cisco asa 5510 and zyxel ZyWALL 35 ipsec s2s disconnect problem

Peter Handke
Level 1

Hi

I have an ASA and a Zyxel connected via IPsec S2S. The problem is with disconnecting. Traffic originates from the Zyxel site to the ASA site. After the tunnel hangs up we have to turn on the tunnel by hand on the Zyxel site. It happens a few times per day. The quality of the Internet connection is OK. I changed a few settings but without success. On the Cisco site I have ca. 30 other S2S tunnels to different countries and all are OK. On the Zyxel site I have 1 extra VPN. It works OK. Below are my config and logs. I'll be very grateful for help.

regards

Peter

asa 5510 8.2

zyxel :

Model ZyWALL 35

Bootbase Version V1.07 | 03/23/2004

Firmware Version V4.04(WZ.8) | 02/11/2010

cisco conf :

IKE Peer: 6.6.6.194

Type   : L2L             Role   : responder

Rekey   : no             State   : MM_ACTIVE

Encrypt : 3des           Hash   : SHA

Auth   : preshared       Lifetime: 86400

crypto ipsec transform-set tunel esp-3des esp-sha-hmac

crypto map outside_map 67 match address acl-67-xxx

crypto map outside_map 67 set pfs

crypto map outside_map 67 set peer 6.6.6.194

crypto map outside_map 67 set transform-set tunel

crypto map outside_map 67 set security-association lifetime seconds 86400

p1:

psk

Negotiation Mode main             

Encryption Algorithm 3des        

Authentication Algorithm sha1

SA Life Time (Seconds) 86400   

Key Group dh2

Enable Multiple Proposals

p2:

active

nailed-up

Encapsulation Mode tunnel      

Active Protocol esp      

Encryption Algorithm 3des        

Authentication Algorithm sha1

SA Life Time (Seconds) 86400   

Perfect Forward Secrecy (PFS) dh2

Cisco errors when the tunnel hangs up:

Session disconnected. Session Type: IKE, Duration: 0h:00m:06s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested

Session disconnected. Session Type: IKE, Duration: 0h:00m:05s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested

zyxel errors:

2012-08-06 13:39:39 Rule [2n-vpn-172-2-1-0] delete successfully IKE

2012-08-06 13:39:39 The SPI and sequence number are : 0xA8A434B6 / 372 IKE

2012-08-06 13:39:39 Rule [2n-vpn-172-2-1-0] idle time out, disconnect 7.7.7.7.194 6.6.6.182 IPSEC

2012-08-06 13:39:39 The SPI and sequence number are : 0xA8A434B6 / 372 7.7.7.7.194 6.6.6.182 IPSEC

2012-08-06 13:39:32 Firewall session time out, sent TCP RST 192.168.2.43:54151 172.27.104.207:139 TCP RST

2012-08-06 13:39:28 Send:[HASH][DEL] 7.7.7.7.194 6.6.6.182 IKE

2012-08-06 13:39:28 The cookie pair is : 0xF51036F015A5CDC0 / 0xF650FB62C6E4F1CE 7.7.7.7.194 6.6.6.182 IKE

2012-08-06 13:39:28 Send:[HASH][DEL] 7.7.7.7.194 6.6.6.182 IKE

2012-08-06 13:39:28 The cookie pair is : 0xF51036F015A5CDC0 / 0xF650FB62C6E4F1CE 7.7.7.7.194 6.6.6.182 IKE

2012-08-06 13:39:28 Recv:[HASH][NOTFY:ERR_SPI ] 6.6.6.182 7.7.7.7.194 IKE

2012-08-06 13:39:28 The cookie pair is : 0xF51036F015A5CDC0 / 0xF650FB62C6E4F1CE 6.6.6.182 7.7.7.7.194 IKE

2012-08-06 13:39:28 Firewall session time out, sent TCP RST 192.168.2.43:54150 172.27.104.207:445 TCP RST

2012-08-06 13:39:22 Rule [2n-vpn-172-2-1-0] Tunnel built successfully 7.7.7.7.194 6.6.6.182 IKE

2012-08-06 13:39:22 The cookie pair is : 0xF51036F015A5CDC0 / 0xF650FB62C6E4F1CE 7.7.7.7.194 6.6.6.182 IKE

2012-08-06 13:39:22 Send:[HASH] 7.7.7.7.194 6.6.6.182 IKE

2012-08-06 13:39:22 The cookie pair is : 0xF51036F015A5CDC0 / 0xF650FB62C6E4F1CE 7.7.7.7.194 6.6.6.182 IKE

2012-08-06 13:39:22 Recv:[HASH][SA][NONCE][KE][ID][ID] 6.6.6.182 7.7.7.7.194 IKE

2012-08-06 13:39:22 The cookie pair is : 0xF51036F015A5CDC0 / 0xF650FB62C6E4F1CE 6.6.6.182 7.7.7.7.194 IKE

2012-08-06 13:39:22 Send:[HASH][SA][NONCE][KE][ID][ID] 7.7.7.7.194 6.6.6.182 IKE

2012-08-06 13:39:22 The cookie pair is : 0xF51036F015A5CDC0 / 0xF650FB62C6E4F1CE 7.7.7.7.194 6.6.6.182 IKE

2012-08-06 13:39:22 Phase 1 IKE SA process done 7.7.7.7.194 6.6.6.182 IKE

2012-08-06 13:39:22 The cookie pair is : 0xF51036F015A5CDC0 / 0xF650FB62C6E4F1CE 7.7.7.7.194 6.6.6.182 IKE

2012-08-06 13:39:22 Recv:[ID][HASH] 6.6.6.182 7.7.7.7.194 IKE

2012-08-06 13:39:22 The cookie pair is : 0xF51036F015A5CDC0 / 0xF650FB62C6E4F1CE 6.6.6.182 7.7.7.7.194 IKE

2012-08-06 13:39:22 Send:[ID][HASH] 7.7.7.7.194 6.6.6.182 IKE

2012-08-06 13:39:22 The cookie pair is : 0xF51036F015A5CDC0 / 0xF650FB62C6E4F1CE 7.7.7.7.194 6.6.6.182 IKE

2012-08-06 13:39:22 Recv:[KE][NONCE][VID][VID][VID][VID 6.6.6.182 7.7.7.7.194 IKE

2012-08-06 13:39:22 The cookie pair is : 0xF51036F015A5CDC0 / 0xF650FB62C6E4F1CE 6.6.6.182 7.7.7.7.194 IKE

2012-08-06 13:39:22 SMTP fail (Trying to send another mail now, please wait.)

2012-08-06 13:39:22 IKE Negotiation is in process 7.7.7.7.194 6.6.6.182 IKE

2012-08-06 13:39:22 The cookie pair is : 0xF51036F015A5CDC0 / 0xF650FB62C6E4F1CE 7.7.7.7.194 6.6.6.182 IKE

2012-08-06 13:39:22 Send:[KE][NONCE] 7.7.7.7.194 6.6.6.182 IKE

2012-08-06 13:39:22 The cookie pair is : 0xF51036F015A5CDC0 / 0xF650FB62C6E4F1CE 7.7.7.7.194 6.6.6.182 IKE

2012-08-06 13:39:22 Recv:[SA][VID] 6.6.6.182 7.7.7.7.194 IKE

2012-08-06 13:39:22 The cookie pair is : 0xF51036F015A5CDC0 / 0xF650FB62C6E4F1CE 6.6.6.182 7.7.7.7.194 IKE

2012-08-06 13:39:21 Send:[SA][VID][VID] 7.7.7.7.194 6.6.6.182 IKE

2012-08-06 13:39:21 The cookie pair is : 0xF51036F015A5CDC0 / 0x0000000000000000 7.7.7.7.194 6.6.6.182 IKE

2012-08-06 13:39:21 Send Main Mode request to [6.6.6.182] 7.7.7.7.194 6.6.6.182 IKE

2012-08-06 13:39:21 Rule [VPN-Polen-Krakau] Sending IKE request 7.7.7.7.194 6.6.6.182 IKE

2012-08-06 13:39:21 The cookie pair is : 0xF51036F015A5CDC0 / 0x0000000000000000 7.7.7.7.194 6.6.6.182 IKE
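
An added example, not part of the original post: a small Python parser that puts ZyWALL log lines like the ones above into chronological order and measures how long the tunnel stayed up before the ZyWALL sent its delete, for comparison with the Duration field of the ASA message. The event labels and function names are made up for this example; the sample lines are copied from the post with wrapped lines rejoined.

```python
import re
from datetime import datetime

# Constructed sample: lines copied from the ZyWALL log in the post (newest
# first, wrapped lines rejoined) plus one of the ASA lines.
ZYXEL_LOG = """\
2012-08-06 13:39:39 Rule [2n-vpn-172-2-1-0] idle time out, disconnect 7.7.7.7.194 6.6.6.182 IPSEC
2012-08-06 13:39:28 Send:[HASH][DEL] 7.7.7.7.194 6.6.6.182 IKE
2012-08-06 13:39:28 The cookie pair is : 0xF51036F015A5CDC0 / 0xF650FB62C6E4F1CE 7.7.7.7.194 6.6.6.182 IKE
2012-08-06 13:39:28 Recv:[HASH][NOTFY:ERR_SPI ] 6.6.6.182 7.7.7.7.194 IKE
2012-08-06 13:39:22 Rule [2n-vpn-172-2-1-0] Tunnel built successfully 7.7.7.7.194 6.6.6.182 IKE
"""
ASA_LINE = ("Session disconnected. Session Type: IKE, Duration: 0h:00m:06s, "
            "Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested")

STAMP = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
EVENTS = [  # labels chosen for this example, matched against the message text
    ("TUNNEL_BUILT", re.compile(r"Tunnel built successfully")),
    ("NOTIFY_RECV", re.compile(r"Recv:.*\[NOTFY:\s*(\w+)")),
    ("DELETE_SENT", re.compile(r"Send:.*\[DEL\]")),
    ("IDLE_TIMEOUT", re.compile(r"idle time out")),
]

def timeline(log_text):  # -> [(datetime, event, detail)], oldest first
    out = []
    for line in reversed(log_text.splitlines()):  # the log lists newest first
        m = STAMP.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        for name, rx in EVENTS:
            hit = rx.search(m.group(2))
            if hit:
                out.append((ts, name, hit.group(1) if hit.groups() else ""))
                break  # lines matching no pattern (cookie pairs) are skipped
    return out

def seconds_up(events):  # seconds from TUNNEL_BUILT to the next DELETE_SENT
    built = None
    for ts, name, _ in events:
        if name == "TUNNEL_BUILT":
            built = ts
        elif name == "DELETE_SENT" and built is not None:
            return int((ts - built).total_seconds())
    return None

def asa_duration_seconds(line):  # 'Duration: 0h:00m:06s' -> 6, None if absent
    m = re.search(r"Duration: (\d+)h:(\d+)m:(\d+)s", line)
    return None if not m else int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3])
```

Reversing the input keeps the order of events that share a one-second timestamp, so the received ERR_SPI notify is listed before the delete that follows it in the log.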
