08-05-2013 06:30 AM
Hi,
I have a customer with a Windows Server with a public IP on the interface. I configured connection security rules to have IPSec connectivity.
It works for the current ISP's routers they have at their premise. But we are changing ISP and need our own equipment.
So I have an ISA550W. It's WAN interface has a private IP with the new provider. But NAT-T should solve that.
I can't get it to work unfortunately. When I assign a public IP to the WAN interface it works, but that's only for testing, I can't keep it.
I can confirm the ISP's router is configured correctly as I have an old RVS4000 configured with same private IP and that one works with NAT-T.
But it's not a stable appliance. Pinging works days long, but once the customer starts increasing traffic the device resets.
Thats why I bought the ISA550W.
But the VPN connects/disconnects every second actually... It has the latest FW as I read there was an issue with NAT-T in earlier versions.
I attached a log but changed the WAN IP to 1.2.3.4
In short: I pasted the part that repeats here:
2013-08-05 12:10:16 - Warning - IPsec VPN: msg="OVH"[1] 1.2.3.4 #131: received and ignored informational message; (pluto)
2013-08-05 12:10:16 - Warning - IPsec VPN: msg="OVH"[1] 1.2.3.4 #131: received Delete SA(0x9e3eb75e) payload: deleting IPSEC State #735; (pluto)
2013-08-05 12:10:16 - Warning - IPsec VPN: msg="OVH"[1] 1.2.3.4 #131: receive delete state Tunnel1 999 735; (pluto)
2013-08-05 12:10:16 - Warning - IPsec VPN: msg="OVH"[1] 1.2.3.4 #736: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0486514b <0xa6aab2d0 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=1.2.3.4:4500 DPD=none}; (pluto)
2013-08-05 12:10:15 - Info - IPsec VPN: msg="OVH"[1] 1.2.3.4 #736: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2; (pluto)
2013-08-05 12:10:15 - Info - IPsec VPN: msg="OVH"[1] 1.2.3.4 #736: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it; (pluto)
2013-08-05 12:10:15 - Warning - IPsec VPN: msg="OVH"[1] 1.2.3.4 #736: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2; (pluto)
2013-08-05 12:10:15 - Info - IPsec VPN: msg="OVH"[1] 1.2.3.4 #736: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1; (pluto)
2013-08-05 12:10:15 - Info - IPsec VPN: msg="OVH"[1] 1.2.3.4 #736: [setup_half_ipsec_sa:1908] c->name(Tunnel1), d1(1.2.3.4/32), instance_serial (1), s1(192.168.75.0/24)...; (pluto)
2013-08-05 12:10:15 - Info - IPsec VPN: msg="OVH"[1] 1.2.3.4 #736: keeping refhim=387 during rekey; (pluto)
2013-08-05 12:10:15 - Info - IPsec VPN: msg="OVH"[1] 1.2.3.4 #736: them: 1.2.3.4[+S=C]===1.2.3.4/32; (pluto)
2013-08-05 12:10:15 - Info - IPsec VPN: msg="OVH"[1] 1.2.3.4 #736: us: 192.168.75.0/24===192.168.20.15<192.168.20.15>[192.168.75.0,+S=C]---192.168.20.14; (pluto)
2013-08-05 12:10:15 - Info - IPsec VPN: msg="OVH"[1] 1.2.3.4 #736: responding to Quick Mode proposal {msgid:5d020000}; (pluto)
2013-08-05 12:10:15 - Info - IPsec VPN: msg="OVH"[1] 1.2.3.4 #736: the peer proposed: 192.168.75.0/24:0/0 -> 1.2.3.4/32:0/0; (pluto)
2013-08-05 12:10:15 - Info - IPsec VPN: msg="OVH"[1] 1.2.3.4 #131: the peer proposed: 192.168.75.0/24:0/0 -> 1.2.3.4/32:0/0; (pluto)
2013-08-05 12:10:15 - Warning - IPsec VPN: msg="OVH"[1] 1.2.3.4 #131: received and ignored informational message; (pluto)
2013-08-05 12:10:15 - Warning - IPsec VPN: msg="OVH"[1] 1.2.3.4 #131: received Delete SA(0x9bb14591) payload: deleting IPSEC State #734; (pluto)
2013-08-05 12:10:15 - Warning - IPsec VPN: msg="OVH"[1] 1.2.3.4 #131: receive delete state Tunnel1 999 734; (pluto)
2013-08-05 12:10:15 - Warning - IPsec VPN: msg="OVH"[1] 1.2.3.4 #735: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x9e3eb75e <0xa6aab2cf xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=1.2.3.4:4500 DPD=none}; (pluto)
2013-08-05 12:10:15 - Info - IPsec VPN: msg="OVH"[1] 1.2.3.4 #735: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2; (pluto)
I know it can work as the RVS4000 kept the IPSec tunnel stable when only pinging.
Anyone here who can help me troubleshoot? In a way it can't be the server as it works with the RVS4000.
There is a ping running continously on the server to the LAN interface of the Cisco.
thank you!
best regards
David
08-05-2013 12:12 PM
Update: In a way it's a Windows Server 2008r2 problem: Identical config with NAT + Server 2012 works.
So I opened a forum post here: http://social.technet.microsoft.com/Forums/en-US/d245fd0e-b6a5-4a39-9257-5445c4c9ada1/windows-firewall-with-advanced-security-ipsec-bug
But it's also a Cisco issue as identical config with Server 2008r2 and Linksys appliance: works...
So I think they need to work together on this one I think.
Microsoft would say it's a Cisco issue as the Linksys works, and Cisco would say it's a Microsoft issue as Cisco <=> Server 2012 with NAT works...
06-06-2014 02:04 PM
David,
Did you find out anything? I have this same issue, no warning, debug shows nothing but that it received a message to disconnect. Happens quite often. Not working for offsite backups at all. Did you get any help?I do not have any NAT going on, just the tunnel.
Thanks,
Tom
06-23-2014 04:41 AM
Hi Tom sorry for the late reply. I'm afraid I can't give you anymore info as it started working perfectly without NAT and with this hotfix from the other discussion: http://support.microsoft.com/kb/2523881/en-us
best regards
David
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide