L2TP VPN To Private Internet Access flapping (up and down in every 30 mins)

aprathore
Level 1

Hi All,

I have a very simple configuration of an L2TP tunnel to a VPN provider.

The source is an internal IP (192.168.0.X) and the destination is the VPN provider's server.

I have set up policy-based routing where only one VLAN's traffic goes via the VPN Virtual-PPP 1 interface.

All other traffic goes straight to my internet provider.

I have the tunnel and routing all working, but my interface Virtual-PPP1 is flapping (up/down) every 30 minutes for 5-10 seconds. It does this precisely after 30 minutes every time.

Some logs:

*Nov 8 22:09:22.211: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-PPP1, changed state to down
*Nov 8 22:09:26.507: Vp1 PPP: Using default call direction
*Nov 8 22:09:26.507: Vp1 PPP: Treating connection as a dedicated line
*Nov 8 22:09:26.507: Vp1 PPP: Session handle[BC000005] Session id[1]
*Nov 8 22:09:28.579: Vp1 MS-CHAP-V2: I CHALLENGE id 45 len 26 from "l2tpd"
*Nov 8 22:09:28.579: Vp1 PPP: Sent MSCHAP_V2 SENDAUTH Request
*Nov 8 22:09:28.579: Vp1 PPP: Received SENDAUTH Response FAIL
*Nov 8 22:09:28.579: Vp1 MS CHAP V2: Using hostname from interface CHAP
*Nov 8 22:09:28.579: Vp1 MS CHAP V2: Using password from interface CHAP
*Nov 8 22:09:28.579: Vp1 MS-CHAP-V2: O RESPONSE id 45 len 62 from "x6531XXX"
*Nov 8 22:09:28.691: Vp1 MS-CHAP-V2: I SUCCESS id 45 len 46 msg is "S=AAFD623651341545757AE9CACB249F853B58ACA0"
*Nov 8 22:09:28.691: Vp1 MS CHAP V2 No Password found for : l2tpd
*Nov 8 22:09:28.691: Vp1 MS CHAP V2 Check AuthenticatorResponse Success for : x653XXX
*Nov 8 22:09:28.691: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-PPP1, changed state to up

 

*Nov 8 22:05:43.815: IPSEC(lifetime_expiry): SA lifetime threshold reached, expiring in 179 seconds
*Nov 8 22:05:43.815: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 192.168.0.100:4500, remote= 46.166.188.203:4500,
local_proxy= 192.168.0.100/255.255.255.255/17/0,
remote_proxy= 46.166.188.203/255.255.255.255/17/1701,
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0x3B09B975(990493045), conn_id= 0, keysize= 256, flags= 0x0
*Nov 8 22:05:43.815: ISAKMP: set new node 0 to QM_IDLE
*Nov 8 22:05:43.815: SA has outstanding requests (local 3.150.7.176 port 4500, remote 3.150.7.148 port 4500)
*Nov 8 22:05:43.815: ISAKMP:(2001): sitting IDLE. Starting QM immediately (QM_IDLE )
*Nov 8 22:05:43.815: ISAKMP:(2001):beginning Quick Mode exchange, M-ID of 1107052943
*Nov 8 22:05:43.815: ISAKMP:(2001):QM Initiator gets spi
*Nov 8 22:05:43.815: ISAKMP:(2001): sending packet to 46.166.188.203 my_port 4500 peer_port 4500 (I) QM_IDLE
*Nov 8 22:05:43.815: ISAKMP:(2001):Sending an IKE IPv4 Packet.
*Nov 8 22:05:43.815: ISAKMP:(2001):Node 1107052943, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Nov 8 22:05:43.815: ISAKMP:(2001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Nov 8 22:05:43.839: ISAKMP (2001): received packet from 46.166.188.203 dport 4500 sport 4500 Global (I) QM_IDLE
*Nov 8 22:05:43.839: ISAKMP:(2001): processing HASH payload. message ID = 1107052943
*Nov 8 22:05:43.839: ISAKMP:(2001): processing SA payload. message ID = 1107052943
*Nov 8 22:05:43.839: ISAKMP:(2001):Checking IPSec proposal 1
*Nov 8 22:05:43.839: ISAKMP: transform 1, ESP_AES
*Nov 8 22:05:43.839: ISAKMP: attributes in transform:
*Nov 8 22:05:43.839: ISAKMP: key length is 256
*Nov 8 22:05:43.839: ISAKMP: authenticator is HMAC-SHA
*Nov 8 22:05:43.839: ISAKMP: encaps is 4 (Transport-UDP)
*Nov 8 22:05:43.839: ISAKMP: SA life type in seconds
*Nov 8 22:05:43.839: ISAKMP: SA life duration (basic) of 3600
*Nov 8 22:05:43.839: ISAKMP: SA life type in kilobytes
*Nov 8 22:05:43.839: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Nov 8 22:05:43.839: ISAKMP:(2001):atts are acceptable.
*Nov 8 22:05:43.839: IPSEC(validate_proposal_request): proposal part #1
*Nov 8 22:05:43.839: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.0.100:0, remote= 46.166.188.203:0,
local_proxy= 94.4.186.72/255.255.255.255/17/0,
remote_proxy= 46.166.188.203/255.255.255.255/17/1701,
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Nov 8 22:05:43.839: Crypto mapdb : proxy_match
src addr : 192.168.0.100
dst addr : 46.166.188.203
protocol : 17
src port : 0
dst port : 1701
*Nov 8 22:05:43.839: ISAKMP:(2001): processing NONCE payload. message ID = 1107052943
*Nov 8 22:05:43.839: ISAKMP:(2001): processing ID payload. message ID = 1107052943
*Nov 8 22:05:43.839: ISAKMP:(2001): processing ID payload. message ID = 1107052943
*Nov 8 22:05:43.839: ISAKMP:received payload type 21
*Nov 8 22:05:43.839: ISAKMP:received payload type 21
*Nov 8 22:05:43.839: ISAKMP:(2001):Node 1107052943, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Nov 8 22:05:43.839: ISAKMP:(2001):Old State = IKE_QM_I_QM1 New State = IKE_QM_IPSEC_INSTALL_AWAIT
*Nov 8 22:05:43.843: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Nov 8 22:05:43.843: Crypto mapdb : proxy_match
src addr : 192.168.0.100
dst addr : 46.166.188.203
protocol : 17
src port : 0
dst port : 1701
*Nov 8 22:05:43.843: IPSEC(crypto_ipsec_create_ipsec_sas): Map found PIA_VPN
*Nov 8 22:05:43.843: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.0.100, sa_proto= 50,
sa_spi= 0xC7ACCBD2(3349990354),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 7
sa_lifetime(k/sec)= (4608000/3600)
*Nov 8 22:05:43.843: IPSEC(create_sa): sa created,
(sa) sa_dest= 46.166.188.203, sa_proto= 50,
sa_spi= 0xC8686DCD(3362287053),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 8
sa_lifetime(k/sec)= (4608000/3600)
*Nov 8 22:05:43.843: IPSEC(update_current_outbound_sa): updated peer 46.166.188.203 current outbound sa to SPI C8686DCD
*Nov 8 22:05:43.843: IPSEC: Expand action denied, notify RP
*Nov 8 22:05:43.843: ISAKMP: Failed to find peer index node to update peer_info_list
*Nov 8 22:05:43.843: ISAKMP:(2001):Received IPSec Install callback... proceeding with the negotiation
*Nov 8 22:05:43.843: ISAKMP:(2001): sending packet to 46.166.188.203 my_port 4500 peer_port 4500 (I) QM_IDLE
*Nov 8 22:05:43.843: ISAKMP:(2001):Sending an IKE IPv4 Packet.
*Nov 8 22:05:43.843: ISAKMP:(2001):deleting node 1107052943 error FALSE reason "No Error"
*Nov 8 22:05:43.843: ISAKMP:(2001):Node 1107052943, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Nov 8 22:05:43.843: ISAKMP:(2001):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_PHASE2_COMPLETE
*Nov 8 22:05:45.863: IPSEC(update_current_outbound_sa): updated peer 46.166.188.203 current outbound sa to SPI C8686DCD
*Nov 8 22:05:45.863: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 192.168.0.100, sa_proto= 50,
sa_spi= 0x3B09B975(990493045),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 5
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 192.168.0.100:0, remote= 46.166.188.203:0,
local_proxy= 192.168.0.100/255.255.255.255/17/0,
remote_proxy= 46.166.188.203/255.255.255.255/17/1701
*Nov 8 22:05:45.863: IPSEC(update_current_outbound_sa): updated peer 46.166.188.203 current outbound sa to SPI C8686DCD
*Nov 8 22:05:45.863: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 46.166.188.203, sa_proto= 50,
sa_spi= 0xCFEF1AFA(3488553722),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 6
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 192.168.0.100:0, remote= 46.166.188.203:0,
local_proxy= 192.168.0.100/255.255.255.255/17/0,
remote_proxy= 46.166.188.203/255.255.255.255/17/1701
*Nov 8 22:05:45.863: ISAKMP: set new node -1268993664 to QM_IDLE
*Nov 8 22:05:45.863: ISAKMP:(2001): sending packet to 46.166.188.203 my_port 4500 peer_port 4500 (I) QM_IDLE
*Nov 8 22:05:45.863: ISAKMP:(2001):Sending an IKE IPv4 Packet.
*Nov 8 22:05:45.863: ISAKMP:(2001):purging node -1268993664
*Nov 8 22:05:45.863: ISAKMP:(2001):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
*Nov 8 22:05:45.863: ISAKMP:(2001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
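
A log-correlation sketch for the symptom described in the post above, added here as an example and not part of the original post: it pairs each Virtual-PPP1 down/up transition and reports the outage length and the time since the last IPsec SA event, so the flap interval can be compared against the negotiated SA lifetime. The sample lines are taken from the post's debug output; the function names and the placeholder year (IOS timestamps carry none) are assumptions.

```python
import re
from datetime import datetime

# Sample input: five lines taken from the debug output in the post above.
SAMPLE = """\
*Nov 8 22:05:43.815: IPSEC(lifetime_expiry): SA lifetime threshold reached, expiring in 179 seconds
*Nov 8 22:05:43.843: IPSEC(create_sa): sa created,
*Nov 8 22:05:45.863: IPSEC(delete_sa): deleting SA,
*Nov 8 22:09:22.211: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-PPP1, changed state to down
*Nov 8 22:09:28.691: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-PPP1, changed state to up
"""

STAMP = re.compile(r"^\*(\w{3}) +(\d+) (\d\d:\d\d:\d\d\.\d+): (.*)$")
LINK = re.compile(r"%LINEPROTO-5-UPDOWN: .*Interface (\S+), changed state to (up|down)")
REKEY = re.compile(r"IPSEC\((lifetime_expiry|create_sa|delete_sa)\)")

def parse_events(text, year=2000):
    """Return time-sorted (datetime, kind, detail) tuples; year is a placeholder (assumption)."""
    events = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if not m:
            continue  # continuation lines of multi-line debug records have no timestamp
        mon, day, clock, msg = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S.%f")
        if (l := LINK.search(msg)):
            events.append((ts, "link-" + l.group(2), l.group(1)))
        elif (r := REKEY.search(msg)):
            events.append((ts, "ipsec", r.group(1)))
    return sorted(events)

def flaps(events):
    """Pair each link-down with the next link-up on the same interface."""
    out, down, last_ipsec = [], None, None
    for ts, kind, detail in events:
        if kind == "ipsec":
            last_ipsec = ts
        elif kind == "link-down":
            down = (ts, detail, last_ipsec)
        elif kind == "link-up" and down and down[1] == detail:
            since = round((down[0] - down[2]).total_seconds(), 3) if down[2] else None
            out.append({"interface": detail, "down_at": down[0], "since_ipsec_event_s": since,
                        "outage_s": round((ts - down[0]).total_seconds(), 3)})
            down = None
    return out

if __name__ == "__main__":
    for flap in flaps(parse_events(SAMPLE)):
        print(flap)
```

Run over a capture spanning several flaps, the `down_at` values give the exact interval between outages to set beside the `lifedur` figures in the debug output.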
