:
Sir John,

My VPN connection is already running; I can ping the gateway of every SITE,

but I cannot access our server in SITE B.
0
 
John, Business Consultant (Owner), commented:
Is the server included in the IP Range of the VPN connection?

Did you try NAT Traversal on and off (both ends)?

What do you see for traffic in the logs?

Can you map a server drive by IP address? If you can, it is a DNS problem.
0
 
Ray Valencia, IT Administrator (Author), commented:
Hi Sir John,

Sorry for the long response.

I already tried NAT Traversal On/Off on both ends, but still I can't locate our server, nor can I ping its IP.

I can only ping the gateway of the other side but cannot open any shared folder in the network.
0
 
John, Business Consultant (Owner), commented:
Look at these settings (need to adjust for each end):

Description
Tunnel Number 5
Interface on Router WAN 1
Enabled

Local Gateway Type: IP Only
(External) IP address
Local Security Group type: Subnet
192.168.000.0
255.255.255.0

Remote Gateway Type: Dyn IP + Email  (or what you need)
Remote IP address or email address  (these two are likely IP for you)
Remote Security Group type: Subnet
192.168.222.0
255.255.255.0

Keying Mode: IKE Pre-share
Phase 1
Group 2
3DES
SHA1
28800 Sec.
PFS OFF

Phase 2
Group 2
3DES
SHA1
3600 Sec.
Pre-shared key

Advanced
Main Mode (for site to site)
Compress OFF
Keep Alive ON Default
AH Hash (MD5) I have OFF
NetBIOS OFF
Nat Traversal ON or OFF whichever works
0
 
Ray Valencia, IT Administrator (Author), commented:
Hi Sir John,

Sorry for the late response to your reply. About the settings you gave: the first time I set them on the Cisco RV320, it worked fine for a couple of days until some errors occurred. See the log details below:

2016-11-02, 09:36:30      VPN Log      [g2gips0]: [Tunnel Disconnected]
2016-11-02, 09:08:54      VPN Log      [g2gips0]: [Tunnel Disconnected]
2016-11-02, 09:04:08      VPN Log      packet from 216.218.206.106:59955: [Tunnel Authorize Fail] no connection has been authorized
2016-11-02, 08:26:16      VPN Log      [g2gips0]: [Tunnel Disconnected]
2016-11-01, 09:59:31      VPN Log      packet from 216.218.206.114:43940: [Tunnel Authorize Fail] no connection has been authorized
2016-10-31, 09:32:37      VPN Log      packet from 216.218.206.114:13581: [Tunnel Authorize Fail] no connection has been authorized
2016-10-31, 06:33:46      VPN Log      [g2gips0]: [Tunnel Disconnected]
2016-10-30, 08:53:38      VPN Log      packet from 216.218.206.122:57900: [Tunnel Authorize Fail] no connection has been authorized
2016-10-29, 15:36:55      VPN Log      packet from 163.172.129.15:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
2016-10-29, 14:32:45      VPN Log      [g2gips0]: [Tunnel Disconnected]
2016-10-29, 13:36:24      VPN Log      iptables -t nat -D vpn_postrouting -o eth0 -s 192.168.5.0/24 -d 192.168.0.0/24 -j ACCEPT
2016-10-29, 13:36:24      VPN Log      iptables -t nat -D vpn_postrouting -s 192.168.0.0/24 -d 192.168.5.0/24 -j ACCEPT
2016-10-29, 13:36:24      VPN Log      iptables -t nat -D vpn -s 192.168.5.0/24 -d 192.168.0.0/24 -j ACCEPT
2016-10-29, 13:36:24      VPN Log      iptables -t nat -D vpn -s 192.168.0.0/24 -d 192.168.5.0/24 -j ACCEPT
2016-10-29, 13:36:24      VPN Log      ip route del 192.168.5.0/24 via 121.58.212.129 dev eth1 metric 35
2016-10-29, 13:36:24      VPN Log      [g2gips0]: cmd=down-client peer=210.4.107.98 peer_client=192.168.5.0/24 peer_client_net=192.168.5.0 peer_client_mask=255.255.255.0
2016-10-29, 13:09:43      VPN Log      [g2gips0] #830: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xca43badb) not found (maybe expired)
2016-10-29, 13:09:43      VPN Log      [g2gips0] #833: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0xcf6b7a0b < 0xc188a0c5}
2016-10-29, 12:10:58      VPN Log      [g2gips0] #830: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xc8735928) not found (maybe expired)
2016-10-29, 12:10:58      VPN Log      [g2gips0] #832: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0xca43badb < 0xca08e424}
2016-10-29, 11:12:06      VPN Log      [g2gips0] #830: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xc4745ff8) not found (maybe expired)

Hoping that you can help me again about this problem.

Thank you
0
 
John, Business Consultant (Owner), commented:
It appears to be Phase 1 or possibly NAT Traversal errors.
0
 
Ray Valencia, IT Administrator (Author), commented:
What should I do, sir, to resolve the problem?
0
 
John, Business Consultant (Owner), commented:
Double check the Phase settings (match to each other and at both ends). Try NAT Traversal both ways.
0
 
Ray Valencia, IT Administrator (Author), commented:
Sir, I already redid the setup but still cannot connect my 2 Cisco RV320s. Is there any other way to fix the problem?
0
 
Ray Valencia, IT Administrator (Author), commented:
Sir, can I ask what the meaning of the log details below is?

2016-11-02, 10:45:33      Kernel      last message repeated 3 times
2016-11-02, 10:44:13      VPN Log      packet from 121.58.199.94:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
2016-11-02, 10:43:33      Kernel      last message repeated 2 times
2016-11-02, 10:43:03      VPN Log      packet from 121.58.199.94:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
2016-11-02, 10:42:42      VPN Log      [g2gips0]: [Tunnel Disconnected]
2016-11-02, 10:42:14      VPN Log      packet from 121.58.199.94:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
2016-11-02, 10:41:34      Kernel      last message repeated 3 times
2016-11-02, 10:40:13      VPN Log      packet from 121.58.199.94:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
2016-11-02, 10:39:33      Kernel      last message repeated 3 times
2016-11-02, 10:38:13      VPN Log      packet from 121.58.199.94:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
2016-11-02, 10:37:33      Kernel      last message repeated 3 times
2016-11-02, 10:36:13      VPN Log      packet from 121.58.199.94:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
2016-11-02, 10:35:33      Kernel      last message repeated 3 times
0
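The two log excerpts Ray posted above (the one with the Tunnel Established / Delete SA lines and the one with the repeated "no connection has been authorized with policy=PSK" entries) can be read mechanically. The script below is an added example, not part of the thread and not a Cisco tool: it parses lines in the RV320 "VPN Log" format shown above and sorts them into a few event classes a defender cares about, separating a rejection of the configured peer (a policy, PSK or identity mismatch on that box) from IKE packets sent by hosts that were never configured as peers, which are unrelated to the tunnel and can be ignored when troubleshooting it. The class names, the `known_peers` set and the assumption that 121.58.199.94 is the far site's WAN address are mine; the sample lines are constructed from the ones quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the RV320 "VPN Log" lines quoted in this thread.
SAMPLE_LOG = """\
2016-11-02, 10:45:33      Kernel      last message repeated 3 times
2016-11-02, 10:44:13      VPN Log      packet from 121.58.199.94:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
2016-11-02, 10:42:42      VPN Log      [g2gips0]: [Tunnel Disconnected]
2016-11-02, 09:04:08      VPN Log      packet from 216.218.206.106:59955: [Tunnel Authorize Fail] no connection has been authorized
2016-10-29, 13:36:24      VPN Log      [g2gips0]: cmd=down-client peer=210.4.107.98 peer_client=192.168.5.0/24 peer_client_net=192.168.5.0 peer_client_mask=255.255.255.0
2016-10-29, 13:09:43      VPN Log      [g2gips0] #830: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xca43badb) not found (maybe expired)
2016-10-29, 13:09:43      VPN Log      [g2gips0] #833: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0xcf6b7a0b < 0xc188a0c5}
2016-10-27, 08:00:00      VPN Log      [g2gips0]#7: [Tunnel Authorize Fail] malformed payload in packet
"""

# "<date>, <time>   <facility>   <message>" as the RV320 log viewer shows it.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}), (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<facility>VPN Log|Kernel)\s+(?P<msg>.*)$"
)
PEER_RE = re.compile(r"packet from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+):")


def classify(facility: str, msg: str, known_peers: set) -> str:
    """Map one log message to a coarse event class (class names are assumed, not Cisco's)."""
    if facility != "VPN Log":
        return "kernel"
    if "[Tunnel Established]" in msg:
        return "established"
    if "[Tunnel Disconnected]" in msg:
        return "disconnected"
    if "cmd=down-client" in msg:           # routes and NAT rules for the peer LAN removed
        return "routes_torn_down"
    # A stale Delete SA is housekeeping noise (the SA already expired), not the reason a
    # tunnel fails; test it before the generic Authorize Fail branch since it carries that tag too.
    if "ignoring Delete SA payload" in msg:
        return "stale_delete_sa"
    if "malformed payload" in msg:
        return "malformed_payload"
    if "no connection has been authorized" in msg:
        m = PEER_RE.search(msg)
        if m and m.group("ip") in known_peers:
            return "known_peer_rejected"   # our own peer: policy, PSK or ID mismatch on this box
        return "unsolicited_ike"           # IKE from a host we never configured; not our tunnel
    return "other"


def summarize(log_text: str, known_peers: set) -> dict:
    """Count event classes and collect the source addresses of unsolicited IKE packets."""
    counts = Counter()
    unknown_sources = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cls = classify(m.group("facility"), m.group("msg"), known_peers)
        counts[cls] += 1
        if cls == "unsolicited_ike":
            unknown_sources.add(PEER_RE.search(m.group("msg")).group("ip"))
    return {"counts": dict(counts), "unknown_sources": sorted(unknown_sources)}


if __name__ == "__main__":
    # Assumption: 121.58.199.94 is the remote site's WAN address (the configured peer).
    report = summarize(SAMPLE_LOG, known_peers={"121.58.199.94"})
    for cls, n in sorted(report["counts"].items()):
        print(f"{cls:20s} {n}")
    print("unsolicited IKE sources:", ", ".join(report["unknown_sources"]))
```

On the second excerpt every rejection comes from the same address on UDP 500 at regular intervals, which is what a configured peer retrying looks like; a one-off rejection from an address you did not configure is just an unknown host reaching the WAN port and says nothing about the tunnel.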
 
John, Business Consultant (Owner), commented:
Here is a working site-to-site setup on a Cisco RV325 (same box as yours).

Name
1
WAN 1


Local Gateway type IP Only
Local IP Address  x.y.z.t
Local IP Security Group Subnet
192.168.100.0
255.255.255.0

Remote Gateway type IP Only
Remote IP Address x.m.n.p
Remote IP Security Group Subnet
192.168.1.0
255.255.255.0

IKE Pre-share
Group 2
3DES
SHA1
28800 Sec.
PFS no
Group 2
3DES
SHA1
3600 Sec.

Aggressive no (site to site = Main)
Keep Alive yes or no
NAT Traversal yes or no
Dead Peer Detect Yes 10 seconds


Mirror this at the other end.
0
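John's advice throughout the thread is "mirror this at the other end", "match the Phase settings to each other and at both ends", use Main mode rather than Aggressive, and (for the server that could not be reached) make sure the host is inside the IP range the tunnel carries. The following script is an added example, not from the thread and not Cisco's: it models one end of an RV320/RV325 gateway-to-gateway tunnel as a small record, derives the far end by swapping local and remote, and reports every asymmetry between two ends before anyone touches the router. The WAN addresses (documentation ranges) and the deliberate misconfiguration in `SITE_B_BAD` are constructed; the LAN subnets are the ones from Ray's diagram.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Phase:
    dh_group: int        # "Group 2" in the RV32x UI
    encryption: str      # e.g. "3DES"
    integrity: str       # e.g. "SHA1"
    lifetime_sec: int    # SA lifetime; 28800 (Phase 1) and 3600 (Phase 2) are the defaults


@dataclass(frozen=True)
class TunnelEnd:
    site: str
    local_wan: str
    local_subnet: str     # Local Security Group (subnet)
    remote_wan: str
    remote_subnet: str    # Remote Security Group (subnet)
    keying: str           # "IKE Pre-share" or "IKE with Certificate"
    phase1: Phase
    phase2: Phase
    pfs: bool
    aggressive: bool      # site-to-site should be Main mode, i.e. False
    nat_traversal: bool


def mirror(end: TunnelEnd, site: str) -> TunnelEnd:
    """Build the far end's configuration: local and remote swap, everything else is copied."""
    return replace(end, site=site,
                   local_wan=end.remote_wan, local_subnet=end.remote_subnet,
                   remote_wan=end.local_wan, remote_subnet=end.local_subnet)


def check_pair(a: TunnelEnd, b: TunnelEnd) -> list:
    """Return a list of human-readable mismatches between the two ends (empty when consistent)."""
    issues = []
    for near, far in ((a, b), (b, a)):
        if near.remote_wan != far.local_wan:
            issues.append(f"{near.site}: remote gateway {near.remote_wan} != {far.site} WAN {far.local_wan}")
        if near.remote_subnet != far.local_subnet:
            issues.append(f"{near.site}: remote security group {near.remote_subnet} != {far.site} LAN {far.local_subnet}")
        if near.aggressive:
            issues.append(f"{near.site}: Aggressive mode set; site-to-site uses Main mode")
    if ipaddress.ip_network(a.local_subnet).overlaps(ipaddress.ip_network(b.local_subnet)):
        issues.append("LAN subnets overlap; traffic cannot be routed across the tunnel")
    for attr in ("keying", "pfs", "nat_traversal"):
        if getattr(a, attr) != getattr(b, attr):
            issues.append(f"{attr} differs: {a.site}={getattr(a, attr)} {b.site}={getattr(b, attr)}")
    for ph in ("phase1", "phase2"):
        pa, pb = getattr(a, ph), getattr(b, ph)
        for f in ("dh_group", "encryption", "integrity", "lifetime_sec"):
            if getattr(pa, f) != getattr(pb, f):
                issues.append(f"{ph} {f} differs: {a.site}={getattr(pa, f)} {b.site}={getattr(pb, f)}")
    return issues


def host_in_tunnel(end: TunnelEnd, host: str) -> bool:
    """True when `host` lies inside this end's remote security group, i.e. is reachable via the tunnel."""
    return ipaddress.ip_address(host) in ipaddress.ip_network(end.remote_subnet)


# Settings as listed in the thread: Group 2 / 3DES / SHA1, 28800 s and 3600 s, PFS off, Main mode.
P1 = Phase(dh_group=2, encryption="3DES", integrity="SHA1", lifetime_sec=28800)
P2 = Phase(dh_group=2, encryption="3DES", integrity="SHA1", lifetime_sec=3600)

# Constructed: WAN addresses from documentation ranges; LAN subnets from the diagram in the question.
SITE_A = TunnelEnd(site="Site A", local_wan="203.0.113.10", local_subnet="192.168.1.0/24",
                   remote_wan="198.51.100.20", remote_subnet="192.168.3.0/24",
                   keying="IKE Pre-share", phase1=P1, phase2=P2,
                   pfs=False, aggressive=False, nat_traversal=True)

# Constructed, deliberately mis-set far end: wrong Phase 1 lifetime and Aggressive mode on.
SITE_B_BAD = replace(mirror(SITE_A, "Site B"),
                     phase1=replace(P1, lifetime_sec=3600), aggressive=True)

if __name__ == "__main__":
    for issue in check_pair(SITE_A, SITE_B_BAD) or ["no mismatches"]:
        print(issue)
    # Is the Site B server inside the range the tunnel carries?  (John's question above)
    print("192.168.3.50 via tunnel:", host_in_tunnel(SITE_A, "192.168.3.50"))
```

The check only covers what both ends must agree on; it does not tell you whether a given NAT Traversal setting will work on a particular path, which is why John's advice to try it both ways still stands.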
 
Ray Valencia, IT Administrator (Author), commented:
Sir John,

Should I restart the Cisco VPN router? I already set up the settings you gave, but still it doesn't work.
0
 
John, Business Consultant (Owner), commented:
Yes you should restart the router. If you have the configuration well documented, you can reset the router to factory settings and set it up again.

Another thing to check is firmware. The firmware for that router is RV32X_v1.3.1.12_20160427-code on the Cisco site.
0
 
Ray Valencia, IT Administrator (Author), commented:
The firmware for the two RV320s is already updated to its latest version.
0
 
Ray Valencia, IT Administrator (Author), commented:
Hi Sir John,

I need your usual expertise about the Cisco RV320 / 325 VPN router.

I have a problem with the VPN connection; I'm getting the error notification below.

[Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xccb797a8) not found (maybe expired)

My VPN connection now is not working because of this problem.

Hoping that you can give me any solution to resolve this problem.

Thank you sir
0
 
John, Business Consultant (Owner), commented:
[Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xccb797a8) not found (maybe expired)

Please look at this Cisco forum article.

https://supportforums.cisco.com/discussion/12468861/rv320-vpn-connection-ignoring-delete-sa-payload-protoipsecesp-sa

Also, try increasing the SA Lifetime variables a bit for each Phase. 28800 is default for Phase 1 and 3600 is default for Phase 2.
0