12-07-2012 03:17 AM
I have a 5505 configured to support a number of site-to-site links. One of these has a problem with rekeying. Running debug I see the entries:
Dec 04 10:37:58 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Starting phase 1 rekey
Dec 04 10:37:58 [IKEv1]: IP = AAA.AAA.AAA.AAA, IKE Initiator: Rekeying Phase 1, Intf Servers, IKE Peer XXX.XXX.XXX.XXX local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A)
The VPN is not configured on the Interface Servers but on another Interface (outside). It has been completely rebuilt recently. Is this a problem or a ghost of some sort?
12-07-2012 08:55 AM
Is this debug message cosmetic or is it causing any issue?
If this is cosmetic then I believe we still have some crypto configuration left on interface Server which could be the cause of the issue. A detailed look at the configuration might be able to throw some more light on it.
Regards,
Anuj
12-08-2012 01:06 AM
There is an issue with the VPN - odd behaviour on rekey with a Juniper SRX where the VPN does not rekey properly but drops and rebuilds every time. On the Cisco side this is the only unusual thing I can find in the debugs. As you say, I'm trying to determine if it is cosmetic and I can ignore and focus on the Juniper, or whether there is an underlying issue I need to spend more time on. Other VPNs on the same ASA (including links to another Juniper) are rekeying normally.
12-08-2012 02:15 AM
In that case I will require proper detailed debugs for this specific tunnel from the time of occurrence of the issue (debug crypto isakmp and ipsec at level 200).
Looking only at this log snippet, it could be a crypto ACL mismatch as well. Crypto ACLs at both ends have to be an exact mirror image of each other; if the subnet prefixes are not even the same, it could cause an issue leading to only the device with the higher prefix being able to rekey successfully.
Regards,
Anuj
Sent from Cisco Technical Support Android App
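The mirror-image check described in the reply above can be automated. The following is an added example (not from the thread and not Cisco or Juniper code): it parses the subnet/mask form of ASA crypto ACL entries, takes the peer's proxy IDs transcribed as "local-cidr remote-cidr" pairs (a convention of this example only), mirrors the peer side and reports entries that match exactly, entries that only overlap because one side uses a different prefix length, and entries missing from either side. The ACL name, networks and peer pairs are constructed sample data.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]  # (local/source network, remote/destination network)

# Only the subnet/mask form of an ASA crypto ACL entry is handled here;
# 'host' and 'any' forms are out of scope for this example.
ACL_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)"
)

# Constructed ASA side (hypothetical ACL name, RFC 1918 ranges; not from the thread).
ASA_CRYPTO_ACL = """
access-list VPN-TO-SRX extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list VPN-TO-SRX extended permit ip 10.1.1.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list VPN-TO-SRX extended permit ip 10.1.5.0 255.255.255.0 10.2.0.0 255.255.255.0
"""

# Constructed peer side, written from the peer's point of view as one
# 'local-cidr remote-cidr' pair per line (this example's own transcription format).
PEER_PROXY_IDS = """
10.2.0.0/24 10.1.0.0/24
10.2.0.0/24 10.1.0.0/23
"""


def parse_asa_crypto_acl(text: str) -> List[Pair]:
    """Turn 'access-list ... extended permit ip SRC MASK DST MASK' lines into network pairs."""
    pairs: List[Pair] = []
    for line in text.splitlines():
        m = ACL_RE.search(line.strip())
        if not m:
            continue
        src = ipaddress.IPv4Network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.IPv4Network(f"{m['dst']}/{m['dmask']}", strict=False)
        pairs.append((src, dst))
    return pairs


def parse_peer_proxy_ids(text: str) -> List[Pair]:
    """Parse 'local-cidr remote-cidr' lines; blank lines and '#' comments are skipped."""
    pairs: List[Pair] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        pairs.append((ipaddress.IPv4Network(parts[0]), ipaddress.IPv4Network(parts[1])))
    return pairs


def mirror(pairs: List[Pair]) -> List[Pair]:
    """The peer's (local, remote) must equal our (remote, local): swap each pair."""
    return [(remote, local) for local, remote in pairs]


def compare_crypto_acls(local: List[Pair], peer: List[Pair]) -> Dict[str, list]:
    """Classify every local entry against the mirrored peer entries."""
    peer_mirrored = set(mirror(peer))
    report: Dict[str, list] = {"exact": [], "prefix_mismatch": [], "missing": [], "extra_on_peer": []}
    for src, dst in local:
        if (src, dst) in peer_mirrored:
            report["exact"].append((src, dst))
            continue
        # Same traffic but a different prefix length on the far side: the case the
        # reply above warns about, where only one side can rekey successfully.
        overlapping = [(ps, pd) for ps, pd in peer_mirrored if src.overlaps(ps) and dst.overlaps(pd)]
        if overlapping:
            report["prefix_mismatch"].append(((src, dst), overlapping))
        else:
            report["missing"].append((src, dst))
    local_set = set(local)
    report["extra_on_peer"] = [p for p in peer_mirrored if p not in local_set]
    return report


def check_sample() -> Dict[str, list]:
    return compare_crypto_acls(parse_asa_crypto_acl(ASA_CRYPTO_ACL), parse_peer_proxy_ids(PEER_PROXY_IDS))


if __name__ == "__main__":
    for kind, entries in check_sample().items():
        print(f"{kind}: {len(entries)}")
        for entry in entries:
            print("   ", entry)
```

On the constructed sample the first ASA entry is mirrored exactly, the second is only covered by a wider /23 on the peer (reported as a prefix mismatch), and the third has no counterpart at all. Entries in `prefix_mismatch` are the ones to fix first, since traffic appears to flow while the SAs were negotiated for different selectors.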
12-13-2012 06:38 PM
OK, symptoms are that the Phase 1 rekey is started early (18 hours rather than the full 24 specified). Rekey always fails, but the VPN immediately rebuilds without error.
Phase 1 is AES-256, pre-shared keys, hash SHA1, DH Group 2, rekey 86400 seconds.
Logs at 100:
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Starting phase 1 rekey
Dec 14 02:09:45 [IKEv1]: IP = AAA.AAA.AAA.AAA, IKE Initiator: Rekeying Phase 1, Intf Servers, IKE Peer AAA.AAA.AAA.AAA local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A)
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing ISAKMP SA payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing NAT-Traversal VID ver 02 payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing NAT-Traversal VID ver 03 payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing NAT-Traversal VID ver RFC payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing Fragmentation VID + extended capabilities payload
Dec 14 02:09:45 [IKEv1]: IP = AAA.AAA.AAA.AAA, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Dec 14 02:09:45 [IKEv1]: IP = AAA.AAA.AAA.AAA, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 260
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing SA payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Oakley proposal is acceptable
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Received DPD VID
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Received NAT-Traversal ver 02 VID
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Received NAT-Traversal ver 03 VID
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing ke payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing nonce payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing Cisco Unity VID payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing xauth V6 VID payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Send IOS VID
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000409)
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing VID payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing NAT-Discovery payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, computing NAT Discovery hash
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing NAT-Discovery payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, computing NAT Discovery hash
Dec 14 02:09:45 [IKEv1]: IP = AAA.AAA.AAA.AAA, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Dec 14 02:09:45 [IKEv1]: IP = AAA.AAA.AAA.AAA, IKE_DECODE RECEIVED Message (msgid=a62822cf) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
The VPN then rebuilds normally as far as I can see.
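What the debug above shows, read as a sequence, is a main-mode rekey that gets as far as the initiator's second message (KE + NONCE + NAT-D) and is then answered by an informational exchange carrying HASH + DELETE, i.e. the peer tears the SA down rather than finishing the rekey. The following is an added example (not from the thread and not Cisco code) that turns that reading into a small analyser for `debug crypto isakmp` output: it re-joins lines the console wrapped at 80 columns, groups lines into per-peer phase 1 rekey attempts, counts the messages exchanged, flags a rekey bound to an interface other than the one expected (the "Intf Servers" oddity in this thread), and classifies each attempt. The sample log is constructed in the thread's format with documentation addresses, and the "PHASE 1 COMPLETED" completion marker is an assumption of this example, since the excerpt on the page never reaches it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# A continuation of a console-wrapped line has no leading timestamp.
TS_RE = re.compile(r"^\w{3} \d{2} \d{2}:\d{2}:\d{2} ")
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \[IKEv1(?: DEBUG)?\]: IP = (?P<peer>[\d.]+), (?P<msg>.*)$"
)
INTF_RE = re.compile(r"Rekeying Phase 1, Intf (?P<intf>[^,]+),")
DECODE_RE = re.compile(r"IKE_DECODE (?P<dir>SENDING|RECEIVED) Message .*?with payloads : (?P<payloads>.*?) total length")
COMPLETED_MARKER = "PHASE 1 COMPLETED"  # assumed completion message for this example

# Constructed sample modelled on the thread's debug format (addresses from 192.0.2.0/24 and
# 198.51.100.0/24); two lines are deliberately wrapped the way the ASA console wraps them.
SAMPLE_DEBUG = """\
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = 192.0.2.10, Starting phase 1 rekey
Dec 14 02:09:45 [IKEv1]: IP = 192.0.2.10, IKE Initiator: Rekeying Phase 1, I
ntf Servers, IKE Peer 192.0.2.10 local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A)
Dec 14 02:09:45 [IKEv1]: IP = 192.0.2.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 172
Dec 14 02:09:45 [IKEv1]: IP = 192.0.2.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 260
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = 192.0.2.10, Oakley proposal is acceptabl
e
Dec 14 02:09:45 [IKEv1]: IP = 192.0.2.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Dec 14 02:09:45 [IKEv1]: IP = 192.0.2.10, IKE_DECODE RECEIVED Message (msgid=a62822cf) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Dec 14 03:00:00 [IKEv1 DEBUG]: IP = 198.51.100.7, Starting phase 1 rekey
Dec 14 03:00:00 [IKEv1]: IP = 198.51.100.7, IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer 198.51.100.7 local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A)
Dec 14 03:00:01 [IKEv1]: IP = 198.51.100.7, PHASE 1 COMPLETED
"""


@dataclass
class RekeyAttempt:
    peer: str
    started: str
    interface: Optional[str] = None
    sent: int = 0
    received: int = 0
    outcome: str = "incomplete"  # incomplete | completed | deleted_by_peer
    warnings: List[str] = field(default_factory=list)


def join_wrapped(raw_lines: Iterable[str]) -> List[str]:
    """Re-join console-wrapped output: a line without a timestamp continues the previous one."""
    out: List[str] = []
    for line in raw_lines:
        line = line.rstrip("\n")
        if TS_RE.match(line) or not out:
            out.append(line)
        else:
            out[-1] += line  # the wrap splits mid-token, so no separator is inserted
    return out


def analyse_rekeys(raw_lines: Iterable[str], expected_interface: Optional[str] = None) -> List[RekeyAttempt]:
    """Group IKEv1 debug lines into phase 1 rekey attempts per peer and classify each."""
    active: Dict[str, RekeyAttempt] = {}
    finished: List[RekeyAttempt] = []
    for line in join_wrapped(raw_lines):
        m = LINE_RE.match(line)
        if not m:
            continue
        peer, msg = m["peer"], m["msg"]
        if msg.startswith("Starting phase 1 rekey"):
            if peer in active:
                finished.append(active.pop(peer))  # earlier attempt never concluded
            active[peer] = RekeyAttempt(peer=peer, started=m["ts"])
            continue
        attempt = active.get(peer)
        if attempt is None:
            continue
        im = INTF_RE.search(msg)
        if im:
            attempt.interface = im["intf"]
            if expected_interface and attempt.interface != expected_interface:
                attempt.warnings.append(f"rekey bound to interface {attempt.interface}, expected {expected_interface}")
            continue
        dm = DECODE_RE.search(msg)
        if dm:
            if dm["dir"] == "SENDING":
                attempt.sent += 1
            else:
                attempt.received += 1
                # A DELETE arriving before phase 1 completes: the peer tore the SA down.
                if "DELETE (12)" in dm["payloads"]:
                    attempt.outcome = "deleted_by_peer"
                    finished.append(active.pop(peer))
            continue
        if COMPLETED_MARKER in msg:
            attempt.outcome = "completed"
            finished.append(active.pop(peer))
    finished.extend(active.values())
    return finished


def analyse_sample() -> List[RekeyAttempt]:
    return analyse_rekeys(SAMPLE_DEBUG.splitlines(), expected_interface="outside")


if __name__ == "__main__":
    for a in analyse_sample():
        print(f"{a.peer} started {a.started} intf={a.interface} sent={a.sent} received={a.received} -> {a.outcome}")
        for w in a.warnings:
            print("   warning:", w)
```

Run against a real capture, the useful signals are the outcome per attempt (a run of `deleted_by_peer` results confirms the "fails, then rebuilds" pattern rather than a cosmetic message), the message count at which the DELETE arrives (here after the second initiator message, before any ID/HASH exchange, so before identity or pre-shared-key verification), and the interface warning, which is worth checking against the crypto map binding before spending time on the peer.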