07-17-2008 01:07 AM - last edited on 02-21-2020 11:47 PM by cc_security_adm
Greetings, we are running a Cisco ASA 5510 with 8.0.3(19) code and have several site-to-site VPN connections for various partner access.
One partner is using a Watchguard x550e; the site-to-site tunnel is configured as follows:
IKE Phase 1: 3Des/Sha/DH Group 2
IKE Phase 2: 3Des/Sha/DH Group 2
IKE is using aggressive mode and PFS has been disabled.
The VPN establishes just fine and stays up for the set SA lifetime, the default of 8 hours, but when the 8-hour limit is reached the VPN drops out and cannot re-key and re-establish the connection. To get the connection back up, the link has to be torn down at one end and re-created manually.
This is what happens after the 8 hour period.
Group = 77.61.115.51, IP = 77.61.115.51, Received non-routine Notify message: Payload malformed (16)
Group = 77.61.115.51, IP = 77.61.115.51, De-queuing KEY-ACQUIRE messages that were left pending.
IP = 77.61.115.51, Keep-alives configured on but peer does not support keep-alives (type = None)
Group = 77.61.115.51, IP = 77.61.115.51, PHASE 1 COMPLETED
AAA retrieved default group policy (DfltGrpPolicy) for user = 77.61.115.51
Group = 77.61.115.51, IP = 77.61.115.51, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
IP = 77.61.115.51, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
IP = 77.61.115.51, IKE Initiator: New Phase 1, Intf inside, IKE Peer 77.61.115.51 local Proxy Address 172.18.17.0, remote Proxy Address 192.168.0.0, Crypto map (OutsideMap)
Group = 77.61.115.51, Username = 77.61.115.51, IP = 77.61.115.51, Session disconnected. Session Type: IKE, Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Error
Group = 77.61.115.51, IP = 77.61.115.51, Removing peer from correlator table failed, no match!
Group = 77.61.115.51, IP = 77.61.115.51, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Group = 77.61.115.51, IP = 77.61.115.51, QM FSM error (P2 struct &0xd8e9a790, mess id 0x16ee7a8c)!
Would anyone have any suggestions as to what the cause might be?
Regards
07-17-2008 05:46 AM
Hi,
There are two SA lifetimes: for Phase1 and for Phase2.
Both should match on both ends.
IKE lifetime:
crypto isakmp policy 10
lifetime 86400
IPSEC lifetime:
crypto map VPN 10 set security-association lifetime seconds 28800
Also, you should configure the main mode instead of aggressive:
crypto map VPN 10 set phase1-mode main
Please rate if this helped.
Regards,
Daniel
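To make the two checks in this thread repeatable (comparing the Phase 1 and Phase 2 lifetimes and the Phase 1 mode on both ends, and spotting the re-key failure in the ASA syslog the original post shows), here is an added Python example. It is not code from the thread or from Cisco; the two config excerpts are constructed with invented values that deliberately mismatch, the ASA defaults it fills in (IKE 86400 s, IPsec SA 28800 s, main mode) are my assumption, and the log lines are copied from the original post.

```python
import re

# ASA defaults applied when a value is not set explicitly (assumed: IKE policy
# lifetime 86400 s, IPsec SA lifetime 28800 s, Phase 1 mode main). The thread's
# "default of 8 hours" is the IPsec SA value.
DEFAULT_IKE_LIFETIME = 86400
DEFAULT_IPSEC_LIFETIME = 28800
DEFAULT_PHASE1_MODE = "main"

# Constructed config excerpts for both ends of a hypothetical tunnel. The values
# are invented to produce a mismatch; they are not the devices in the thread.
LOCAL_CONFIG = """
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto map VPN 10 set peer 198.51.100.20
crypto map VPN 10 set transform-set ESP-3DES-SHA
crypto map VPN 10 set security-association lifetime seconds 28800
crypto map VPN 10 set phase1-mode aggressive
"""

PEER_CONFIG = """
crypto isakmp policy 10
 lifetime 28800
crypto map VPN 10 set security-association lifetime seconds 3600
crypto map VPN 10 set phase1-mode main
"""

# Syslog lines copied from the original post, used as sample input.
SAMPLE_LOG = [
    "Group = 77.61.115.51, IP = 77.61.115.51, Received non-routine Notify message: Payload malformed (16)",
    "Group = 77.61.115.51, IP = 77.61.115.51, PHASE 1 COMPLETED",
    "Group = 77.61.115.51, Username = 77.61.115.51, IP = 77.61.115.51, Session disconnected. "
    "Session Type: IKE, Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Error",
    "Group = 77.61.115.51, IP = 77.61.115.51, QM FSM error (P2 struct &0xd8e9a790, mess id 0x16ee7a8c)!",
]

# Messages that indicate the Phase 2 re-key (quick mode) failed rather than the tunnel
# simply timing out; all four appear in the original post.
REKEY_FAILURE_PATTERNS = [
    re.compile(r"Reason: Phase 2 Error"),
    re.compile(r"QM FSM error"),
    re.compile(r"Payload malformed"),
    re.compile(r"No SPI to identify Phase 2 SA"),
]


def parse_asa_vpn_config(text):
    """Extract IKE lifetime, IPsec SA lifetime and Phase 1 mode from an ASA config excerpt."""
    settings = {"ike_lifetime": None, "ipsec_lifetime": None, "phase1_mode": None}
    in_isakmp_policy = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto isakmp policy"):
            in_isakmp_policy = True
            continue
        # Indented lines belong to the isakmp policy block; only 'lifetime' matters here.
        if in_isakmp_policy and raw[:1] == " ":
            m = re.match(r"lifetime (\d+)$", line)
            if m:
                settings["ike_lifetime"] = int(m.group(1))
            continue
        in_isakmp_policy = False
        m = re.match(r"crypto map \S+ \d+ set security-association lifetime seconds (\d+)$", line)
        if m:
            settings["ipsec_lifetime"] = int(m.group(1))
            continue
        m = re.match(r"crypto map \S+ \d+ set phase1-mode (main|aggressive)$", line)
        if m:
            settings["phase1_mode"] = m.group(1)
    # Fill in the assumed ASA defaults for anything not configured explicitly.
    settings["ike_lifetime"] = settings["ike_lifetime"] or DEFAULT_IKE_LIFETIME
    settings["ipsec_lifetime"] = settings["ipsec_lifetime"] or DEFAULT_IPSEC_LIFETIME
    settings["phase1_mode"] = settings["phase1_mode"] or DEFAULT_PHASE1_MODE
    return settings


def compare_vpn_settings(local, peer):
    """Return human-readable findings for every mismatch between the two ends."""
    findings = []
    if local["ike_lifetime"] != peer["ike_lifetime"]:
        findings.append("IKE (Phase 1) lifetime mismatch: local %ds, peer %ds"
                        % (local["ike_lifetime"], peer["ike_lifetime"]))
    if local["ipsec_lifetime"] != peer["ipsec_lifetime"]:
        findings.append("IPsec (Phase 2) SA lifetime mismatch: local %ds, peer %ds"
                        % (local["ipsec_lifetime"], peer["ipsec_lifetime"]))
    if local["phase1_mode"] != peer["phase1_mode"]:
        findings.append("Phase 1 mode mismatch: local %s, peer %s"
                        % (local["phase1_mode"], peer["phase1_mode"]))
    for side, s in (("local", local), ("peer", peer)):
        if s["phase1_mode"] == "aggressive":
            findings.append("%s end uses aggressive mode; main mode is recommended" % side)
    return findings


def find_rekey_failures(log_lines):
    """Return (line_number, pattern) for each log line matching a re-key failure signature."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for pat in REKEY_FAILURE_PATTERNS:
            if pat.search(line):
                hits.append((n, pat.pattern))
                break
    return hits


if __name__ == "__main__":
    local = parse_asa_vpn_config(LOCAL_CONFIG)
    peer = parse_asa_vpn_config(PEER_CONFIG)
    for f in compare_vpn_settings(local, peer):
        print("CONFIG:", f)
    for n, pat in find_rekey_failures(SAMPLE_LOG):
        print("LOG line %d: matches %r" % (n, pat))
```

Paste the relevant `show running-config` lines from each ASA into the two config strings; a Watchguard peer has no ASA-style config, so for that end set the three values by hand from its VPN policy. When the config check reports no mismatch but the log check still fires at the lifetime boundary, the problem is not the lifetimes and the next thing to compare is the Phase 2 proposal itself (transform set and PFS) on both ends.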
07-17-2008 02:57 PM
Cheers, I'll try the changes and see if it helps.
Regards