Issue with VPN stable

Dear colleagues,

The site-to-site tunnel between an 881 router and an ASA 5510 doesn't work stably.

When phase 2 has completed and the IPsec tunnel has been built, the 881 resends some entities, which increments the error counters.

Like this:

Nov 7 14:21:49: ISAKMP:(2038): retransmitting phase 2 QM_IDLE 1634177734 ...
Nov 7 14:21:49: ISAKMP (2038): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
Nov 7 14:21:49: ISAKMP (2038): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2

The ASA interprets it as:

Nov 7 14:21:49 MCK1-F5510 : %ASA-5-713904: Group = a.b.c.d, IP = a.b.c.d, All IPSec SA proposals found unacceptable!

Nov 7 14:21:49 MCK1-F5510 : %ASA-3-713902: Group = a.b.c.d, IP = a.b.c.d, QM FSM error (P2 struct &0xaef666b8, mess id 0x616792c6)!

Nov 7 14:21:49 MCK1-F5510 : %ASA-3-713902: Group = a.b.c.d, IP = a.b.c.d, Removing peer from correlator table failed, no match!

The situation repeats continually with a cycle time in the range of 1 sec to 5 min.
This kind of behavior didn't occur on other tunnels, whose configuration files were cloned from a single template by replacing local addresses and logical names on both sides (881 and ASA).
I could provide full configurations, logs and debug records on demand.

Searching the debug output brought some results.

Root cause: a strange tunnel that is trying to establish.

It looks like this:

"Nov  9 17:40:58: SA has outstanding requests  (local 136.144.2.56 port 500, remote 136.144.2.28 port 500)"

Some entities relating to this subject produce the above-mentioned retransmitting.

Neither of the 136.x.x.x addresses was configured on the 881.

The input ACL denies any public address for ISAKMP, except the needed ones.
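The two posts above show the symptoms from both sides: ISAKMP phase 2 retransmits on the 881, QM FSM errors on the ASA, and an "SA has outstanding requests" line for a peer that is not configured anywhere. The following script is an added example (not from the thread or from Cisco) that parses those three message types from a constructed log sample and flags any outstanding-SA line whose local or remote address is not in an allowlist of expected tunnel endpoints, which is how the rogue 136.x.x.x negotiation would have surfaced early. The allowlist addresses 203.0.113.x are assumed, constructed values.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the thread (not real logs).
SAMPLE_LOG = """\
Nov 7 14:21:49: ISAKMP:(2038): retransmitting phase 2 QM_IDLE 1634177734 ...
Nov 7 14:21:49: ISAKMP (2038): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
Nov 7 14:21:49: ISAKMP (2038): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
Nov 7 14:21:49 MCK1-F5510 : %ASA-3-713902: Group = 203.0.113.5, IP = 203.0.113.5, QM FSM error (P2 struct &0xaef666b8, mess id 0x616792c6)!
Nov 9 17:40:58: SA has outstanding requests  (local 136.144.2.56 port 500, remote 136.144.2.28 port 500)
Nov 9 17:40:59: SA has outstanding requests  (local 203.0.113.9 port 500, remote 203.0.113.5 port 500)
"""

# IOS ISAKMP retransmit counter: "... on node, attempt 2 of 5: retransmit phase 2"
RETRANSMIT_RE = re.compile(r"incrementing error counter on (node|sa), attempt (\d+) of (\d+)")
# ASA quick-mode failure, keyed by the peer IP it reports
ASA_QM_RE = re.compile(r"%ASA-3-713902: Group = (\S+), IP = (\S+), QM FSM error")
# IOS line naming the endpoints of an SA that still has pending requests
OUTSTANDING_RE = re.compile(
    r"SA has outstanding requests\s+\(local (\S+) port \d+, remote (\S+) port \d+\)")


def analyse(log_text, expected_peers):
    """Return (highest retransmit attempt per counter, QM FSM errors per peer IP,
    outstanding-SA endpoint pairs where either address is not an expected peer)."""
    retransmits = Counter()
    qm_errors = Counter()
    unexpected = []
    for line in log_text.splitlines():
        m = RETRANSMIT_RE.search(line)
        if m:
            target, attempt = m.group(1), int(m.group(2))
            retransmits[target] = max(retransmits[target], attempt)
            continue
        m = ASA_QM_RE.search(line)
        if m:
            qm_errors[m.group(2)] += 1
            continue
        m = OUTSTANDING_RE.search(line)
        if m:
            local, remote = m.groups()
            if local not in expected_peers or remote not in expected_peers:
                unexpected.append((local, remote))
    return retransmits, qm_errors, unexpected


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG, {"203.0.113.9", "203.0.113.5"}))
```

In practice the allowlist would be built from the crypto map peers and the tunnel source addresses of the router's own configuration, so that any SA negotiated with an address outside it is reported before it starts burning retransmit attempts.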