VPN Tunnel terminates shortly after phase 1 rekey event

tomvanleeuwen
Level 1

Hi,

I have a site-to-site VPN with a customer. I have an ASA 5520 (8.4(1)) in active/standby and they have a Checkpoint R65.

The configuration on my side is:

access-list encdom_acl extended permit ip host 10.0.0.1 host 1.1.1.1
access-list encdom_acl extended permit ip host 10.10.0.1 host 1.1.1.1
access-list encdom_acl extended permit ip host 10.20.0.1 host 1.1.1.1
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 102 match address encdom_acl
crypto map outside_map 102 set pfs
crypto map outside_map 102 set peer 1.1.1.1
crypto map outside_map 102 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 102 set security-association lifetime seconds 3600
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key cisco123
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

We've checked whether the phase 1 and phase 2 lifetimes are the same and they are. Traffic flows correctly until shortly after a rekeying event. The debug log says the following:

Aug  1 20:46:24 vpnbox %ASA-7-713906: IP = 1.1.1.1, Starting phase 1 rekey

Aug  1 20:46:24 vpnbox %ASA-5-713041: IP = 1.1.1.1, IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer 1.1.1.1  local Proxy Address 0.0.0.0, remote Proxy Address 0.0.0.0,  Crypto map (N/A)

Aug  1 20:46:24 vpnbox %ASA-7-720041: (VPN-Primary) Sending Phase 1 Rekey message (type L2L, remote addr 1.1.1.1, my cookie A8DB5D02, his cookie 0C6812B0) to standby unit

Aug  1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing ISAKMP SA payload

Aug  1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing NAT-Traversal VID ver 02 payload

Aug  1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing NAT-Traversal VID ver 03 payload

Aug  1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing NAT-Traversal VID ver RFC payload

Aug  1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing Fragmentation VID + extended capabilities payload

Aug  1 20:46:24 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168

Aug  1 20:46:24 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128

Aug  1 20:46:24 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing SA payload

Aug  1 20:46:24 vpnbox %ASA-7-713906: IP = 1.1.1.1, Oakley proposal is acceptable

Aug  1 20:46:24 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing VID payload

Aug  1 20:46:24 vpnbox %ASA-7-715049: IP = 1.1.1.1, Received NAT-Traversal RFC VID

Aug  1 20:46:24 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing VID payload

Aug  1 20:46:24 vpnbox %ASA-7-715049: IP = 1.1.1.1, Received Fragmentation VID

Aug  1 20:46:24 vpnbox %ASA-7-715064: IP = 1.1.1.1, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False

Aug  1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing ke payload

Aug  1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing nonce payload

Aug  1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing Cisco Unity VID payload

Aug  1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing xauth V6 VID payload

Aug  1 20:46:24 vpnbox %ASA-7-715048: IP = 1.1.1.1, Send IOS VID

Aug  1 20:46:24 vpnbox %ASA-7-715038: IP = 1.1.1.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)

Aug  1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing VID payload

Aug  1 20:46:24 vpnbox %ASA-7-715048: IP = 1.1.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Aug  1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing NAT-Discovery payload

Aug  1 20:46:24 vpnbox %ASA-7-713906: IP = 1.1.1.1, computing NAT Discovery hash

Aug  1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing NAT-Discovery payload

Aug  1 20:46:24 vpnbox %ASA-7-713906: IP = 1.1.1.1, computing NAT Discovery hash

Aug  1 20:46:24 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304

Aug  1 20:46:24 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 228

Aug  1 20:46:24 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing ke payload

Aug  1 20:46:24 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing ISA_KE payload

Aug  1 20:46:24 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing nonce payload

Aug  1 20:46:24 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing NAT-Discovery payload

Aug  1 20:46:24 vpnbox %ASA-7-713906: IP = 1.1.1.1, computing NAT Discovery hash

Aug  1 20:46:24 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing NAT-Discovery payload

Aug  1 20:46:24 vpnbox %ASA-7-713906: IP = 1.1.1.1, computing NAT Discovery hash

Aug  1 20:46:24 vpnbox %ASA-7-713906: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1

Aug  1 20:46:24 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, Generating keys for Initiator...

Aug  1 20:46:24 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing ID payload

Aug  1 20:46:24 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing hash payload

Aug  1 20:46:24 vpnbox %ASA-7-715076: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP

Aug  1 20:46:24 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing dpd vid payload

Aug  1 20:46:24 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84

Aug  1 20:46:24 vpnbox %ASA-6-713172: Group = 1.1.1.1, IP = 1.1.1.1, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device

Aug  1 20:46:24 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64

Aug  1 20:46:24 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload

Aug  1 20:46:24 vpnbox %ASA-7-714011: Group = 1.1.1.1, IP = 1.1.1.1, ID_IPV4_ADDR ID received#0121.1.1.1

Aug  1 20:46:24 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload

Aug  1 20:46:24 vpnbox %ASA-7-715076: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP

Aug  1 20:46:24 vpnbox %ASA-7-713906: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1

Aug  1 20:46:24 vpnbox %ASA-5-713119: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 1 COMPLETED

Aug  1 20:46:24 vpnbox %ASA-7-713121: IP = 1.1.1.1, Keep-alive type for this connection: None

Aug  1 20:46:24 vpnbox %ASA-3-713122: IP = 1.1.1.1, Keep-alives configured on but peer does not support keep-alives (type = None)

Aug  1 20:46:24 vpnbox %ASA-7-715080: Group = 1.1.1.1, IP = 1.1.1.1, Starting P1 rekey timer: 48600 seconds.

Aug  1 20:46:24 vpnbox %ASA-7-720041: (VPN-Primary) Sending Phase 1 Rekey OK message (type L2L, remote addr 1.1.1.1, my cookie B92A6170, his cookie EF8B3D1F) to standby unit

Aug  1 20:46:33 vpnbox %ASA-7-715036: Group = 1.1.1.1, IP = 1.1.1.1, Sending keep-alive of type DPD R-U-THERE (seq number 0x7adaba4f)

Aug  1 20:46:33 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload

Aug  1 20:46:33 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload

Aug  1 20:46:33 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=65bde8ed) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Aug  1 20:46:34 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=8a001f32) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Aug  1 20:46:34 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload

Aug  1 20:46:34 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing notify payload

Aug  1 20:46:34 vpnbox %ASA-7-715075: Group = 1.1.1.1, IP = 1.1.1.1, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x7adaba4f)

Aug  1 20:46:35 vpnbox %ASA-6-302013: Built inbound TCP connection 21457260 for outside:1.1.1.1/38303 (10.32.0.15/38303) to inside:10.10.0.1/80 (10.10.0.1/80)

Aug  1 20:46:35 vpnbox %ASA-6-302013: Built inbound TCP connection 21457261 for outside:1.1.1.1/40618 (10.32.0.15/40618) to inside:10.10.0.1/443 (10.10.0.1/443)

Aug  1 20:46:36 vpnbox %ASA-6-302014: Teardown TCP connection 21457260 for outside:1.1.1.1/38303 to inside:10.10.0.1/80 duration 0:00:00 bytes 13404 TCP FINs

Aug  1 20:46:36 vpnbox %ASA-6-302014: Teardown TCP connection 21457261 for outside:1.1.1.1/40618 to inside:10.10.0.1/443 duration 0:00:00 bytes 19272 TCP FINs

Aug  1 20:46:43 vpnbox %ASA-6-302013: Built inbound TCP connection 21457273 for outside:1.1.1.1/40621 (10.32.0.15/40621) to inside:10.10.0.1/443 (10.10.0.1/443)

Aug  1 20:46:44 vpnbox %ASA-6-302014: Teardown TCP connection 21457273 for outside:1.1.1.1/40621 to inside:10.10.0.1/443 duration 0:00:00 bytes 6404 TCP FINs

Aug  1 20:46:46 vpnbox %ASA-6-302013: Built inbound TCP connection 21457290 for outside:1.1.1.1/38310 (10.32.0.15/38310) to inside:10.10.0.1/80 (10.10.0.1/80)

Aug  1 20:46:46 vpnbox %ASA-6-302014: Teardown TCP connection 21457290 for outside:1.1.1.1/38310 to inside:10.10.0.1/80 duration 0:00:00 bytes 666 TCP FINs

Aug  1 20:47:03 vpnbox %ASA-7-715036: Group = 1.1.1.1, IP = 1.1.1.1, Sending keep-alive of type DPD R-U-THERE (seq number 0x7adaba50)

Aug  1 20:47:03 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload

Aug  1 20:47:03 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload

Aug  1 20:47:03 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=2ca4f44d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Aug  1 20:47:03 vpnbox %ASA-7-720041: (VPN-Primary) Sending Phase 1 SA Expired message (type L2L, remote addr 1.1.1.1, my cookie A8DB5D02, his cookie 0C6812B0) to standby unit

Aug  1 20:47:03 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, IKE SA MM:a8db5d02 terminating:  flags 0x01000006, refcnt 0, tuncnt 0

Aug  1 20:47:03 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, sending delete/delete with reason message

Aug  1 20:47:03 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload

Aug  1 20:47:03 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing IKE delete payload

Aug  1 20:47:03 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload

Aug  1 20:47:03 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=c7f1471b) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

Aug  1 20:47:03 vpnbox %ASA-7-720041: (VPN-Primary) Sending Phase 1 Activate SA message (type L2L, remote addr 1.1.1.1, my cookie B92A6170, his cookie EF8B3D1F) to standby unit

Aug  1 20:47:03 vpnbox %ASA-5-713904: IP = 1.1.1.1, Received encrypted packet with no matching SA, dropping

Aug  1 20:47:03 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=c7d335d0) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68

Aug  1 20:47:03 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload

Aug  1 20:47:03 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, processing delete

Aug  1 20:47:03 vpnbox %ASA-5-713050: Group = 1.1.1.1, IP = 1.1.1.1, Connection terminated for peer 1.1.1.1.  Reason: Peer Terminate  Remote Proxy 10.10.0.1, Local Proxy 1.1.1.1

Aug  1 20:47:03 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, Active unit receives a delete event for remote peer 1.1.1.1.#012

Aug  1 20:47:03 vpnbox %ASA-7-715009: Group = 1.1.1.1, IP = 1.1.1.1, IKE Deleting SA: Remote Proxy 1.1.1.1, Local Proxy 10.10.0.1

Aug  1 20:47:03 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, IKE SA MM:b92a6170 rcv'd Terminate: state MM_ACTIVE  flags 0x00000062, refcnt 1, tuncnt 0

Aug  1 20:47:03 vpnbox %ASA-7-720041: (VPN-Primary) Sending Phase 1 Terminate message (type L2L, remote addr 1.1.1.1, my cookie B92A6170, his cookie EF8B3D1F) to standby unit

Aug  1 20:47:03 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, IKE SA MM:b92a6170 terminating:  flags 0x01000022, refcnt 0, tuncnt 0

Aug  1 20:47:03 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, sending delete/delete with reason message

Aug  1 20:47:03 vpnbox %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x0359CA26) between 2.2.2.2 and 1.1.1.1 (user= 1.1.1.1) has been deleted.

Aug  1 20:47:03 vpnbox %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x1D4EF868) between 1.1.1.1 and 2.2.2.2 (user= 1.1.1.1) has been deleted.

Aug  1 20:47:03 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload

Aug  1 20:47:03 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing IKE delete payload

Aug  1 20:47:03 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload

Aug  1 20:47:03 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=cbecc104) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

Aug  1 20:47:04 vpnbox %ASA-5-713259: Group = 1.1.1.1, IP = 1.1.1.1, Session is being torn down. Reason: User Requested

Aug  1 20:47:04 vpnbox %ASA-4-113019: Group = 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session Type: LAN-to-LAN, Duration: 13h:30m:39s, Bytes xmt: 65322487, Bytes rcv: 6843774, Reason: User Requested

Aug  1 20:47:05 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:47:07 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:47:10 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:47:10 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:47:11 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:47:11 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:47:12 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:47:14 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:47:16 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:47:37 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:47:40 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:47:40 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:47:40 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:47:41 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:47:41 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:47:42 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:47:46 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:47:49 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:48:10 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:48:10 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:48:10 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:48:11 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:48:11 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:48:12 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:48:13 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:48:19 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:48:22 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:48:40 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:48:40 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:48:41 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:48:41 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:48:42 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:48:43 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:48:45 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:48:52 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:48:54 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:49:06 vpnbox %ASA-6-302016: Teardown UDP connection 21446435 for outside:1.1.1.1/500 to identity:2.2.2.2/500 duration 1:00:01 bytes 24976

Aug  1 20:49:06 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 13:32:38

Aug  1 20:49:07 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1

Aug  1 20:49:07 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00

Aug  1 20:49:09 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1

Aug  1 20:49:09 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00

Aug  1 20:49:10 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:49:10 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1

Aug  1 20:49:10 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00

Aug  1 20:49:10 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:49:11 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 20:49:11 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

< this continues a while until: >

Aug  1 21:04:42 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 21:04:42 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2

Aug  1 21:04:43 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1

Aug  1 21:04:43 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00

Aug  1 21:04:45 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1

Aug  1 21:04:45 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00

Aug  1 21:04:46 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1

Aug  1 21:04:46 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00

Aug  1 21:04:48 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1

Aug  1 21:04:48 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00

Aug  1 21:04:49 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1

Aug  1 21:04:49 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00

Aug  1 21:04:51 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1

Aug  1 21:04:51 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00

Aug  1 21:04:52 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1

Aug  1 21:04:52 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00

Aug  1 21:04:54 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1

Aug  1 21:04:54 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00

Aug  1 21:04:56 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1

Aug  1 21:04:56 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00

Aug  1 21:04:57 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1

Aug  1 21:04:57 vpnbox %ASA-6-302015: Built inbound UDP connection 21459974 for outside:1.1.1.1/500 (1.1.1.1/500) to identity:2.2.2.2/500 (2.2.2.2/500)

Aug  1 21:04:57 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 100

Aug  1 21:04:57 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing SA payload

Aug  1 21:04:57 vpnbox %ASA-7-713906: IP = 1.1.1.1, Oakley proposal is acceptable

Aug  1 21:04:57 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing VID payload

Aug  1 21:04:57 vpnbox %ASA-7-715049: IP = 1.1.1.1, Received DPD VID

Aug  1 21:04:57 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing IKE SA payload

Aug  1 21:04:57 vpnbox %ASA-7-715028: IP = 1.1.1.1, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 11

Aug  1 21:04:57 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing ISAKMP SA payload

Aug  1 21:04:57 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing Fragmentation VID + extended capabilities payload

Aug  1 21:04:57 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104

Aug  1 21:04:57 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180

Aug  1 21:04:57 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing ke payload

Aug  1 21:04:57 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing ISA_KE payload

Aug  1 21:04:57 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing nonce payload

Aug  1 21:04:57 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing ke payload

Aug  1 21:04:57 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing nonce payload

Aug  1 21:04:57 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing Cisco Unity VID payload

Aug  1 21:04:57 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing xauth V6 VID payload

Aug  1 21:04:57 vpnbox %ASA-7-715048: IP = 1.1.1.1, Send IOS VID

Aug  1 21:04:57 vpnbox %ASA-7-715038: IP = 1.1.1.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)

Aug  1 21:04:57 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing VID payload

Aug  1 21:04:57 vpnbox %ASA-7-715048: IP = 1.1.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Aug  1 21:04:57 vpnbox %ASA-7-713906: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1

Aug  1 21:04:57 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, Generating keys for Responder...

Aug  1 21:04:57 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256

Aug  1 21:04:57 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64

Aug  1 21:04:57 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload

Aug  1 21:04:57 vpnbox %ASA-7-714011: Group = 1.1.1.1, IP = 1.1.1.1, ID_IPV4_ADDR ID received#0121.1.1.1

Aug  1 21:04:57 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload

Aug  1 21:04:57 vpnbox %ASA-7-715076: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP

Aug  1 21:04:57 vpnbox %ASA-7-713906: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1

Aug  1 21:04:57 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing ID payload

Aug  1 21:04:57 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing hash payload

Aug  1 21:04:57 vpnbox %ASA-7-715076: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP

Aug  1 21:04:57 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing dpd vid payload

Aug  1 21:04:57 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84

Aug  1 21:04:57 vpnbox %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 1.1.1.1

Aug  1 21:04:57 vpnbox %ASA-5-713119: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 1 COMPLETED

Aug  1 21:04:57 vpnbox %ASA-7-713121: IP = 1.1.1.1, Keep-alive type for this connection: DPD

Aug  1 21:04:57 vpnbox %ASA-7-715080: Group = 1.1.1.1, IP = 1.1.1.1, Starting P1 rekey timer: 48600 seconds.

Aug  1 21:04:57 vpnbox %ASA-7-720041: (VPN-Primary) Sending New Phase 1 SA message (type L2L, remote addr 1.1.1.1, my cookie 45AADBFC, his cookie A79B8DC8) to standby unit

Aug  1 21:04:58 vpnbox %ASA-7-714003: IP = 1.1.1.1, IKE Responder starting QM: msg id = cf91932a

Aug  1 21:04:58 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=cf91932a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 280

Aug  1 21:04:58 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload

Aug  1 21:04:58 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing SA payload

Aug  1 21:04:58 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing nonce payload

Aug  1 21:04:58 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing ke payload

Aug  1 21:04:58 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, processing ISA_KE for PFS in phase 2

Aug  1 21:04:58 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload

Aug  1 21:04:58 vpnbox %ASA-7-714011: Group = 1.1.1.1, IP = 1.1.1.1, ID_IPV4_ADDR ID received#0121.1.1.1

Aug  1 21:04:58 vpnbox %ASA-7-713025: Group = 1.1.1.1, IP = 1.1.1.1, Received remote Proxy Host data in ID Payload:  Address 1.1.1.1, Protocol 0, Port 0

Aug  1 21:04:58 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload

Aug  1 21:04:58 vpnbox %ASA-7-714011: Group = 1.1.1.1, IP = 1.1.1.1, ID_IPV4_ADDR ID received#01210.10.0.1

Aug  1 21:04:58 vpnbox %ASA-7-713024: Group = 1.1.1.1, IP = 1.1.1.1, Received local Proxy Host data in ID Payload:  Address 10.10.0.1, Protocol 0, Port 0

Aug  1 21:04:58 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, QM IsRekeyed old sa not found by addr

Aug  1 21:04:58 vpnbox %ASA-7-713221: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 20...

Aug  1 21:04:58 vpnbox %ASA-7-713222: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 20, ACL does not match proxy IDs src:1.1.1.1 dst:10.10.0.1

Aug  1 21:04:58 vpnbox %ASA-7-713221: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 30...

Aug  1 21:04:58 vpnbox %ASA-7-713222: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 30, ACL does not match proxy IDs src:1.1.1.1 dst:10.10.0.1

Aug  1 21:04:58 vpnbox %ASA-7-713221: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 40...

Aug  1 21:04:58 vpnbox %ASA-7-713222: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 40, ACL does not match proxy IDs src:1.1.1.1 dst:10.10.0.1

Aug  1 21:04:58 vpnbox %ASA-7-713221: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 50...

Aug  1 21:04:58 vpnbox %ASA-7-713222: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 50, ACL does not match proxy IDs src:1.1.1.1 dst:10.10.0.1

Aug  1 21:04:58 vpnbox %ASA-7-713221: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 60...

Aug  1 21:04:58 vpnbox %ASA-7-713222: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 60, ACL does not match proxy IDs src:1.1.1.1 dst:10.10.0.1

Aug  1 21:04:58 vpnbox %ASA-7-713221: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 70...

Aug  1 21:04:58 vpnbox %ASA-7-713223: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 70, no ACL configured

Aug  1 21:04:58 vpnbox %ASA-7-713221: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 80...

Aug  1 21:04:58 vpnbox %ASA-7-713222: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 80, ACL does not match proxy IDs src:1.1.1.1 dst:10.10.0.1

Aug  1 21:04:58 vpnbox %ASA-7-713221: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 90...

Aug  1 21:04:58 vpnbox %ASA-7-713222: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 90, ACL does not match proxy IDs src:1.1.1.1 dst:10.10.0.1

Aug  1 21:04:58 vpnbox %ASA-7-713221: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 100...

Aug  1 21:04:58 vpnbox %ASA-7-713222: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 100, ACL does not match proxy IDs src:1.1.1.1 dst:10.10.0.1

Aug  1 21:04:58 vpnbox %ASA-7-713221: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 102...

Aug  1 21:04:58 vpnbox %ASA-7-713225: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map outside_map, seq = 102 is a successful match

Aug  1 21:04:58 vpnbox %ASA-7-713066: Group = 1.1.1.1, IP = 1.1.1.1, IKE Remote Peer configured for crypto map: outside_map

Aug  1 21:04:58 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing IPSec SA payload

Aug  1 21:04:58 vpnbox %ASA-7-715027: Group = 1.1.1.1, IP = 1.1.1.1, IPSec SA Proposal # 1, Transform # 1 acceptable  Matches global IPSec SA entry # 102

Aug  1 21:04:58 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, IKE: requesting SPI!

Aug  1 21:04:58 vpnbox %ASA-7-715006: Group = 1.1.1.1, IP = 1.1.1.1, IKE got SPI from key engine: SPI = 0x38285b81

Aug  1 21:04:58 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, oakley constucting quick mode

Aug  1 21:04:58 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload

Aug  1 21:04:58 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing IPSec SA payload

Aug  1 21:04:58 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing IPSec nonce payload

Aug  1 21:04:58 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing pfs ke payload

Aug  1 21:04:58 vpnbox %ASA-7-715001: Group = 1.1.1.1, IP = 1.1.1.1, constructing proxy ID

Aug  1 21:04:58 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, Transmitting Proxy Id:#012  Remote host: 1.1.1.1  Protocol 0  Port 0#012  Local host:  10.10.0.1  Protocol 0  Port 0

Aug  1 21:04:58 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload

Aug  1 21:04:58 vpnbox %ASA-7-714005: Group = 1.1.1.1, IP = 1.1.1.1, IKE Responder sending 2nd QM pkt: msg id = cf91932a

Aug  1 21:04:58 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=cf91932a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 284

Aug  1 21:04:58 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=cf91932a) with payloads : HDR + HASH (8) + NONE (0) total length : 52

Aug  1 21:04:58 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload

Aug  1 21:04:58 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, loading all IPSEC SAs

Aug  1 21:04:58 vpnbox %ASA-7-715001: Group = 1.1.1.1, IP = 1.1.1.1, Generating Quick Mode Key!

Aug  1 21:04:58 vpnbox %ASA-7-715001: Group = 1.1.1.1, IP = 1.1.1.1, Generating Quick Mode Key!

Aug  1 21:04:58 vpnbox %ASA-5-713049: Group = 1.1.1.1, IP = 1.1.1.1, Security negotiation complete for LAN-to-LAN Group (1.1.1.1)  Responder, Inbound SPI = 0x38285b81, Outbound SPI = 0x023946a1

Aug  1 21:04:58 vpnbox %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x023946A1) between 2.2.2.2 and 1.1.1.1 (user= 1.1.1.1) has been created.

Aug  1 21:04:58 vpnbox %ASA-7-715007: Group = 1.1.1.1, IP = 1.1.1.1, IKE got a KEY_ADD msg for SA: SPI = 0x023946a1

Aug  1 21:04:58 vpnbox %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x38285B81) between 2.2.2.2 and 1.1.1.1 (user= 1.1.1.1) has been created.

Aug  1 21:04:58 vpnbox %ASA-7-715077: Group = 1.1.1.1, IP = 1.1.1.1, Pitcher: received KEY_UPDATE, spi 0x38285b81

Aug  1 21:04:58 vpnbox %ASA-7-715080: Group = 1.1.1.1, IP = 1.1.1.1, Starting P2 rekey timer: 3420 seconds.

Aug  1 21:04:58 vpnbox %ASA-5-713120: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 2 COMPLETED (msgid=cf91932a)

Somehow the connection terminates shortly after the rekeying event.

According to the lines:

Aug  1 20:46:24 vpnbox %ASA-7-713906: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1

Aug  1 20:46:24 vpnbox %ASA-5-713119: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 1 COMPLETED

Aug  1 20:46:24 vpnbox %ASA-7-713121: IP = 1.1.1.1, Keep-alive type for this connection: None

Aug  1 20:46:24 vpnbox %ASA-3-713122: IP = 1.1.1.1, Keep-alives configured on but peer does not support keep-alives (type = None)

Aug  1 20:46:24 vpnbox %ASA-7-715080: Group = 1.1.1.1, IP = 1.1.1.1, Starting P1 rekey timer: 48600 seconds.

Aug  1 20:46:24 vpnbox %ASA-7-720041: (VPN-Primary) Sending Phase 1 Rekey OK message (type L2L, remote addr 1.1.1.1, my cookie B92A6170, his cookie EF8B3D1F) to standby unit

I assume the phase 1 rekeying event was successful.

Any help is greatly appreciated.


adamkorab
Level 1

Tom - any luck? I'm experiencing this same behavior between an R65 peer and my ASA 5520 7.2(4).

Hi adamkorab,

Sorry for the late reply: I was on holiday.

It seems the other vpn device was not a Checkpoint. It's actually a GB-Ware from GTA (version 6.0.0).

After sniffing the isakmp traffic, the only thing that got my attention was the "Transform IKE Attribute Type Life-Duration".

(When talking about "the attribute" I mean the above Life-Duration attribute)

Scenario 1) Peer initiates tunnel

When the peer would initiate the tunnel, the peer would use the TV encoding of the attribute and we would reply using TV as well. When our ASA would initiate a rekeying event next, our ASA would use the TLV encoding of the attribute. The peer would respond using TLV as well with a tunnel termination shortly after that.

Scenario 2) We initiate tunnel

When our ASA would initiate the tunnel, it would use the TLV encoding of the attribute. The peer replies using TLV as well. When our ASA initiates a rekeying event next, our ASA would use the TLV encoding of the attribute. The peer would respond using TLV and all is well. The tunnel never terminates abnormally when we initiate the tunnel.

Our first guess was that the customer has a bug related to the TLV/TV encoding. I think it could be an ASA bug as well...

Quote from rfc2409:

"Attributes described as basic MUST NOT be encoded as variable. Variable length attributes MAY be encoded as basic attributes if their value can fit into two octets. If this is the case, an attribute offered as variable (or basic) by the initiator of this protocol MAY be returned to the initiator as a basic (or variable)."

The customer had a bug filed with their provider. Their recommendation was to configure DPD. DPD does indeed do what it should... It would detect that the tunnel was no longer established. Before DPD, our tunnel would terminate shortly after rekeying and the peer would think it was up. This state could exist for a very long time (I could capture ESP packets from the peer for 40 minutes after termination...).

So, since our peer has a workaround that they are happy with, we decided to drop this case.

Filing a TAC-case has come to mind, but due to limited time and experience with TAC, we decided not to pursue this path.

With kind regards,

Tom
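The encoding difference Tom describes is easy to see on the wire once the ISAKMP data-attribute format is spelled out. The following is an added example (not Tom's, the ASA's or the peer's code): an encoder and parser for IKEv1 transform attributes that produces and accepts both the basic (TV, AF bit set) and variable (TLV, AF bit clear) forms, using the attribute class numbers from RFC 2409 Appendix A. The constructed proposal mirrors the `crypto ikev1 policy` on this page (3DES, SHA, pre-shared key, group 2, lifetime in seconds); the 4-octet width chosen for TLV values is an assumption of this example. It also shows why a conformant responder has to accept either form: a lifetime of 3600 fits in two octets and may legitimately arrive as TV or TLV, while 86400 does not fit and can only be sent as TLV.

```python
"""Encode and parse IKEv1 (RFC 2408/2409) data attributes in TV and TLV form.

Added example; not the ASA's or the peer's code. Attribute classes and
value numbers are taken from RFC 2409 Appendix A.
"""
import struct

# RFC 2409 Appendix A attribute classes: True = basic (B), False = variable (V).
ATTR_IS_BASIC = {
    1: True,    # Encryption Algorithm
    2: True,    # Hash Algorithm
    3: True,    # Authentication Method
    4: True,    # Group Description
    5: True,    # Group Type
    6: False,   # Group Prime / Irreducible Polynomial
    7: False,   # Group Generator One
    8: False,   # Group Generator Two
    9: False,   # Group Curve A
    10: False,  # Group Curve B
    11: True,   # Life Type
    12: False,  # Life Duration
    13: True,   # PRF
    14: True,   # Key Length
    15: True,   # Field Size
    16: False,  # Group Order
}
LIFE_TYPE, LIFE_DURATION = 11, 12
LIFE_TYPE_SECONDS = 1
AF_BIT = 0x8000  # high bit of the first 16-bit word: 1 = TV (basic), 0 = TLV (variable)


def encode_attribute(attr_type, value, prefer_basic=True):
    """Encode one data attribute.

    Basic attributes must be TV. Variable attributes may be TV when the value
    fits in two octets; otherwise they must be TLV.
    """
    is_basic = ATTR_IS_BASIC[attr_type]
    if is_basic and value > 0xFFFF:
        raise ValueError(f"basic attribute {attr_type} cannot carry value {value}")
    if is_basic or (prefer_basic and value <= 0xFFFF):
        return struct.pack("!HH", AF_BIT | attr_type, value)
    # TLV: length word followed by a big-endian value, at least 4 octets wide
    # (4 octets is an assumption of this example, not an RFC requirement).
    raw = value.to_bytes(max(4, (value.bit_length() + 7) // 8), "big")
    return struct.pack("!HH", attr_type, len(raw)) + raw


def parse_attributes(data):
    """Parse a run of data attributes into (type, value, 'TV'|'TLV') tuples.

    Accepts either encoding for variable attributes, as RFC 2409 requires,
    and rejects a basic attribute that arrives in TLV form.
    """
    attrs, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        first, second = struct.unpack_from("!HH", data, off)
        off += 4
        attr_type = first & 0x7FFF
        if first & AF_BIT:
            attrs.append((attr_type, second, "TV"))
            continue
        if off + second > len(data):
            raise ValueError("truncated TLV attribute value")
        if ATTR_IS_BASIC.get(attr_type):
            raise ValueError(f"basic attribute {attr_type} encoded as TLV (RFC 2409 violation)")
        value = int.from_bytes(data[off:off + second], "big")
        off += second
        attrs.append((attr_type, value, "TLV"))
    return attrs


def build_phase1_attributes(lifetime, duration_basic=True):
    """Constructed Phase 1 proposal attributes matching the policy on this page:
    3DES-CBC (5), SHA (2), pre-shared key (1), group 2, Life Type seconds."""
    return b"".join([
        encode_attribute(1, 5),
        encode_attribute(2, 2),
        encode_attribute(3, 1),
        encode_attribute(4, 2),
        encode_attribute(LIFE_TYPE, LIFE_TYPE_SECONDS),
        encode_attribute(LIFE_DURATION, lifetime, prefer_basic=duration_basic),
    ])


def proposed_lifetime(attrs):
    """Return the proposed lifetime in seconds regardless of how it was encoded,
    or None when no Life Type of 'seconds' accompanies the Life Duration."""
    by_type = {t: v for t, v, _ in attrs}
    if by_type.get(LIFE_TYPE) != LIFE_TYPE_SECONDS or LIFE_DURATION not in by_type:
        return None
    return by_type[LIFE_DURATION]


if __name__ == "__main__":
    for basic in (True, False):
        parsed = parse_attributes(build_phase1_attributes(3600, duration_basic=basic))
        print("TV" if basic else "TLV", "lifetime ->", proposed_lifetime(parsed))
    print("86400 forces TLV:", encode_attribute(LIFE_DURATION, 86400).hex())
```

Run as a script it shows the same 3600-second lifetime recovered from both encodings and the TLV bytes that a one-day lifetime necessarily produces. A peer that only accepts the encoding it first saw on the initial exchange, rather than either form, is the kind of behaviour that only shows up when the other side becomes initiator at rekey time.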
