08-02-2011 02:03 AM
Hi,
I have a site-to-site VPN with a customer. I have an ASA 5520 (8.4(1)) in active/standby and they have a Checkpoint R65.
The configuration on my side is:
access-list encdom_acl extended permit ip host 10.0.0.1 host 1.1.1.1
access-list encdom_acl extended permit ip host 10.10.0.1 host 1.1.1.1
access-list encdom_acl extended permit ip host 10.20.0.1 host 1.1.1.1
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 102 match address encdom_acl
crypto map outside_map 102 set pfs
crypto map outside_map 102 set peer 1.1.1.1
crypto map outside_map 102 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 102 set security-association lifetime seconds 3600
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key cisco123
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
We've checked whether the phase 1 and phase 2 lifetimes are the same and they are. Traffic flows correctly until shortly after a rekeying event. The debug log says the following:
Aug 1 20:46:24 vpnbox %ASA-7-713906: IP = 1.1.1.1, Starting phase 1 rekey
Aug 1 20:46:24 vpnbox %ASA-5-713041: IP = 1.1.1.1, IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer 1.1.1.1 local Proxy Address 0.0.0.0, remote Proxy Address 0.0.0.0, Crypto map (N/A)
Aug 1 20:46:24 vpnbox %ASA-7-720041: (VPN-Primary) Sending Phase 1 Rekey message (type L2L, remote addr 1.1.1.1, my cookie A8DB5D02, his cookie 0C6812B0) to standby unit
Aug 1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing ISAKMP SA payload
Aug 1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing NAT-Traversal VID ver 02 payload
Aug 1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing NAT-Traversal VID ver 03 payload
Aug 1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing NAT-Traversal VID ver RFC payload
Aug 1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing Fragmentation VID + extended capabilities payload
Aug 1 20:46:24 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Aug 1 20:46:24 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Aug 1 20:46:24 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing SA payload
Aug 1 20:46:24 vpnbox %ASA-7-713906: IP = 1.1.1.1, Oakley proposal is acceptable
Aug 1 20:46:24 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing VID payload
Aug 1 20:46:24 vpnbox %ASA-7-715049: IP = 1.1.1.1, Received NAT-Traversal RFC VID
Aug 1 20:46:24 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing VID payload
Aug 1 20:46:24 vpnbox %ASA-7-715049: IP = 1.1.1.1, Received Fragmentation VID
Aug 1 20:46:24 vpnbox %ASA-7-715064: IP = 1.1.1.1, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Aug 1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing ke payload
Aug 1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing nonce payload
Aug 1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing Cisco Unity VID payload
Aug 1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing xauth V6 VID payload
Aug 1 20:46:24 vpnbox %ASA-7-715048: IP = 1.1.1.1, Send IOS VID
Aug 1 20:46:24 vpnbox %ASA-7-715038: IP = 1.1.1.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Aug 1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing VID payload
Aug 1 20:46:24 vpnbox %ASA-7-715048: IP = 1.1.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Aug 1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing NAT-Discovery payload
Aug 1 20:46:24 vpnbox %ASA-7-713906: IP = 1.1.1.1, computing NAT Discovery hash
Aug 1 20:46:24 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing NAT-Discovery payload
Aug 1 20:46:24 vpnbox %ASA-7-713906: IP = 1.1.1.1, computing NAT Discovery hash
Aug 1 20:46:24 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Aug 1 20:46:24 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 228
Aug 1 20:46:24 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing ke payload
Aug 1 20:46:24 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing ISA_KE payload
Aug 1 20:46:24 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing nonce payload
Aug 1 20:46:24 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing NAT-Discovery payload
Aug 1 20:46:24 vpnbox %ASA-7-713906: IP = 1.1.1.1, computing NAT Discovery hash
Aug 1 20:46:24 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing NAT-Discovery payload
Aug 1 20:46:24 vpnbox %ASA-7-713906: IP = 1.1.1.1, computing NAT Discovery hash
Aug 1 20:46:24 vpnbox %ASA-7-713906: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
Aug 1 20:46:24 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, Generating keys for Initiator...
Aug 1 20:46:24 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing ID payload
Aug 1 20:46:24 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing hash payload
Aug 1 20:46:24 vpnbox %ASA-7-715076: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP
Aug 1 20:46:24 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing dpd vid payload
Aug 1 20:46:24 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Aug 1 20:46:24 vpnbox %ASA-6-713172: Group = 1.1.1.1, IP = 1.1.1.1, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Aug 1 20:46:24 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Aug 1 20:46:24 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload
Aug 1 20:46:24 vpnbox %ASA-7-714011: Group = 1.1.1.1, IP = 1.1.1.1, ID_IPV4_ADDR ID received#0121.1.1.1
Aug 1 20:46:24 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
Aug 1 20:46:24 vpnbox %ASA-7-715076: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP
Aug 1 20:46:24 vpnbox %ASA-7-713906: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
Aug 1 20:46:24 vpnbox %ASA-5-713119: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 1 COMPLETED
Aug 1 20:46:24 vpnbox %ASA-7-713121: IP = 1.1.1.1, Keep-alive type for this connection: None
Aug 1 20:46:24 vpnbox %ASA-3-713122: IP = 1.1.1.1, Keep-alives configured on but peer does not support keep-alives (type = None)
Aug 1 20:46:24 vpnbox %ASA-7-715080: Group = 1.1.1.1, IP = 1.1.1.1, Starting P1 rekey timer: 48600 seconds.
Aug 1 20:46:24 vpnbox %ASA-7-720041: (VPN-Primary) Sending Phase 1 Rekey OK message (type L2L, remote addr 1.1.1.1, my cookie B92A6170, his cookie EF8B3D1F) to standby unit
Aug 1 20:46:33 vpnbox %ASA-7-715036: Group = 1.1.1.1, IP = 1.1.1.1, Sending keep-alive of type DPD R-U-THERE (seq number 0x7adaba4f)
Aug 1 20:46:33 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload
Aug 1 20:46:33 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload
Aug 1 20:46:33 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=65bde8ed) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Aug 1 20:46:34 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=8a001f32) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Aug 1 20:46:34 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
Aug 1 20:46:34 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing notify payload
Aug 1 20:46:34 vpnbox %ASA-7-715075: Group = 1.1.1.1, IP = 1.1.1.1, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x7adaba4f)
Aug 1 20:46:35 vpnbox %ASA-6-302013: Built inbound TCP connection 21457260 for outside:1.1.1.1/38303 (10.32.0.15/38303) to inside:10.10.0.1/80 (10.10.0.1/80)
Aug 1 20:46:35 vpnbox %ASA-6-302013: Built inbound TCP connection 21457261 for outside:1.1.1.1/40618 (10.32.0.15/40618) to inside:10.10.0.1/443 (10.10.0.1/443)
Aug 1 20:46:36 vpnbox %ASA-6-302014: Teardown TCP connection 21457260 for outside:1.1.1.1/38303 to inside:10.10.0.1/80 duration 0:00:00 bytes 13404 TCP FINs
Aug 1 20:46:36 vpnbox %ASA-6-302014: Teardown TCP connection 21457261 for outside:1.1.1.1/40618 to inside:10.10.0.1/443 duration 0:00:00 bytes 19272 TCP FINs
Aug 1 20:46:43 vpnbox %ASA-6-302013: Built inbound TCP connection 21457273 for outside:1.1.1.1/40621 (10.32.0.15/40621) to inside:10.10.0.1/443 (10.10.0.1/443)
Aug 1 20:46:44 vpnbox %ASA-6-302014: Teardown TCP connection 21457273 for outside:1.1.1.1/40621 to inside:10.10.0.1/443 duration 0:00:00 bytes 6404 TCP FINs
Aug 1 20:46:46 vpnbox %ASA-6-302013: Built inbound TCP connection 21457290 for outside:1.1.1.1/38310 (10.32.0.15/38310) to inside:10.10.0.1/80 (10.10.0.1/80)
Aug 1 20:46:46 vpnbox %ASA-6-302014: Teardown TCP connection 21457290 for outside:1.1.1.1/38310 to inside:10.10.0.1/80 duration 0:00:00 bytes 666 TCP FINs
Aug 1 20:47:03 vpnbox %ASA-7-715036: Group = 1.1.1.1, IP = 1.1.1.1, Sending keep-alive of type DPD R-U-THERE (seq number 0x7adaba50)
Aug 1 20:47:03 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload
Aug 1 20:47:03 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload
Aug 1 20:47:03 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=2ca4f44d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Aug 1 20:47:03 vpnbox %ASA-7-720041: (VPN-Primary) Sending Phase 1 SA Expired message (type L2L, remote addr 1.1.1.1, my cookie A8DB5D02, his cookie 0C6812B0) to standby unit
Aug 1 20:47:03 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, IKE SA MM:a8db5d02 terminating: flags 0x01000006, refcnt 0, tuncnt 0
Aug 1 20:47:03 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, sending delete/delete with reason message
Aug 1 20:47:03 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload
Aug 1 20:47:03 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing IKE delete payload
Aug 1 20:47:03 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload
Aug 1 20:47:03 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=c7f1471b) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Aug 1 20:47:03 vpnbox %ASA-7-720041: (VPN-Primary) Sending Phase 1 Activate SA message (type L2L, remote addr 1.1.1.1, my cookie B92A6170, his cookie EF8B3D1F) to standby unit
Aug 1 20:47:03 vpnbox %ASA-5-713904: IP = 1.1.1.1, Received encrypted packet with no matching SA, dropping
Aug 1 20:47:03 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=c7d335d0) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Aug 1 20:47:03 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
Aug 1 20:47:03 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, processing delete
Aug 1 20:47:03 vpnbox %ASA-5-713050: Group = 1.1.1.1, IP = 1.1.1.1, Connection terminated for peer 1.1.1.1. Reason: Peer Terminate Remote Proxy 10.10.0.1, Local Proxy 1.1.1.1
Aug 1 20:47:03 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, Active unit receives a delete event for remote peer 1.1.1.1.#012
Aug 1 20:47:03 vpnbox %ASA-7-715009: Group = 1.1.1.1, IP = 1.1.1.1, IKE Deleting SA: Remote Proxy 1.1.1.1, Local Proxy 10.10.0.1
Aug 1 20:47:03 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, IKE SA MM:b92a6170 rcv'd Terminate: state MM_ACTIVE flags 0x00000062, refcnt 1, tuncnt 0
Aug 1 20:47:03 vpnbox %ASA-7-720041: (VPN-Primary) Sending Phase 1 Terminate message (type L2L, remote addr 1.1.1.1, my cookie B92A6170, his cookie EF8B3D1F) to standby unit
Aug 1 20:47:03 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, IKE SA MM:b92a6170 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Aug 1 20:47:03 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, sending delete/delete with reason message
Aug 1 20:47:03 vpnbox %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x0359CA26) between 2.2.2.2 and 1.1.1.1 (user= 1.1.1.1) has been deleted.
Aug 1 20:47:03 vpnbox %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x1D4EF868) between 1.1.1.1 and 2.2.2.2 (user= 1.1.1.1) has been deleted.
Aug 1 20:47:03 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload
Aug 1 20:47:03 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing IKE delete payload
Aug 1 20:47:03 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload
Aug 1 20:47:03 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=cbecc104) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Aug 1 20:47:04 vpnbox %ASA-5-713259: Group = 1.1.1.1, IP = 1.1.1.1, Session is being torn down. Reason: User Requested
Aug 1 20:47:04 vpnbox %ASA-4-113019: Group = 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session Type: LAN-to-LAN, Duration: 13h:30m:39s, Bytes xmt: 65322487, Bytes rcv: 6843774, Reason: User Requested
Aug 1 20:47:05 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:47:07 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:47:10 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:47:10 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:47:11 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:47:11 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:47:12 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:47:14 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:47:16 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:47:37 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:47:40 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:47:40 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:47:40 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:47:41 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:47:41 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:47:42 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:47:46 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:47:49 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:48:10 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:48:10 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:48:10 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:48:11 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:48:11 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:48:12 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:48:13 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:48:19 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:48:22 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:48:40 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:48:40 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:48:41 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:48:41 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:48:42 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:48:43 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:48:45 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:48:52 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:48:54 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:49:06 vpnbox %ASA-6-302016: Teardown UDP connection 21446435 for outside:1.1.1.1/500 to identity:2.2.2.2/500 duration 1:00:01 bytes 24976
Aug 1 20:49:06 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 13:32:38
Aug 1 20:49:07 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1
Aug 1 20:49:07 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00
Aug 1 20:49:09 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1
Aug 1 20:49:09 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00
Aug 1 20:49:10 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:49:10 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1
Aug 1 20:49:10 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00
Aug 1 20:49:10 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:49:11 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:49:11 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
< this continues a while until: >
Aug 1 21:04:42 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 21:04:42 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 21:04:43 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1
Aug 1 21:04:43 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00
Aug 1 21:04:45 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1
Aug 1 21:04:45 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00
Aug 1 21:04:46 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1
Aug 1 21:04:46 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00
Aug 1 21:04:48 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1
Aug 1 21:04:48 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00
Aug 1 21:04:49 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1
Aug 1 21:04:49 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00
Aug 1 21:04:51 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1
Aug 1 21:04:51 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00
Aug 1 21:04:52 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1
Aug 1 21:04:52 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00
Aug 1 21:04:54 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1
Aug 1 21:04:54 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00
Aug 1 21:04:56 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1
Aug 1 21:04:56 vpnbox %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00
Aug 1 21:04:57 vpnbox %ASA-7-609001: Built local-host outside:1.1.1.1
Aug 1 21:04:57 vpnbox %ASA-6-302015: Built inbound UDP connection 21459974 for outside:1.1.1.1/500 (1.1.1.1/500) to identity:2.2.2.2/500 (2.2.2.2/500)
Aug 1 21:04:57 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 100
Aug 1 21:04:57 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing SA payload
Aug 1 21:04:57 vpnbox %ASA-7-713906: IP = 1.1.1.1, Oakley proposal is acceptable
Aug 1 21:04:57 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing VID payload
Aug 1 21:04:57 vpnbox %ASA-7-715049: IP = 1.1.1.1, Received DPD VID
Aug 1 21:04:57 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing IKE SA payload
Aug 1 21:04:57 vpnbox %ASA-7-715028: IP = 1.1.1.1, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 11
Aug 1 21:04:57 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing ISAKMP SA payload
Aug 1 21:04:57 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing Fragmentation VID + extended capabilities payload
Aug 1 21:04:57 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
Aug 1 21:04:57 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
Aug 1 21:04:57 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing ke payload
Aug 1 21:04:57 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing ISA_KE payload
Aug 1 21:04:57 vpnbox %ASA-7-715047: IP = 1.1.1.1, processing nonce payload
Aug 1 21:04:57 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing ke payload
Aug 1 21:04:57 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing nonce payload
Aug 1 21:04:57 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing Cisco Unity VID payload
Aug 1 21:04:57 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing xauth V6 VID payload
Aug 1 21:04:57 vpnbox %ASA-7-715048: IP = 1.1.1.1, Send IOS VID
Aug 1 21:04:57 vpnbox %ASA-7-715038: IP = 1.1.1.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Aug 1 21:04:57 vpnbox %ASA-7-715046: IP = 1.1.1.1, constructing VID payload
Aug 1 21:04:57 vpnbox %ASA-7-715048: IP = 1.1.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Aug 1 21:04:57 vpnbox %ASA-7-713906: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
Aug 1 21:04:57 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, Generating keys for Responder...
Aug 1 21:04:57 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Aug 1 21:04:57 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Aug 1 21:04:57 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload
Aug 1 21:04:57 vpnbox %ASA-7-714011: Group = 1.1.1.1, IP = 1.1.1.1, ID_IPV4_ADDR ID received#0121.1.1.1
Aug 1 21:04:57 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
Aug 1 21:04:57 vpnbox %ASA-7-715076: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP
Aug 1 21:04:57 vpnbox %ASA-7-713906: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
Aug 1 21:04:57 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing ID payload
Aug 1 21:04:57 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing hash payload
Aug 1 21:04:57 vpnbox %ASA-7-715076: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP
Aug 1 21:04:57 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing dpd vid payload
Aug 1 21:04:57 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Aug 1 21:04:57 vpnbox %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 1.1.1.1
Aug 1 21:04:57 vpnbox %ASA-5-713119: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 1 COMPLETED
Aug 1 21:04:57 vpnbox %ASA-7-713121: IP = 1.1.1.1, Keep-alive type for this connection: DPD
Aug 1 21:04:57 vpnbox %ASA-7-715080: Group = 1.1.1.1, IP = 1.1.1.1, Starting P1 rekey timer: 48600 seconds.
Aug 1 21:04:57 vpnbox %ASA-7-720041: (VPN-Primary) Sending New Phase 1 SA message (type L2L, remote addr 1.1.1.1, my cookie 45AADBFC, his cookie A79B8DC8) to standby unit
Aug 1 21:04:58 vpnbox %ASA-7-714003: IP = 1.1.1.1, IKE Responder starting QM: msg id = cf91932a
Aug 1 21:04:58 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=cf91932a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 280
Aug 1 21:04:58 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
Aug 1 21:04:58 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing SA payload
Aug 1 21:04:58 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing nonce payload
Aug 1 21:04:58 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing ke payload
Aug 1 21:04:58 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, processing ISA_KE for PFS in phase 2
Aug 1 21:04:58 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload
Aug 1 21:04:58 vpnbox %ASA-7-714011: Group = 1.1.1.1, IP = 1.1.1.1, ID_IPV4_ADDR ID received#0121.1.1.1
Aug 1 21:04:58 vpnbox %ASA-7-713025: Group = 1.1.1.1, IP = 1.1.1.1, Received remote Proxy Host data in ID Payload: Address 1.1.1.1, Protocol 0, Port 0
Aug 1 21:04:58 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload
Aug 1 21:04:58 vpnbox %ASA-7-714011: Group = 1.1.1.1, IP = 1.1.1.1, ID_IPV4_ADDR ID received#01210.10.0.1
Aug 1 21:04:58 vpnbox %ASA-7-713024: Group = 1.1.1.1, IP = 1.1.1.1, Received local Proxy Host data in ID Payload: Address 10.10.0.1, Protocol 0, Port 0
Aug 1 21:04:58 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, QM IsRekeyed old sa not found by addr
Aug 1 21:04:58 vpnbox %ASA-7-713221: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 20...
Aug 1 21:04:58 vpnbox %ASA-7-713222: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 20, ACL does not match proxy IDs src:1.1.1.1 dst:10.10.0.1
Aug 1 21:04:58 vpnbox %ASA-7-713221: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 30...
Aug 1 21:04:58 vpnbox %ASA-7-713222: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 30, ACL does not match proxy IDs src:1.1.1.1 dst:10.10.0.1
Aug 1 21:04:58 vpnbox %ASA-7-713221: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 40...
Aug 1 21:04:58 vpnbox %ASA-7-713222: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 40, ACL does not match proxy IDs src:1.1.1.1 dst:10.10.0.1
Aug 1 21:04:58 vpnbox %ASA-7-713221: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 50...
Aug 1 21:04:58 vpnbox %ASA-7-713222: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 50, ACL does not match proxy IDs src:1.1.1.1 dst:10.10.0.1
Aug 1 21:04:58 vpnbox %ASA-7-713221: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 60...
Aug 1 21:04:58 vpnbox %ASA-7-713222: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 60, ACL does not match proxy IDs src:1.1.1.1 dst:10.10.0.1
Aug 1 21:04:58 vpnbox %ASA-7-713221: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 70...
Aug 1 21:04:58 vpnbox %ASA-7-713223: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 70, no ACL configured
Aug 1 21:04:58 vpnbox %ASA-7-713221: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 80...
Aug 1 21:04:58 vpnbox %ASA-7-713222: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 80, ACL does not match proxy IDs src:1.1.1.1 dst:10.10.0.1
Aug 1 21:04:58 vpnbox %ASA-7-713221: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 90...
Aug 1 21:04:58 vpnbox %ASA-7-713222: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 90, ACL does not match proxy IDs src:1.1.1.1 dst:10.10.0.1
Aug 1 21:04:58 vpnbox %ASA-7-713221: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 100...
Aug 1 21:04:58 vpnbox %ASA-7-713222: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 100, ACL does not match proxy IDs src:1.1.1.1 dst:10.10.0.1
Aug 1 21:04:58 vpnbox %ASA-7-713221: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 102...
Aug 1 21:04:58 vpnbox %ASA-7-713225: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map outside_map, seq = 102 is a successful match
Aug 1 21:04:58 vpnbox %ASA-7-713066: Group = 1.1.1.1, IP = 1.1.1.1, IKE Remote Peer configured for crypto map: outside_map
Aug 1 21:04:58 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing IPSec SA payload
Aug 1 21:04:58 vpnbox %ASA-7-715027: Group = 1.1.1.1, IP = 1.1.1.1, IPSec SA Proposal # 1, Transform # 1 acceptable Matches global IPSec SA entry # 102
Aug 1 21:04:58 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, IKE: requesting SPI!
Aug 1 21:04:58 vpnbox %ASA-7-715006: Group = 1.1.1.1, IP = 1.1.1.1, IKE got SPI from key engine: SPI = 0x38285b81
Aug 1 21:04:58 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, oakley constucting quick mode
Aug 1 21:04:58 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload
Aug 1 21:04:58 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing IPSec SA payload
Aug 1 21:04:58 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing IPSec nonce payload
Aug 1 21:04:58 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing pfs ke payload
Aug 1 21:04:58 vpnbox %ASA-7-715001: Group = 1.1.1.1, IP = 1.1.1.1, constructing proxy ID
Aug 1 21:04:58 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, Transmitting Proxy Id:#012 Remote host: 1.1.1.1 Protocol 0 Port 0#012 Local host: 10.10.0.1 Protocol 0 Port 0
Aug 1 21:04:58 vpnbox %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload
Aug 1 21:04:58 vpnbox %ASA-7-714005: Group = 1.1.1.1, IP = 1.1.1.1, IKE Responder sending 2nd QM pkt: msg id = cf91932a
Aug 1 21:04:58 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=cf91932a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 284
Aug 1 21:04:58 vpnbox %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=cf91932a) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Aug 1 21:04:58 vpnbox %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
Aug 1 21:04:58 vpnbox %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, loading all IPSEC SAs
Aug 1 21:04:58 vpnbox %ASA-7-715001: Group = 1.1.1.1, IP = 1.1.1.1, Generating Quick Mode Key!
Aug 1 21:04:58 vpnbox %ASA-7-715001: Group = 1.1.1.1, IP = 1.1.1.1, Generating Quick Mode Key!
Aug 1 21:04:58 vpnbox %ASA-5-713049: Group = 1.1.1.1, IP = 1.1.1.1, Security negotiation complete for LAN-to-LAN Group (1.1.1.1) Responder, Inbound SPI = 0x38285b81, Outbound SPI = 0x023946a1
Aug 1 21:04:58 vpnbox %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x023946A1) between 2.2.2.2 and 1.1.1.1 (user= 1.1.1.1) has been created.
Aug 1 21:04:58 vpnbox %ASA-7-715007: Group = 1.1.1.1, IP = 1.1.1.1, IKE got a KEY_ADD msg for SA: SPI = 0x023946a1
Aug 1 21:04:58 vpnbox %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x38285B81) between 2.2.2.2 and 1.1.1.1 (user= 1.1.1.1) has been created.
Aug 1 21:04:58 vpnbox %ASA-7-715077: Group = 1.1.1.1, IP = 1.1.1.1, Pitcher: received KEY_UPDATE, spi 0x38285b81
Aug 1 21:04:58 vpnbox %ASA-7-715080: Group = 1.1.1.1, IP = 1.1.1.1, Starting P2 rekey timer: 3420 seconds.
Aug 1 21:04:58 vpnbox %ASA-5-713120: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 2 COMPLETED (msgid=cf91932a)
Somehow the connection terminates shortly after the rekeying event.
According to the lines:
Aug 1 20:46:24 vpnbox %ASA-7-713906: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
Aug 1 20:46:24 vpnbox %ASA-5-713119: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 1 COMPLETED
Aug 1 20:46:24 vpnbox %ASA-7-713121: IP = 1.1.1.1, Keep-alive type for this connection: None
Aug 1 20:46:24 vpnbox %ASA-3-713122: IP = 1.1.1.1, Keep-alives configured on but peer does not support keep-alives (type = None)
Aug 1 20:46:24 vpnbox %ASA-7-715080: Group = 1.1.1.1, IP = 1.1.1.1, Starting P1 rekey timer: 48600 seconds.
Aug 1 20:46:24 vpnbox %ASA-7-720041: (VPN-Primary) Sending Phase 1 Rekey OK message (type L2L, remote addr 1.1.1.1, my cookie B92A6170, his cookie EF8B3D1F) to standby unit
I assume the phase 1 rekeying event was successful.
Any help is greatly appreciated.
Message was edited by: Tom van Leeuwen. Changed some highlighting for better visibility.
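The debug above has a recognisable shape: a Phase 1 rekey (713041) that completes, a teardown of the old SA (713050) a few seconds later, and then a long run of ESP discards (710006) from the peer while no SA exists, until Phase 2 completes again (713120). The script below is an added example, not part of the original post or of any Cisco tool: it parses ASA syslog lines and flags that sequence per peer, so the same condition can be caught from a log collector instead of by reading debugs. The 120-second rekey-to-teardown window is an assumed threshold, and the embedded sample is a hand-condensed subset of the lines quoted above.

```python
"""Flag the 'tunnel dies right after a Phase 1 rekey' pattern in Cisco ASA syslog.

Added example, not code from the original post. Message IDs used:
713041 Phase 1 rekey started, 713050 connection terminated for peer,
710006 ESP discarded (no SA), 713120 Phase 2 completed (tunnel back).
The rekey-to-teardown window is an assumed threshold, not an ASA setting."""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) %ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$"
)
# Peer address is "IP = x.x.x.x" in IKE messages and "from x.x.x.x" in 710006.
IP_RE = re.compile(r"(?:IP = |from )(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample: a condensed subset of the debug lines quoted in the post.
SAMPLE_LOG = """\
Aug 1 20:46:24 vpnbox %ASA-5-713041: IP = 1.1.1.1, IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer 1.1.1.1 local Proxy Address 0.0.0.0, remote Proxy Address 0.0.0.0, Crypto map (N/A)
Aug 1 20:46:24 vpnbox %ASA-5-713119: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 1 COMPLETED
Aug 1 20:46:24 vpnbox %ASA-3-713122: IP = 1.1.1.1, Keep-alives configured on but peer does not support keep-alives (type = None)
Aug 1 20:47:03 vpnbox %ASA-5-713904: IP = 1.1.1.1, Received encrypted packet with no matching SA, dropping
Aug 1 20:47:03 vpnbox %ASA-5-713050: Group = 1.1.1.1, IP = 1.1.1.1, Connection terminated for peer 1.1.1.1. Reason: Peer Terminate Remote Proxy 10.10.0.1, Local Proxy 1.1.1.1
Aug 1 20:47:04 vpnbox %ASA-4-113019: Group = 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session Type: LAN-to-LAN, Duration: 13h:30m:39s, Bytes xmt: 65322487, Bytes rcv: 6843774, Reason: User Requested
Aug 1 20:47:05 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:47:07 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 20:47:10 vpnbox %ASA-7-710006: ESP request discarded from 1.1.1.1 to outside:2.2.2.2
Aug 1 21:04:57 vpnbox %ASA-5-713119: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 1 COMPLETED
Aug 1 21:04:58 vpnbox %ASA-5-713120: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 2 COMPLETED (msgid=cf91932a)
"""


def parse(log_text):
    """Yield one dict per ASA syslog line: timestamp, message id, peer IP, text."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; only deltas inside one capture matter here.
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        ip = IP_RE.search(m["msg"])
        yield {"ts": ts, "id": m["id"], "peer": ip.group(1) if ip else None, "msg": m["msg"]}


def analyze(log_text, rekey_window_s=120):
    """Return findings: teardowns within rekey_window_s of a Phase 1 rekey, and ESP the
    peer kept sending into a tunnel this side had already deleted (until it came back)."""
    findings = []
    rekey_at, dead_since, orphans = {}, {}, {}
    for ev in parse(log_text):
        peer = ev["peer"]
        if peer is None:
            continue
        if ev["id"] == "713041" and "Rekeying Phase 1" in ev["msg"]:
            rekey_at[peer] = ev["ts"]
        elif ev["id"] == "713050":  # Connection terminated for peer
            t0 = rekey_at.get(peer)
            if t0 is not None:
                delay = int((ev["ts"] - t0).total_seconds())
                if 0 <= delay <= rekey_window_s:
                    findings.append({"kind": "teardown_after_rekey", "peer": peer, "delay_s": delay})
            dead_since[peer] = ev["ts"]
            orphans[peer] = []
        elif ev["id"] == "710006" and peer in dead_since:  # ESP arriving while no SA exists
            orphans[peer].append(ev["ts"])
        elif ev["id"] == "713120" and peer in dead_since:  # PHASE 2 COMPLETED: tunnel is back
            down = dead_since.pop(peer)
            pkts = orphans.pop(peer)
            if pkts:
                findings.append({
                    "kind": "esp_into_dead_tunnel", "peer": peer, "count": len(pkts),
                    "first_s": int((pkts[0] - down).total_seconds()),
                    "outage_s": int((ev["ts"] - down).total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Run against a full export, the "esp_into_dead_tunnel" finding is the one that tells you the far end still believes the tunnel is up; a large count with a long outage is exactly the state DPD is meant to clear.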
09-20-2011 04:06 PM
Tom - any luck? I'm experiencing this same behavior between an R65 peer and my ASA 5520 7.2(4).
10-12-2011 05:47 AM
Hi adamkorab,
Sorry for the late reply: I was on holiday.
It seems the other VPN device was not a Checkpoint. It's actually a GB-Ware from GTA (version 6.0.0).
After sniffing the isakmp traffic, the only thing that got my attention was the "Transform IKE Attribute Type Life-Duration".
(When talking about "the attribute" I mean the above Life-Duration attribute)
Scenario 1) Peer initiates tunnel
When the peer would initiate the tunnel, the peer would use the TV encoding of the attribute and we would reply using TV as well. When our ASA would initiate a rekeying event next, our ASA would use the TLV encoding of the attribute. The peer would respond using TLV as well with a tunnel termination shortly after that.
Scenario 2) We initiate tunnel
When our ASA would initiate the tunnel, it would use the TLV encoding of the attribute. The peer replies using TLV as well. When our ASA initiates a rekeying event next, our ASA would use the TLV encoding of the attribute. The peer would respond using TLV and all is well. The tunnel never terminates abnormally when we initiate the tunnel.
Our first guess was that the customer has a bug related to the TLV/TV encoding. I think it could be an ASA bug as well...
Quote from RFC 2409: Attributes described as basic MUST NOT be encoded as variable. Variable length attributes MAY be encoded as basic attributes if their value can fit into two octets. If this is the case, an attribute offered as variable (or basic) by the initiator of this protocol MAY be returned to the initiator as a basic (or variable).
The customer had a bug filed with their provider. Their recommendations were to configure DPD. DPD does indeed do what it should do... It would detect the tunnel was no longer established. Before DPD, our tunnel would terminate shortly after rekeying and the peer would think it was up. This state could exist very long (I could capture ESP packets from the peer for 40 minutes after termination...).
So, our peer has a workaround that they are happy with, we decided to drop this case.
Filing a TAC-case has come to mind, but due to limited time and experience with TAC, we decided not to pursue this path.
With kind regards,
Tom
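The TV/TLV distinction in the post is the attribute format of RFC 2408 section 3.3: the high bit of the first two octets (AF) set means a two-octet value follows (TV, "basic"); AF clear means a two-octet length and then the value (TLV, "variable"). RFC 2409 Appendix A numbers the IKE SA attributes (Life Type is 11, Life Duration is 12) and says which class each belongs to. The code below is an added example, not from the original post and not a reproduction of either vendor's implementation: a conformant encoder and decoder for these attributes, plus the comparison a responder should make, which is by decoded value and never by the bytes on the wire. The 28800-second lifetime used in the demo is an assumed sample value; the 86400 comes from the ASA policy in the first post and cannot fit in two octets, so it must go TLV.

```python
"""ISAKMP data attributes (RFC 2408 3.3) for the IKE SA payload (RFC 2409 App. A).

Added example, not code from the original post or from any vendor. Shows that a
variable attribute such as Life Duration may arrive as TV or TLV, that a basic
attribute must never be TLV, and that matching is done on decoded values."""
import struct

# Attribute classes from RFC 2409 Appendix A: "B" basic (TV only), "V" variable.
ATTR_CLASS = {
    1: "B",   # Encryption Algorithm
    2: "B",   # Hash Algorithm
    3: "B",   # Authentication Method
    4: "B",   # Group Description
    5: "B",   # Group Type
    6: "V",   # Group Prime / Irreducible Polynomial
    7: "V",   # Group Generator One
    8: "V",   # Group Generator Two
    9: "V",   # Group Curve A
    10: "V",  # Group Curve B
    11: "B",  # Life Type (1 = seconds, 2 = kilobytes)
    12: "V",  # Life Duration
    13: "B",  # PRF
    14: "B",  # Key Length
    15: "B",  # Field Size
    16: "V",  # Group Order
}
LIFE_TYPE, LIFE_DURATION = 11, 12
AF_BIT = 0x8000  # Attribute Format bit: 1 = TV (basic), 0 = TLV (variable)


def encode_attr(atype, value, prefer_tv=True):
    """Encode one attribute. Basic attributes are always TV. Variable attributes are
    TLV, except that a value fitting in two octets MAY be sent as TV (RFC 2409 3.2)."""
    if ATTR_CLASS[atype] == "B":
        if not 0 <= value <= 0xFFFF:
            raise ValueError(f"basic attribute {atype}: {value} does not fit in 2 octets")
        return struct.pack("!HH", AF_BIT | atype, value)
    if prefer_tv and 0 <= value <= 0xFFFF:
        return struct.pack("!HH", AF_BIT | atype, value)
    raw = value.to_bytes(max(4, (value.bit_length() + 7) // 8), "big")  # big-endian, >= 4 octets
    return struct.pack("!HH", atype, len(raw)) + raw


def decode_attrs(buf):
    """Parse a run of attributes into (type, value, encoding) tuples, accepting both
    encodings for variable attributes and rejecting TLV for basic ones."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated attribute header")
        hdr, second = struct.unpack_from("!HH", buf, off)
        atype = hdr & 0x7FFF
        if hdr & AF_BIT:                       # TV: 'second' is the value itself
            out.append((atype, second, "TV"))
            off += 4
        else:                                  # TLV: 'second' is the value length
            if ATTR_CLASS.get(atype) == "B":
                raise ValueError(f"basic attribute {atype} MUST NOT be encoded as TLV")
            start, end = off + 4, off + 4 + second
            if end > len(buf):
                raise ValueError("attribute length exceeds buffer")
            out.append((atype, int.from_bytes(buf[start:end], "big"), "TLV"))
            off = end
    return out


def attrs_match(sent, received):
    """Responder check: the echoed attributes match if type/value pairs agree,
    regardless of whether each side used TV or TLV."""
    return sorted((t, v) for t, v, _ in decode_attrs(sent)) == \
        sorted((t, v) for t, v, _ in decode_attrs(received))


def is_rejected(buf):
    """True if the buffer fails strict decoding (e.g. a basic attribute sent as TLV)."""
    try:
        decode_attrs(buf)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Peer offers a 28800 s lifetime as TV; we answer with the same lifetime as TLV.
    peer = encode_attr(LIFE_TYPE, 1) + encode_attr(LIFE_DURATION, 28800, prefer_tv=True)
    ours = encode_attr(LIFE_TYPE, 1) + encode_attr(LIFE_DURATION, 28800, prefer_tv=False)
    print("peer:", peer.hex(), decode_attrs(peer))
    print("ours:", ours.hex(), decode_attrs(ours))
    print("match by value:", attrs_match(peer, ours))
    # 86400 s (the ASA policy in the thread) exceeds two octets, so TLV is mandatory.
    print("86400 ->", encode_attr(LIFE_DURATION, 86400).hex())
```

A peer that accepts the TV form when it initiated but tears the tunnel down when the same value comes back TLV after a rekey is comparing encodings, not values; both forms decode to the same (12, 28800) above, and the RFC text quoted in the post allows either to be returned.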