ASA 5510 - weird ISAKMP SA behaviour

Debason1210
Level 1

Hi everybody.

I have a problem with ASA 5510 8.0(4) and need your help.

This is a remote-access VPN setup and it's functional, no problems here...

But I keep getting logs like this every few seconds:

Group = <censored>, Username = <censored>, IP = <censored>, Reaper overriding refCnt [0] and tunnelCnt [0] -- deleting SA!

Group = <censored>, Username = <censored>, IP = <censored>, SA lock refCnt = 0, bitmask = 00000080, p1_decrypt_cb = 0, qm_decrypt_cb = 0, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0

.

.

.

Group = <censored>, Username = <censored>, IP =  <censored>, IKE session establishment timed out [NullState],  aborting!

.

.

A bunch of the first two and a few of the last logs. The thing is that the logs keep generating only for one source IP address, mine.

I use VPNC 0.5.3 on a CentOS machine to connect to the ASA. Others that use Cisco VPN Client do not generate these logs/errors.

Here is the IKE 1 configuration:

crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600

Here is the output of sh isakmp sa deta

   Active SA: 17
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 17

1   IKE Peer: <your mama>

   Type    : user            Role    : responder
     Rekey   : no              State   : EV_PROCESS_SIG
    Encrypt : 3des            Hash    : SHA
    Auth    : preshared       Lifetime: 2147483
    Lifetime Remaining: 2140814113

Please notice the lifetime remaining. All 17 SAs are the same, and I cannot purge them with clear (crypto) isakmp sa...

There are NO active tunnels, no active ISAKMP SA, but the logs are still generated and shown alive.

It's a bug.


Anyone any ideas??

Except the obvious, trying other vpnc version or client.....

1 Reply

Debason1210
Level 1

Sorry for the wrong info, but actually I used a NetworkManager vpnc plugin to connect: NetworkManager-vpnc.1:0.7.0.99-1.el5.4