Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8297
Views
0
Helpful
5
Replies

RV320 VPN Connection - ignoring Delete SA payload: PROTO_IPSEC_ESP SA

krzysztof.blazowski1
Level 1
Level 1

‎04-03-2015 01:33 AM

I have RV320 (Serial Number: NKS17161863 Firmware Version: v1.1.1.19 (2014-12-01, 12:38:04)) 
and Two RV130:
RV130 #1 
System Name: router8E6AAF
Firmware Version: 1.0.1.3
Serial Number: CCQ18391LCX
 
RV130 # 2
System Name: router8E6A58
Firmware Version: 1.0.1.3
Serial Number: CCQ18391LC4
 
The VPN Server is RV320 and the setting is
 
 
The Settings on RV130’s is:
 
And Log is sending me errors 
 
2015-04-03, 11:10:19 VPN Log [g2gips2] #361: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0xd2c697fd < 0xc996e19a}
 
2015-04-03, 11:12:34 VPN Log [g2gips0] #362: [Tunnel Established] ISAKMP SA established
 
2015-04-03, 11:26:04 ALLOW UDP 91.196.8.139:500 -> 95.51.168.122:500 on eth2
 
2015-04-03, 11:26:04 VPN Log [g2gips0] #363: [Tunnel Established] IPsec SA established {ESP=>0x33533382 < 0xc3fbe46e}
 
2015-04-03, 11:26:04 VPN Log [g2gips0] #362: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x96a8668e) not found (maybe expired)
 
I thing the last Record is the problem. Can you help me?
 
 
 
6 people had this problem
Labels:
0 Helpful
5 Replies 5

krzysztof.blazowski1
Level 1
Level 1

‎04-03-2015 02:15 AM

and The RV320 is sending me still 

 
Apr  3 11:46:08 2015 globalomax VPN Log: [g2gips2] #364: [Tunnel Established] ISAKMP SA established

Apr  3 11:46:34 2015 globalomax VPN Log: [g2gips2] #364: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xbe275da3) not found (maybe expired)

Apr  3 12:09:02 2015 globalomax VPN Log: [g2gips2] #365: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0x6ab287ba < 0xca70c778}

Apr  3 12:09:02 2015 globalomax VPN Log: [g2gips2] #364: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xd2c697fd) not found (maybe expired)

Apr  3 12:12:34 2015 globalomax ALLOW UDP 91.196.8.139:500 -> 95.51.168.122:500 on eth2
0 Helpful

fgams3013526789
Level 1
Level 1
In response to krzysztof.blazowski1

‎04-14-2015 01:45 PM

I have the same problem, but with a RV325 and three RV320.

Everything was working fine and then today, started getting this error. Did you find a solution for this?

0 Helpful

jacobfranksdetail
Level 1
Level 1
In response to fgams3013526789

‎04-14-2015 02:06 PM

I hate to say "me too", but I'm also having the same problem. Firmware v1.1.1.19. Two RV320s and one RV325. Using NAT (NAT Traversal turned on).

When this error occurs dead peer detection doesn't seem to catch it, both sides show the tunnel as up (but it's not working) and the only fix is to re-connect the tunnel manually.

Sometimes just pinging the "dead" tunnel causes the units to reboot. The system log is useless unless you count helpful messages like "Kernel : protocol 0800 is buggy, dev eth0" repeated over and over.

It's very frustrating, I'm about ready to give up these devices.

0 Helpful

fgams3013526789
Level 1
Level 1
In response to jacobfranksdetail

‎04-16-2015 10:13 PM

I found an answer.

 

The message is informational in nature and is not the cause of any problems. the routers run Linux and use the open source codebase....

 

"When an IPsec SA is about to expire *swan sends a delete SA notification
to the peer. Since the same IPsec SA is also about to expire on the
peer side, often the peer is a little faster and has already deleted
the IPsec SA itself. Thus when the delete SA message arrives, the IPsec SA
doesn't exist anymore and the warning below is issued in the log.

If you want to study the SA renewal and deletion mechanism in detail
you can do this by activating the following debug option

   ipsec whack --debug-lifecycle"

 

https://lists.openswan.org/pipermail/users/2004-September/002128.html

 

In my case, the ISP is Comcast and they were filtering UDP packets, causing the issue. A call to their business tech support and an explanation of our need to use an IPSEC VPN  tunnel which uses UDP resolved the problem.

The Cisco VPN routers (RV325 & RV320) work great and I haven't had any problems since. There is excellent tech support from Cisco, you just have to follow their procedures and register the serial numbers of your devices. They helped me even without a service contract, but I purchased one anyway. It's only $56 for a 3 year support agreement at CDW.

Hope that helps.

0 Helpful

fgams3013526789
Level 1
Level 1
In response to fgams3013526789

‎04-16-2015 10:15 PM

p.s. a 3 year support contract is only $56 from CDW...

0 Helpful
Customers Also Viewed These Support Documents