04-19-2012 12:29 PM
I have an RV082 that has an issue keeping an IPSEC Gateway to Gateway VPN running from itself to our ASA 5510.
At 8 hours of connectivity (I can almost set a clock to it) the Tunnel will say it is connected on the RV082 but on the ASA 5510 the tunnel is not up.
If I click on disconnect on the RV082 under the VPN Summary page things will come back up. From the ASA 5510 side there is nothing I can do to get things back (ping inside "vpn network" or even trying to make a connection to a networked VPN machine).
To make things more complicated I have another VPN on the RV082 to a PIX 506e that works with no issues. I also have another RV082 at another location with the same settings that keeps its tunnel with the ASA 5510 without any issue.
Some things I have tried to try and fix the issue are:
I upgraded the firmware on the RV082 V3 from 4.0.0.7-tm (what it was shipped with) to 4.1.1.01-sp - this seemed to have no effect.
On the RV082 I have changed the MTU from automatic to 1428 and 1452 - all this does is make the connection to the PIX 506e unstable like it is for the ASA 5510. I have changed this back to automatic.
Since the time of stability seems to be 8 hours I have changed the "Phase 1 SA life time" and "Phase 2 SA life time" to 28800, both at the same time and individually - this seemed to have no effect.
The current configuration on the RV082 is:
Local security gateway type: IP Only
IP address: (local ISP provided static IP address)
Local security group type: subnet
IP address: 192.168.30.0
subnetmask: 255.255.255.0
Remote security gateway type: IP only
IP address: Remote address provided by ISP
Remote Security type: Subnet
IP address: 192.168.26.0
subnet mask: 255.255.255.0
Keying mode: IKE with Preshared key
Phase 1 DH Group: Group 2 - 1024 bit
Phase 1 Encryption: 3DES
Phase 1 Authentication: MD5
Phase 1 SA Life Time: 86400
Perfect forward secrecy: is not checked.
Phase 2 DH Group: Group 2 - 1024 bit
Phase 2 Encryption: 3DES
Phase 2 Authentication: MD5
Phase 2 SA Life Time: 86400
Preshared key: <shared-key>
Minimum Preshared Key Complexity: is checked
Preshared Key Strength meter: goes to 2 green boxes.
Advanced settings: nothing is set up.
ASA IPSEC related settings for this VPN:
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df inside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet_map 7 match address internet_cryptomap_7
crypto map internet_map 7 set peer (Static_IP_ADDRESS)
crypto map internet_map 7 set transform-set ESP-3DES-MD5
crypto map internet_map 7 set reverse-route
crypto isakmp enable internet
crypto isakmp policy 4
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group (Static_IP_ADDRESS) type ipsec-l2l
tunnel-group (Static_IP_ADDRESS) ipsec-attributes
pre-shared-key <shared-key>
Thanks in advance.
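A side-by-side check of the settings posted above, as an added example that is not part of the original post: it parses the negotiation-relevant ASA lines and compares them with the RV082 values for proposal and lifetime mismatches. The RV082 dictionary layout and the finding codes are assumptions made for this sketch; the values are the ones in the post.

```python
import re

# Negotiation-relevant ASA lines copied from the post above (two of the four
# ISAKMP policies are kept to stay short; the parser handles any number).
ASA_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map internet_map 7 set transform-set ESP-3DES-MD5
crypto isakmp policy 4
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
"""

# RV082 GUI values from the same post, normalised to ASA keywords.
# This dictionary layout is an assumption of the example, not an RV082 format.
RV082 = {
    "phase1": {"encryption": "3des", "hash": "md5", "group": "2", "lifetime": "86400"},
    "phase2": {"encryption": "3des", "hash": "md5", "lifetime_seconds": 86400},
}


def parse_asa(text):
    """Extract ISAKMP policies, transform sets, global SA lifetimes and map sets."""
    cfg = {"policies": {}, "transforms": {}, "lifetime": {}, "map_sets": []}
    policy = None  # ISAKMP policy block currently being filled, if any
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"crypto isakmp policy (\d+)", line):
            policy = cfg["policies"].setdefault(int(m.group(1)), {})
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) esp-(\S+) esp-(\w+)-hmac", line):
            cfg["transforms"][m.group(1)] = {"encryption": m.group(2), "hash": m.group(3)}
            policy = None
        elif m := re.fullmatch(r"crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)", line):
            cfg["lifetime"][m.group(1)] = int(m.group(2))
            policy = None
        elif m := re.fullmatch(r"crypto map \S+ \d+ set transform-set (.+)", line):
            cfg["map_sets"].extend(m.group(1).split())
            policy = None
        elif line.startswith("crypto "):
            policy = None  # any other top-level command ends the policy block
        elif policy is not None and len(line.split()) == 2:
            key, value = line.split()
            policy[key] = value
    return cfg


def compare(rv, asa):
    """Return (code, detail) findings for the two peers' posted settings."""
    findings = []
    p1 = rv["phase1"]
    matches = [n for n, p in sorted(asa["policies"].items())
               if all(p.get(k) == p1[k] for k in ("encryption", "hash", "group"))]
    if not matches:
        findings.append(("P1_NO_MATCH", "no ISAKMP policy matches the RV082 proposal"))
    else:
        n = matches[0]
        findings.append(("P1_MATCH", f"ISAKMP policy {n}"))
        asa_life = asa["policies"][n].get("lifetime")
        if asa_life != p1["lifetime"]:
            findings.append(("P1_LIFETIME", f"RV082 {p1['lifetime']} s vs ASA {asa_life} s"))

    p2 = rv["phase2"]
    sets = [asa["transforms"][s] for s in asa["map_sets"] if s in asa["transforms"]]
    if not any(t["encryption"] == p2["encryption"] and t["hash"] == p2["hash"] for t in sets):
        findings.append(("P2_NO_MATCH", "crypto map transform sets do not match the RV082"))
    # The crypto map entry sets no lifetime of its own, so the global values apply.
    secs = asa["lifetime"].get("seconds")
    if secs is not None and secs != p2["lifetime_seconds"]:
        findings.append(("P2_LIFETIME", f"RV082 {p2['lifetime_seconds']} s vs ASA {secs} s"))
    if "kilobytes" in asa["lifetime"]:
        findings.append(("P2_VOLUME_LIFETIME",
                         f"ASA rekeys after {asa['lifetime']['kilobytes']} KB; no RV082 counterpart is listed"))
    return findings


if __name__ == "__main__":
    for code, detail in compare(RV082, parse_asa(ASA_CONFIG)):
        print(f"{code}: {detail}")
```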
04-25-2012 12:28 PM
And I spoke too soon. At about 15 hours of uptime on the routers, the tunnel collapsed.
I didn't have time to grab any of the ASA information.
But here is the log from the RV082:
Apr 25 04:34:03 2012 VPN Log (g2gips0) #2134: [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Apr 25 04:34:03 2012 VPN Log (g2gips0) #2134: [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Apr 25 04:34:03 2012 VPN Log (g2gips0) #2134: ISAKMP SA established
Apr 25 04:34:23 2012 VPN Log (g2gips0) #2126: received Delete SA(0x5d1033a3) payload: deleting IPSEC State #2127
Apr 25 04:34:23 2012 VPN Log (g2gips0) #2126: received Delete SA(0x5d1033a3) payload: deleting IPSEC State #2127
Apr 25 08:22:50 2012 System Log HTTP Basic authentication success for user: admin
Apr 25 12:12:48 2012 System Log HTTP Basic authentication success for user: admin
Apr 25 12:13:02 2012 VPN Log (g2gips1): terminating SAs using this connection
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2132: deleting state (STATE_QUICK_I2)
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2130: deleting state (STATE_MAIN_R3)
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: initiating Main Mode
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: ignoring Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: ignoring Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: ignoring Vendor ID payload [Cisco-Unity]
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: ignoring Vendor ID payload [Cisco-Unity]
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: ignoring Vendor ID payload [XAUTH]
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: ignoring Vendor ID payload [XAUTH]
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: ignoring Vendor ID payload [7e420be1beab43a69ad733fc7575fa04]
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: ignoring Vendor ID payload [7e420be1beab43a69ad733fc7575fa04]
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: received Vendor ID payload [Dead Peer Detection]
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: received Vendor ID payload [Dead Peer Detection]
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: [Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: [Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: Peer ID is ID_IPV4_ADDR: '
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2135: ISAKMP SA established
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2136: initiating Quick Mode PSK+ENCRYPT+TUNNEL {using isakmp#2135}
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2136: [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2136: [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2136: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2136: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2136: [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2136: [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2136: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=1-1.
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2136: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=1-1.
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2136: [Tunnel Negotiation Info] Inbound SPI value = a3811a38
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2136: [Tunnel Negotiation Info] Inbound SPI value = a3811a38
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2136: [Tunnel Negotiation Info] Outbound SPI value = b68751cd
Apr 25 12:13:02 2012 VPN Log (g2gips1) #2136: [Tunnel Negotiation Info] Outbound SPI value = b68751cd
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2136: [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2136: [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2136: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2136: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2136: sent QI2, IPsec SA established {ESP=>0xb68751cd <0xa3811a38
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2137: initiating Quick Mode PSK+ENCRYPT+TUNNEL {using isakmp#2135}
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2137: [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2137: [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2137: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2137: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2137: [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2137: [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2137: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=1-1.
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2137: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=1-1.
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2137: [Tunnel Negotiation Info] Inbound SPI value = 405d2a04
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2137: [Tunnel Negotiation Info] Inbound SPI value = 405d2a04
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2137: [Tunnel Negotiation Info] Outbound SPI value = d64d6af1
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2137: [Tunnel Negotiation Info] Outbound SPI value = d64d6af1
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2137: [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2137: [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2137: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2137: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2137: sent QI2, IPsec SA established {ESP=>0xd64d6af1 <0x405d2a04
Apr 25 12:13:04 2012 VPN Log (g2gips1) #2135: received Delete SA(0xb68751cd) payload: deleting IPSEC State #2136
Apr 25 12:13:04 2012 VPN Log (g2gips1) #2135: received Delete SA(0xb68751cd) payload: deleting IPSEC State #2136
Apr 25 12:13:08 2012 VPN Log packet from
Apr 25 12:13:08 2012 VPN Log packet from
Apr 25 12:13:08 2012 VPN Log packet from
Apr 25 12:13:08 2012 VPN Log packet from
Apr 25 12:13:08 2012 VPN Log packet from
Apr 25 12:13:08 2012 VPN Log packet from
Apr 25 12:13:08 2012 VPN Log packet from
Apr 25 12:13:08 2012 VPN Log packet from
Apr 25 12:13:08 2012 VPN Log packet from
Apr 25 12:13:08 2012 VPN Log packet from
Apr 25 12:13:08 2012 VPN Log (g2gips1) #2138: responding to Main Mode
Apr 25 12:13:08 2012 VPN Log (g2gips1) #2138: OAKLEY_AES_CBC is not enabled for this connection. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Apr 25 12:13:08 2012 VPN Log (g2gips1) #2138: OAKLEY_AES_CBC is not enabled for this connection. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Apr 25 12:13:08 2012 VPN Log (g2gips1) #2138: OAKLEY_IDEA_CBC is not enabled for this connection. Attribute OAKLEY_HASH_ALGORITHM
Apr 25 12:13:08 2012 VPN Log (g2gips1) #2138: OAKLEY_IDEA_CBC is not enabled for this connection. Attribute OAKLEY_HASH_ALGORITHM
Apr 25 12:13:08 2012 VPN Log (g2gips1) #2138: OAKLEY_DES_CBC is not enabled for this connection. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Apr 25 12:13:08 2012 VPN Log (g2gips1) #2138: OAKLEY_DES_CBC is not enabled for this connection. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Apr 25 12:13:08 2012 VPN Log (g2gips1) #2138: [Tunnel Negotiation Info] >>> Responder Send Main Mode 2nd packet
Apr 25 12:13:08 2012 VPN Log (g2gips1) #2138: [Tunnel Negotiation Info] >>> Responder Send Main Mode 2nd packet
Apr 25 12:13:08 2012 VPN Log (g2gips1) #2138: ignoring Vendor ID payload [Cisco-Unity]
Apr 25 12:13:08 2012 VPN Log (g2gips1) #2138: ignoring Vendor ID payload [Cisco-Unity]
Apr 25 12:13:08 2012 VPN Log (g2gips1) #2138: ignoring Vendor ID payload [XAUTH]
Apr 25 12:13:08 2012 VPN Log (g2gips1) #2138: ignoring Vendor ID payload [XAUTH]
Apr 25 12:13:08 2012 VPN Log (g2gips1) #2138: ignoring Vendor ID payload [25f19f524de238c5e36def6eba419b65]
Apr 25 12:13:08 2012 VPN Log (g2gips1) #2138: ignoring Vendor ID payload [25f19f524de238c5e36def6eba419b65]
Apr 25 12:13:08 2012 VPN Log (g2gips1) #2138: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Apr 25 12:13:08 2012 VPN Log (g2gips1) #2138: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Apr 25 12:13:08 2012 VPN Log (g2gips1) #2138: [Tunnel Negotiation Info] <<< Responder Received Main Mode 3rd packet
Apr 25 12:13:08 2012 VPN Log (g2gips1) #2138: [Tunnel Negotiation Info] <<< Responder Received Main Mode 3rd packet
Apr 25 12:13:08 2012 VPN Log (g2gips1) #2138: [Tunnel Negotiation Info] >>> Responder send Main Mode 4th packet
Apr 25 12:13:08 2012 VPN Log (g2gips1) #2138: [Tunnel Negotiation Info] >>> Responder send Main Mode 4th packet
Apr 25 12:13:08 2012 VPN Log (g2gips1) #2138: received Vendor ID payload [Dead Peer Detection]
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2138: received Vendor ID payload [Dead Peer Detection]
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2138: [Tunnel Negotiation Info] <<< Responder Received Main Mode 5th packet
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2138: [Tunnel Negotiation Info] <<< Responder Received Main Mode 5th packet
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2138: Peer ID is ID_IPV4_ADDR: '
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2138: [Tunnel Negotiation Info] >>> Responder Send Main Mode 6th packet
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2138: [Tunnel Negotiation Info] >>> Responder Send Main Mode 6th packet
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2138: [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2138: [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2138: sent MR3, ISAKMP SA established
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2138: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2138: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2138: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2138: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2139: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=1-1.
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2139: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=1-1.
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2139: responding to Quick Mode
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2139: [Tunnel Negotiation Info] Inbound SPI value = 3a8e85e2
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2139: [Tunnel Negotiation Info] Inbound SPI value = 3a8e85e2
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2139: [Tunnel Negotiation Info] Outbound SPI value = e4427e59
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2139: [Tunnel Negotiation Info] Outbound SPI value = e4427e59
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2139: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2139: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2139: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 3rd packet
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2139: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 3rd packet
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2139: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2139: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2139: IPsec SA established {ESP=>0xe4427e59 <0x3a8e85e2
04-25-2012 12:48 PM
What is the current status of your tunnel? Is it up or down?
It looks like the RV is getting a message to delete the SA:
Apr 25 12:13:04 2012 VPN Log (g2gips1) #2135: received Delete SA(0xb68751cd) payload: deleting IPSEC State #2136
Our router doesn't support the bandwidth lifetime setting as seen in your ASA config here:
crypto ipsec security-association lifetime kilobytes 4608000
= 450MB
Can you disable this setting, or do you know if you hit this bandwidth limit? The ASA would delete its IPsec SA and try to rekey, but the RV would wait until the 28800 expires, which is 8 hours.
Cisco Small Business Support Center
Randy Manthey
CCNA, CCNA - Security
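The correlation described in this reply, as an added example that is not part of the thread: it pairs each "received Delete SA" event in the RV082 log with the IPsec SA it removed and reports which SAs the RV082 still considers established. The log lines are copied from the posts above; the function name and the result layout are assumptions of the sketch.

```python
import re
from datetime import datetime

# Lines copied from the RV082 log in this thread, duplicates included.
LOG = """\
Apr 25 04:34:23 2012 VPN Log (g2gips0) #2126: received Delete SA(0x5d1033a3) payload: deleting IPSEC State #2127
Apr 25 04:34:23 2012 VPN Log (g2gips0) #2126: received Delete SA(0x5d1033a3) payload: deleting IPSEC State #2127
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2136: sent QI2, IPsec SA established {ESP=>0xb68751cd <0xa3811a38
Apr 25 12:13:03 2012 VPN Log (g2gips1) #2137: sent QI2, IPsec SA established {ESP=>0xd64d6af1 <0x405d2a04
Apr 25 12:13:04 2012 VPN Log (g2gips1) #2135: received Delete SA(0xb68751cd) payload: deleting IPSEC State #2136
Apr 25 12:13:04 2012 VPN Log (g2gips1) #2135: received Delete SA(0xb68751cd) payload: deleting IPSEC State #2136
Apr 25 12:13:09 2012 VPN Log (g2gips1) #2139: IPsec SA established {ESP=>0xe4427e59 <0x3a8e85e2
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d \d{4}) VPN Log \((\S+)\) #(\d+): (.*)$")
ESTABLISHED = re.compile(r"IPsec SA established \{ESP=>0x([0-9a-f]+) <0x([0-9a-f]+)")
DELETED = re.compile(r"received Delete SA\(0x([0-9a-f]+)\) payload: deleting IPSEC State #(\d+)")


def correlate(log):
    """Match peer-initiated SA deletions to the SAs established earlier in the log."""
    sas = {}         # IPsec state number -> record of the established SA
    deletions = []
    previous = None
    for raw in log.splitlines():
        line = raw.strip()
        if line == previous:      # the RV082 writes most events twice
            continue
        previous = line
        m = LINE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
        tunnel, state, msg = m.group(2), int(m.group(3)), m.group(4)
        if e := ESTABLISHED.search(msg):
            # SPIs are compared as integers because the log prints them with
            # and without zero padding (de0c34e vs 0x0de0c34e).
            sas[state] = {"up": when,
                          "out_spi": int(e.group(1), 16),
                          "in_spi": int(e.group(2), 16)}
        elif d := DELETED.search(msg):
            spi, target = int(d.group(1), 16), int(d.group(2))
            sa = sas.pop(target, None)   # None: established before this excerpt
            deletions.append({
                "tunnel": tunnel,
                "state": target,
                "spi": f"0x{spi:08x}",
                "via_isakmp": state,
                # The peer deletes its inbound SA, which is our outbound SPI.
                "matches_outbound": sa is not None and sa["out_spi"] == spi,
                "age_seconds": None if sa is None
                               else int((when - sa["up"]).total_seconds()),
            })
    return {"deleted": deletions, "alive": sorted(sas)}


if __name__ == "__main__":
    result = correlate(LOG)
    for item in result["deleted"]:
        print(item)
    print("still established on the RV082:", result["alive"])
```

An `age_seconds` of `None` means the SA was established before the excerpt begins, so its lifetime cannot be measured from these lines alone.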
04-25-2012 01:23 PM
Hello Randy,
Current status of tunnel is up. During the day people get very upset if it's down for more than 5 minutes.
I will remove the lifetime associated with transfer rates tonight and see if that helps any.
04-26-2012 03:12 AM
Hello Randy,
I am getting the same kind of result after removing the lifetime for bytes.
19:18 was when I removed the lifetime
tunnel collapse happened about 02:50
(From ASA)
4 IKE Peer:
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
show crypto ipsec sa
again no information associated with the tunnel
(From RV)
Apr 25 19:18:10 2012 VPN Log (g2gips0) #2158: [Tunnel Negotiation Info] >>> Responder send Main Mode 4th packet
Apr 25 19:18:10 2012 VPN Log (g2gips0) #2158: [Tunnel Negotiation Info] >>> Responder send Main Mode 4th packet
Apr 25 19:19:20 2012 VPN Log (g2gips0) #2158: max number of retransmissions (2) reached STATE_MAIN_R2
Apr 25 19:19:20 2012 VPN Log (g2gips0) #2158: max number of retransmissions (2) reached STATE_MAIN_R2
Apr 26 02:52:47 2012 System Log HTTP Basic authentication success for user: admin
Apr 26 03:03:59 2012 VPN Log (g2gips1): terminating SAs using this connection
Apr 26 03:03:59 2012 VPN Log (g2gips1) #2155: deleting state (STATE_QUICK_I2)
Apr 26 03:03:59 2012 VPN Log (g2gips1) #2154: deleting state (STATE_MAIN_I4)
Apr 26 03:03:59 2012 VPN Log (g2gips1) #2159: initiating Main Mode
Apr 26 03:03:59 2012 VPN Log (g2gips1) #2159: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Apr 26 03:03:59 2012 VPN Log (g2gips1) #2159: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Apr 26 03:03:59 2012 VPN Log (g2gips1) #2159: ignoring Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
Apr 26 03:03:59 2012 VPN Log (g2gips1) #2159: ignoring Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
Apr 26 03:03:59 2012 VPN Log (g2gips1) #2159: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet
Apr 26 03:03:59 2012 VPN Log (g2gips1) #2159: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet
Apr 26 03:03:59 2012 VPN Log (g2gips1) #2159: [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2159: [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2159: ignoring Vendor ID payload [Cisco-Unity]
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2159: ignoring Vendor ID payload [Cisco-Unity]
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2159: ignoring Vendor ID payload [XAUTH]
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2159: ignoring Vendor ID payload [XAUTH]
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2159: ignoring Vendor ID payload [73e2f21aa703240dbf2899e6342d5019]
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2159: ignoring Vendor ID payload [73e2f21aa703240dbf2899e6342d5019]
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2159: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2159: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2159: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2159: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2159: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2159: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2159: received Vendor ID payload [Dead Peer Detection]
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2159: received Vendor ID payload [Dead Peer Detection]
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2159: [Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2159: [Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2159: Peer ID is ID_IPV4_ADDR: '
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2159: [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2159: [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2159: ISAKMP SA established
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2160: initiating Quick Mode PSK+ENCRYPT+TUNNEL {using isakmp#2159}
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2160: [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2160: [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2160: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2160: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2160: [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2160: [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2160: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=1-1.
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2160: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=1-1.
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2160: [Tunnel Negotiation Info] Inbound SPI value = 49fb7769
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2160: [Tunnel Negotiation Info] Inbound SPI value = 49fb7769
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2160: [Tunnel Negotiation Info] Outbound SPI value = de0c34e
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2160: [Tunnel Negotiation Info] Outbound SPI value = de0c34e
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2160: [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2160: [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2160: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2160: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Apr 26 03:04:00 2012 VPN Log (g2gips1) #2160: sent QI2, IPsec SA established {ESP=>0x0de0c34e <0x49fb7769
Apr 26 03:04:05 2012 VPN Log packet from
Apr 26 03:04:05 2012 VPN Log packet from
Apr 26 03:04:05 2012 VPN Log packet from
Apr 26 03:04:05 2012 VPN Log packet from
Apr 26 03:04:05 2012 VPN Log packet from
Apr 26 03:04:05 2012 VPN Log packet from
Apr 26 03:04:05 2012 VPN Log packet from
Apr 26 03:04:05 2012 VPN Log packet from
Apr 26 03:04:05 2012 VPN Log packet from
Apr 26 03:04:05 2012 VPN Log packet from
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: responding to Main Mode
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: OAKLEY_AES_CBC is not enabled for this connection. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: OAKLEY_AES_CBC is not enabled for this connection. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: OAKLEY_IDEA_CBC is not enabled for this connection. Attribute OAKLEY_HASH_ALGORITHM
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: OAKLEY_IDEA_CBC is not enabled for this connection. Attribute OAKLEY_HASH_ALGORITHM
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: OAKLEY_DES_CBC is not enabled for this connection. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: OAKLEY_DES_CBC is not enabled for this connection. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: [Tunnel Negotiation Info] >>> Responder Send Main Mode 2nd packet
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: [Tunnel Negotiation Info] >>> Responder Send Main Mode 2nd packet
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: ignoring Vendor ID payload [Cisco-Unity]
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: ignoring Vendor ID payload [Cisco-Unity]
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: ignoring Vendor ID payload [XAUTH]
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: ignoring Vendor ID payload [XAUTH]
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: ignoring Vendor ID payload [e1a78b672bb02bdb0be76dea8648fbd9]
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: ignoring Vendor ID payload [e1a78b672bb02bdb0be76dea8648fbd9]
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: [Tunnel Negotiation Info] <<< Responder Received Main Mode 3rd packet
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: [Tunnel Negotiation Info] <<< Responder Received Main Mode 3rd packet
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: [Tunnel Negotiation Info] >>> Responder send Main Mode 4th packet
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: [Tunnel Negotiation Info] >>> Responder send Main Mode 4th packet
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: received Vendor ID payload [Dead Peer Detection]
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: received Vendor ID payload [Dead Peer Detection]
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: [Tunnel Negotiation Info] <<< Responder Received Main Mode 5th packet
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: [Tunnel Negotiation Info] <<< Responder Received Main Mode 5th packet
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: Peer ID is ID_IPV4_ADDR: '
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: [Tunnel Negotiation Info] >>> Responder Send Main Mode 6th packet
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: [Tunnel Negotiation Info] >>> Responder Send Main Mode 6th packet
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: sent MR3, ISAKMP SA established
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2161: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2162: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=1-1.
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2162: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=1-1.
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2162: responding to Quick Mode
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2162: [Tunnel Negotiation Info] Inbound SPI value = 529a5ff9
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2162: [Tunnel Negotiation Info] Inbound SPI value = 529a5ff9
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2162: [Tunnel Negotiation Info] Outbound SPI value = eb9e4a76
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2162: [Tunnel Negotiation Info] Outbound SPI value = eb9e4a76
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2162: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2162: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2162: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 3rd packet
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2162: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 3rd packet
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2162: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2162: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Apr 26 03:04:05 2012 VPN Log (g2gips1) #2162: IPsec SA established {ESP=>0xeb9e4a76 <0x529a5ff9
05-08-2012 01:10 PM
The final solution to this was to take the router to factory defaults again and rebuild the VPN tunnels. I am not sure what could be kept as a flag on the RV082, but a factory reset was really the solution.