Cisco Rv325 VPN Tunnel

I am having issues with 4 sites. Each has 4 IPsec VPN tunnels in between for cross connection and application access.

But only one application is giving me an issue. The server is on Site (A) and site (B) but soon to be (A) only. Two other sites (C) and (D) are VPNing in to site (A) to access the server.

When you minimize the application (which is working through an RDP connection) and work on something else, once you get back to the application there is a reconnecting issue. It takes about 2-3 mins to get the application back working.

I've been having some issues with the VPN and I am not a pro with VPN logs. Can anyone help me?

2017-02-01, 08:12:08      VPN Log      [g2gips0] #8461: [Tunnel Established] IPsec SA established {ESP=>0xc7488fd9 < 0xcd1b9f35}
2017-02-01, 08:12:08      VPN Log      [g2gips0] #8454: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xcee3770f) not found (maybe expired)
2017-02-01, 08:15:15      VPN Log      [g2gips0] #8462: [Tunnel Established] sent MR3, ISAKMP SA established
2017-02-01, 08:19:30      VPN Log      [g2gips3] #8463: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0xc8dcbf5b < 0xcc9dcbd1 AH=>0xca3fff03 < 0xc2c1a9a1}
2017-02-01, 08:19:30      VPN Log      [g2gips3] #8456: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xcf402c1f) not found (maybe expired)
2017-02-01, 08:19:30      VPN Log      [g2gips3] #8456: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_AH SA(0xc8a48df1) not found (maybe expired)
2017-02-01, 08:22:26      VPN Log      [g2gips3] #8464: [Tunnel Established] ISAKMP SA established
2017-02-01, 08:40:16      VPN Log      [g2gips2] #8465: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0x0e4a3e29 < 0xcbfdf544}
2017-02-01, 08:40:16      VPN Log      [g2gips2] #8458: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x768101a0) not found (maybe expired)
2017-02-01, 08:43:20      VPN Log      [g2gips2] #8466: [Tunnel Established] ISAKMP SA established
2017-02-01, 09:03:39      VPN Log      [g2gips1] #8467: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0xc6c148cb < 0xcebb2d2b AH=>0xca438ec0 < 0xcf8cc5e7}
2017-02-01, 09:03:39      VPN Log      [g2gips1] #8460: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xc87dc05f) not found (maybe expired)
2017-02-01, 09:03:39      VPN Log      [g2gips1] #8460: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_AH SA(0xc0cde995) not found (maybe expired)
2017-02-01, 09:07:31      VPN Log      [g2gips1] #8468: [Tunnel Established] ISAKMP SA established
2017-02-01, 09:10:57      VPN Log      [g2gips0] #8469: [Tunnel Established] IPsec SA established {ESP=>0xc9bd1e0b < 0xc4ed1730}
2017-02-01, 09:10:57      VPN Log      [g2gips0] #8462: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xc7488fd9) not found (maybe expired)
2017-02-01, 09:14:18      VPN Log      [g2gips0] #8470: [Tunnel Established] sent MR3, ISAKMP SA established

Any idea if those errors could be the issue?

I don't see the tunnel go down and everything seems to work fine.

Thank you,

Frank
John

It appears to be connecting and reconnecting.

Can you post the configuration basics?

Here is what you need to post

Description
Tunnel Number 5
Interface on Router WAN 1
Enabled

Local Gateway Type: IP Only
(External) IP address
Local Security Group type: Subnet
192.168.000.0
255.255.255.0

Remote Gateway Type: Dyn IP + Email  (or what you need)  (or site to site value)
Remote IP address or email address  (these two are likely IP for you)
Remote Security Group type: Subnet
192.168.222.0
255.255.255.0

Keying Mode: IKE Pre-share
Phase 1
Group 2
3DES
SHA1
28800 Sec.
PFS OFF

Phase 2
Group 2
3DES
SHA1
3600 Sec.
Pre-shared key

Advanced
Main Mode (for site to site)
Compress OFF
Keep Alive ON Default
AH Hash (MD5) I have OFF
NetBIOS OFF
Nat Traversal ON or OFF whichever works
Pots (ASKER)

Description
Tunnel Number 1
Interface on Router WAN 1
Enabled

Local Gateway Type: IP Only
(External) IP address
Local Security Group type: Subnet
172.16.2.0
255.255.255.0

Remote Gateway Type: IP Only
Remote IP address or email address: I won't post this, but it's an external IP
Remote Security Group type: Subnet
206.xxx.43.0
255.255.255.0

Keying Mode: IKE Pre-share
Phase 1
Group 2
3DES
SHA1
3600 Sec.
PFS OFF

Phase 2
Group 2
3DES
SHA1
3600 Sec.
Pre-shared key.. not gonna show this ;)

Advanced
Keep-Alive is checked
Dead Peer Detection Interval is set to 10 sec

That's all

When I do ping tests in between sites, they work fine, maybe 2-3 timeouts during the whole day. I can copy big files over VPN and it works fine. So for me TCP is working OK. But I don't get it.

The above looks decent.

In Advanced:  Make sure Main Mode is selected NOT Aggressive.  Also try NAT Traversal both ways.
Pots (ASKER)

OK, let me try. I cannot find Main Mode, but I figure that not having Aggressive checked means Main Mode is the default?

I will come back to you.

If aggressive mode is unchecked then Main Mode will be in effect, yes.

Try NAT Traversal (although normally if this is not the correct value the tunnel will not connect)

Make sure under the Tunnel section near the top you have selected IKE with Preshared Key (not Certificate)
Pots (ASKER)

Yes IKE with Preshared key is selected.

I will try NAT and see what happens, but I thought that was not needed. Will see.

Just a quick history. Two of the sites that are having this issue had Active Directory installed on the infrastructure with Juniper switches.
AD was removed but not all the switches got reset to default. Do you think any of this could create issues?

I am testing ping inbetween sites to see if I get drops.

But the only thing I see wrong so far is the VPN logs.

Thank you.
Pots (ASKER)

Update. So I did put all tunnels with NATing, but the errors came back as shown below:

2017-02-03, 06:51:34      VPN Log      [g2gips3] #2604: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0xfeaf966d < 0xc82685fb}
2017-02-03, 06:51:34      VPN Log      [g2gips3] #2597: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x90bc585a) not found (maybe expired)
2017-02-03, 06:51:36      VPN Log      packet from 24.37.203.154:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK+PUBKEY
2017-02-03, 06:52:10      Kernel      last message repeated 3 times
2017-02-03, 06:53:12      Kernel      last message repeated 6 times
2017-02-03, 06:54:22      Kernel      last message repeated 7 times
2017-02-03, 06:55:24      Kernel      last message repeated 6 times
2017-02-03, 06:55:32      VPN Log      [g2gips3] #2605: [Tunnel Established] ISAKMP SA established
2017-02-03, 06:55:34      VPN Log      packet from 24.37.203.154:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK+PUBKEY
2017-02-03, 06:56:14      Kernel      last message repeated 4 times
2017-02-03, 06:57:18      Kernel      last message repeated 6 times
2017-02-03, 06:58:22      Kernel      last message repeated 6 times
2017-02-03, 06:58:32      VPN Log      packet from 24.37.203.154:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK+PUBKEY
2017-02-03, 06:58:36      VPN Log      [g2gips0] #2606: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0xc679faf7 < 0xc49c3654}
2017-02-03, 06:58:36      VPN Log      [g2gips0] #2600: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xc272432d) not found (maybe expired)
2017-02-03, 06:58:42      VPN Log      packet from 24.37.203.154:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK+PUBKEY
2017-02-03, 06:59:13      Kernel      last message repeated 3 times
2017-02-03, 06:59:53      Kernel      last message repeated 4 times

Maybe I forgot to mention, but there are 4 tunnels per location, so each can talk to each other. So four sites with four tunnels each.

Here is the log from one of the other sites that connects to this one:

2017-02-03, 06:52:42      [g2gips1] #8856: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0xc159a58b < 0xc2e1d470}
2017-02-03, 06:52:43      [g2gips1] #8849: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xc20b2208) not found (maybe expired)
2017-02-03, 06:55:29      [g2gips1] #8857: [Tunnel Established] ISAKMP SA established
2017-02-03, 06:55:49      [g2gips2] #8858: [Tunnel Established] ISAKMP SA established
2017-02-03, 06:57:47      [g2gips3] #8859: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0xcc45bce5 < 0xc4fcfa08}
2017-02-03, 06:57:47      [g2gips3] #8852: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xc30a202a) not found (maybe expired)
2017-02-03, 07:00:14      [g2gips3] #8860: [Tunnel Established] ISAKMP SA established
2017-02-03, 07:06:02      [g2gips2] #8861: [Tunnel Established] IPsec SA established {ESP=>0xa8353e0f < 0xc5eca0f2}
2017-02-03, 07:06:02      [g2gips2] #8858: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x55cf1009) not found (maybe expired)
2017-02-03, 07:33:55      [g2gips0] #8862: [Tunnel Established] IPsec SA established {ESP=>0xc5f15bb0 < 0xc5f386ee}
2017-02-03, 07:33:55      [g2gips0] #8854: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xc4fbf3fb) not found (maybe expired)
2017-02-03, 07:34:10      [g2gips0] #8863: [Tunnel Established] sent MR3, ISAKMP SA established
2017-02-03, 07:51:30      [g2gips1] #8864: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0xc5a961ad < 0xc29d7382}
2017-02-03, 07:51:30      [g2gips1] #8857: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xc159a58b) not found (maybe expired)
2017-02-03, 07:54:36      [g2gips1] #8865: [Tunnel Established] ISAKMP SA established
2017-02-03, 07:54:53      [g2gips2] #8866: [Tunnel Established] ISAKMP SA established
2017-02-03, 07:56:38      [g2gips3] #8867: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0xc1afff3a < 0xc92ce628}
2017-02-03, 07:56:38      [g2gips3] #8860: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xcc45bce5) not found (maybe expired)
2017-02-03, 07:59:25      [g2gips3] #8868: [Tunnel Established] ISAKMP SA established
2017-02-03, 08:01:44      [g2gips2]: cmd=down-client peer=externalIP peer_client=172.16.5.0/24 peer_client_net=172.16.5.0 peer_client_mask=255.255.255.0
2017-02-03, 08:01:44      ip route del 172.16.5.0/24 via externalIP dev eth1 metric 35
2017-02-03, 08:01:44      iptables -t nat -D vpn -s 172.16.2.0/24 -d 172.16.5.0/24 -j ACCEPT
2017-02-03, 08:01:44      iptables -t nat -D vpn -s 172.16.5.0/24 -d 172.16.2.0/24 -j ACCEPT
2017-02-03, 08:01:44      iptables -t nat -D vpn_postrouting -s 172.16.2.0/24 -d 172.16.5.0/24 -j ACCEPT
2017-02-03, 08:01:44      iptables -t nat -D vpn_postrouting -o eth0 -s 172.16.5.0/24 -d 172.16.2.0/24 -j ACCEPT
2017-02-03, 08:01:55      [g2gips2] #8869: [Tunnel Established] sent MR3, ISAKMP SA established
2017-02-03, 08:01:56      [g2gips2]: cmd=up-client peer=externalIP peer_client=172.16.5.0/24 peer_client_net=172.16.5.0 peer_client_mask=255.255.255.0
2017-02-03, 08:01:56      ip route add 172.16.5.0/24 via externalIP dev eth1 metric 35
2017-02-03, 08:01:56      iptables -t nat -I vpn -s 172.16.2.0/24 -d 172.16.5.0/24 -j ACCEPT
2017-02-03, 08:01:56      iptables -t nat -I vpn -s 172.16.5.0/24 -d 172.16.2.0/24 -j ACCEPT
2017-02-03, 08:01:56      iptables -t nat -I vpn_postrouting -s 172.16.2.0/24 -d 172.16.5.0/24 -j ACCEPT
2017-02-03, 08:01:56      iptables -t nat -I vpn_postrouting -o eth0 -s 172.16.5.0/24 -d 172.16.2.0/24 -j ACCEPT
2017-02-03, 08:01:56      [g2gips2] #8870: [Tunnel Established] IPsec SA established {ESP=>0xdd865b03 < 0xc87d0aa1}
2017-02-03, 08:32:48      [g2gips0] #8871: [Tunnel Established] IPsec SA established {ESP=>0xc1f1e7c7 < 0xcc686dab}
2017-02-03, 08:32:48      [g2gips0] #8863: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xc5f15bb0) not found (maybe expired)
2017-02-03, 08:33:16      [g2gips0] #8872: [Tunnel Established] sent MR3, ISAKMP SA established
2017-02-03, 08:50:22      [g2gips1] #8873: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0xc9d18851 < 0xce0e9368}
2017-02-03, 08:50:22      [g2gips1] #8865: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xc5a961ad) not found (maybe expired)
2017-02-03, 08:53:43      [g2gips1] #8874: [Tunnel Established] ISAKMP SA established
2017-02-03, 08:55:29      [g2gips3] #8875: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0xcfa3f426 < 0xcd34786c}
2017-02-03, 08:55:29      [g2gips3] #8868: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xc1afff3a) not found (maybe expired)
2017-02-03, 08:58:34      [g2gips3] #8876: [Tunnel Established] ISAKMP SA established
2017-02-03, 09:01:30      [g2gips2] #8877: [Tunnel Established] ISAKMP SA established
2017-02-03, 09:01:52      [g2gips2] #8878: [Tunnel Established] IPsec SA established {ESP=>0x37a53850 < 0xc5467e53}
2017-02-03, 09:01:52      [g2gips2] #8877: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xdd865b03) not found (maybe expired)

Thank you.

Frank
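As an added example that is not part of this thread or Cisco's firmware, here is a small Python parser for the RV325 VPN log format quoted above: it measures the interval between successive "IPsec SA established" events per tunnel (in the first log, g2gips0 re-establishes 3529 s apart, just under the 3600 s Phase 2 lifetime) and separates the "Delete SA ... not found" lines that arrive together with a new SA on the same tunnel, where the deleted SPI is the previous one (0xc7488fd9 in the first log), from stray deletes and from the "no connection has been authorized" lines. The sample log is constructed in the thread's format, 203.0.113.10 is a placeholder peer address, and the 5-second pairing window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample in the RV325 log format quoted in this thread; the second
# site's log lacks the "VPN Log"/"Kernel" facility column, so it is optional.
# 203.0.113.10 is a documentation-range placeholder for the peer address.
SAMPLE_LOG = """\
2017-02-01, 08:12:08      VPN Log      [g2gips0] #8461: [Tunnel Established] IPsec SA established {ESP=>0xc7488fd9 < 0xcd1b9f35}
2017-02-01, 08:12:08      VPN Log      [g2gips0] #8454: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xcee3770f) not found (maybe expired)
2017-02-01, 09:10:57      VPN Log      [g2gips0] #8469: [Tunnel Established] IPsec SA established {ESP=>0xc9bd1e0b < 0xc4ed1730}
2017-02-01, 09:10:57      VPN Log      [g2gips0] #8462: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xc7488fd9) not found (maybe expired)
2017-02-01, 09:12:00      [g2gips1] #8470: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0xc159a58b < 0xc2e1d470}
2017-02-01, 09:40:00      [g2gips1] #8471: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xc159a58b) not found (maybe expired)
2017-02-01, 09:41:00      VPN Log      packet from 203.0.113.10:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK+PUBKEY
"""
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}), (\d{2}:\d{2}:\d{2})\s+(?:VPN Log|Kernel)?\s*(.*)$")
TUNNEL_RE = re.compile(r"^\[(g2gips\d+)\] #\d+: \[[^\]]+\] (.*)$")

def parse_log(text):
    """Return (timestamp, tunnel name or None, message) per recognised line."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts = datetime.strptime(m.group(1) + " " + m.group(2), "%Y-%m-%d %H:%M:%S")
        t = TUNNEL_RE.match(m.group(3))  # lines like 'packet from ...' name no tunnel
        events.append((ts, t.group(1), t.group(2)) if t else (ts, None, m.group(3)))
    return events

def analyze(events, window=5):
    """Per tunnel: seconds between consecutive 'IPsec SA established' events
    (compare with the 3600 s Phase 2 lifetime in this thread). Also count the
    'Delete SA ... not found' lines that land within `window` s of a new SA on
    the same tunnel (the old SA was just replaced) versus stray ones, and the
    policy-mismatch lines, which name no tunnel at all. Window is an assumption."""
    est, last, gaps = defaultdict(list), {}, defaultdict(list)
    for ts, tun, msg in events:
        if tun and "IPsec SA established" in msg:
            est[tun].append(ts)
            if tun in last:
                gaps[tun].append(int((ts - last[tun]).total_seconds()))
            last[tun] = ts
    counts = {"rekey_delete": 0, "stray_delete": 0, "policy_mismatch": 0}
    for ts, tun, msg in events:
        if "no connection has been authorized" in msg:
            counts["policy_mismatch"] += 1
        elif "ignoring Delete SA payload" in msg:
            near = any(abs((ts - e).total_seconds()) <= window for e in est[tun])
            counts["rekey_delete" if near else "stray_delete"] += 1
    return {"rekey_seconds": dict(gaps), **counts}
```

A rising stray_delete or policy_mismatch count is what to chase; a delete of the just-replaced SPI at rekey time is consistent with the old SA already being gone on the local side.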

You connect so the parameters appear to be correct.

Maybe I forgot to mention but there is 4 tunnel per location.  <-- Make sure subnets are all unique or at least not interfering.

Also update the firmware on the RV325. There is a recent firmware update for it.
Pots (ASKER)

All tunnels are on a different subnet... 72.16.2.  172.16.4 172.16.5 172.21....

I am checking for the firmware... stay tuned.
Pots (ASKER)

OK it's on the latest firmware.

So now you need to check:

1. Modem and networking that the Modem, ISP, firewall, and networking are not interfering with packets.
2. The setup at the other end mirrors this end. Watch for Main Mode, Keep Alive and Dead Peer Detect and all others.
Pots (ASKER)

OK will do.. I'll get back to you.. if you have any suggestions please feel free.

Thx.
Pots (ASKER)

I noticed some ping timeouts when I did some tests in between the sites. On days that the staff is working it occurs about 5-6 times a day, with a maximum 3 sec timeout.

I do not see anyone complaining about the tunnel dropping. But do you think those timeouts could interrupt the TCP connection? Enough to drop an RDP session from Microsoft? I am looking at what the maximum allowed time is for an RDP session before it drops.

I know there is auto-correction at the packet level, but I am puzzled as to whether this is related to the tunnels or something else on the network.

Those sites were obtained and they were managed by another company before. It's running on Juniper switches. Those were never reset. Maybe I should do that to eliminate anything at the layer 1 and 2 level?

Thank you...

Yes, try resetting the Juniper gear. We use Juniper Netscreen at clients and my Cisco RV325 tunnels are happy with them.
Pots (ASKER)

Well no luck with resetting all the switches.

Do you know how I can fix those VPN log issues? I can't find what they are about.

Thx