ASA5510 : dynamic vpn problem

Thotsaphon Lueangwattanaphong — Mon, 11 Mar 2019 14:06:53 GMT

hi all,

I'm using ASA5510 and Zyxel routers to do site-to-site vpn. Because all of Zyxel routers are using ADSL(dynamic IP address). I decided to use dynamic vpn on the ASA. The serious problem is that when the tunnels have been built and then some tunnel will be brought down . I tried to debug. The messages are as follows:

Oct 29 13:27:16 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x62b09b4d

Oct 29 13:27:16 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=ee723a0d) with payloads : HDR + HASH (8) + DELETE (1

2) + NONE (0) total length : 76

Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, processing hash payload

Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, processing delete

Oct 29 13:27:16 [IKEv1]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, Connection terminated for peer DefaultL2LGroup. Reason: Peer

Terminate Remote Proxy N/A, Local Proxy N/A

Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, sending delete/delete with reason message

Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, constructing blank hash payload

Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, constructing IPSec delete payload

Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, constructing qm hash payload

Oct 29 13:27:16 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=507e92d8) with payloads : HDR + HASH (8) + DELETE (12

) + NONE (0) total length : 64

Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, Active unit receives a delete event for remote peer xx.xx.xx.xx

Oct 29 13:27:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, IKE Deleting SA: Remote Proxy 192.3.11.0, Local Proxy 17

2.16.0.0

Oct 29 13:27:16 [IKEv1]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, Deleting static route for L2L peer that came in on a dynamic m

ap. address: 192.3.11.0, mask: 255.255.255.0

I'm not sure why the Zyxel sent the delete message to the ASA. Then ASA processes that message. As a result, The tunnel has to be re-built.

It always happens. Normally, it should not be a problem as long as the tunnel is still up and packets are being passed through the tunnel.

Please help.

Rgds

Toshi

Re: ASA5510 : dynamic vpn problem

Thotsaphon Lueangwattanaphong — Mon, 03 Nov 2008 15:46:28 GMT

hi again,

I just changed from ASA to ISR router(IOS Sec). Router did okay although it got lots of error messages. The tunnel is still up though.

F.e. Router Error.

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=y.y.y.y, prot=50, spi=0x28DA0254(685376084), srcaddr=x.x.x.x

I configured as this link,http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

Any idea?

Thanks in advance

Toshi

topic ASA5510 : dynamic vpn problem in Network Security

ASA5510 : dynamic vpn problem

Re: ASA5510 : dynamic vpn problem