08-27-2002 07:09 AM - edited 02-21-2020 12:01 PM
We have a problem where we seem to lose the SA between our PIX 501 and a VPN 3000 Concentrator. It seems that the PIX keeps the tunnel up but the Concentrator drops it. I am providing you with info from both the PIX and the Concentrator so you can see the difference.
Pix 501
=======
PIX501-ESKILSTUN# sh cry ips sa
interface: outside
Crypto map tag: bokiasec, local addr. 213.88.189.90
local ident (addr/mask/prot/port): (172.17.20.0/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (192.168.71.0/255.255.255.0/0/0)
current_peer: 62.95.18.163
PERMIT, flags={origin_is_acl,}
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest 0
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163
path mtu 1500, ipsec overhead 44, media mtu 1500
current outbound spi: 7069f5f1
inbound esp sas:
spi: 0x4071afba(1081192378)
transform: esp-3des ,
in use settings ={Tunnel, }
slot: 0, conn id: 17, crypto map: bokiasec
sa timing: remaining key lifetime (k/sec): (4607999/28104)
IV size: 8 bytes
replay detection support: N
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x7069f5f1(1885992433)
transform: esp-3des ,
in use settings ={Tunnel, }
slot: 0, conn id: 18, crypto map: bokiasec
sa timing: remaining key lifetime (k/sec): (4607999/28104)
IV size: 8 bytes
replay detection support: N
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (172.17.20.0/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (192.168.72.0/255.255.255.0/0/0)
current_peer: 62.95.18.163
PERMIT, flags={origin_is_acl,}
#pkts encaps: 92384, #pkts encrypt: 92384, #pkts digest 0
#pkts decaps: 81634, #pkts decrypt: 81634, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163
path mtu 1500, ipsec overhead 44, media mtu 1500
current outbound spi: 1e3aa6b9
inbound esp sas:
spi: 0xd98ee147(3650019655)
transform: esp-3des ,
in use settings ={Tunnel, }
slot: 0, conn id: 9, crypto map: bokiasec
sa timing: remaining key lifetime (k/sec): (4606662/25310)
IV size: 8 bytes
replay detection support: N
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1e3aa6b9(507160249)
transform: esp-3des ,
in use settings ={Tunnel, }
slot: 0, conn id: 10, crypto map: bokiasec
sa timing: remaining key lifetime (k/sec): (4607589/25307)
IV size: 8 bytes
replay detection support: N
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (172.17.20.0/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (194.132.84.64/255.255.255.192/0/0)
current_peer: 62.95.18.163
PERMIT, flags={origin_is_acl,}
#pkts encaps: 571, #pkts encrypt: 571, #pkts digest 0
#pkts decaps: 556, #pkts decrypt: 556, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163
path mtu 1500, ipsec overhead 44, media mtu 1500
current outbound spi: 388136ef
inbound esp sas:
spi: 0xa4cee4e9(2765022441)
transform: esp-3des ,
in use settings ={Tunnel, }
slot: 0, conn id: 6, crypto map: bokiasec
sa timing: remaining key lifetime (k/sec): (4607999/24919)
IV size: 8 bytes
replay detection support: N
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x388136ef(947992303)
transform: esp-3des ,
in use settings ={Tunnel, }
slot: 0, conn id: 5, crypto map: bokiasec
sa timing: remaining key lifetime (k/sec): (4607999/24910)
IV size: 8 bytes
replay detection support: N
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (172.17.20.32/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (192.168.71.0/255.255.255.0/0/0)
current_peer: 62.95.18.163
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest 0
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163
path mtu 1500, ipsec overhead 44, media mtu 1500
current outbound spi: f7282a4
inbound esp sas:
spi: 0x146cb06d(342667373)
transform: esp-3des ,
in use settings ={Tunnel, }
slot: 0, conn id: 15, crypto map: bokiasec
sa timing: remaining key lifetime (k/sec): (4607999/28315)
IV size: 8 bytes
replay detection support: N
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xf7282a4(259162788)
transform: esp-3des ,
in use settings ={Tunnel, }
slot: 0, conn id: 16, crypto map: bokiasec
sa timing: remaining key lifetime (k/sec): (4607999/28315)
IV size: 8 bytes
replay detection support: N
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (172.17.20.32/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (192.168.72.0/255.255.255.0/0/0)
current_peer: 62.95.18.163
PERMIT, flags={origin_is_acl,}
#pkts encaps: 68716, #pkts encrypt: 68716, #pkts digest 0
#pkts decaps: 61223, #pkts decrypt: 61223, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163
path mtu 1500, ipsec overhead 44, media mtu 1500
current outbound spi: 3662bd6e
inbound esp sas:
spi: 0xf3ec2075(4092338293)
transform: esp-3des ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: bokiasec
sa timing: remaining key lifetime (k/sec): (4607904/24259)
IV size: 8 bytes
replay detection support: N
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3662bd6e(912440686)
transform: esp-3des ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: bokiasec
sa timing: remaining key lifetime (k/sec): (4607954/24256)
IV size: 8 bytes
replay detection support: N
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (172.17.20.32/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (194.132.84.64/255.255.255.192/0/0)
current_peer: 62.95.18.163
PERMIT, flags={origin_is_acl,}
#pkts encaps: 508, #pkts encrypt: 508, #pkts digest 0
#pkts decaps: 492, #pkts decrypt: 492, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163
path mtu 1500, ipsec overhead 44, media mtu 1500
current outbound spi: 329790e
inbound esp sas:
spi: 0xd6d85385(3604501381)
transform: esp-3des ,
in use settings ={Tunnel, }
slot: 0, conn id: 13, crypto map: bokiasec
sa timing: remaining key lifetime (k/sec): (4607999/25086)
IV size: 8 bytes
replay detection support: N
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x329790e(53049614)
transform: esp-3des ,
in use settings ={Tunnel, }
slot: 0, conn id: 14, crypto map: bokiasec
sa timing: remaining key lifetime (k/sec): (4607999/25086)
IV size: 8 bytes
replay detection support: N
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (172.17.20.48/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (192.168.71.0/255.255.255.0/0/0)
current_peer: 62.95.18.163
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163
path mtu 1500, ipsec overhead 44, media mtu 1500
current outbound spi: 19d8ef2
inbound esp sas:
spi: 0x21b53b0c(565525260)
transform: esp-3des ,
in use settings ={Tunnel, }
slot: 0, conn id: 20, crypto map: bokiasec
sa timing: remaining key lifetime (k/sec): (4607998/28568)
IV size: 8 bytes
replay detection support: N
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x19d8ef2(27102962)
transform: esp-3des ,
in use settings ={Tunnel, }
slot: 0, conn id: 19, crypto map: bokiasec
sa timing: remaining key lifetime (k/sec): (4608000/28568)
IV size: 8 bytes
replay detection support: N
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (172.17.20.32/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (62.95.31.224/255.255.255.224/0/0)
current_peer: 62.95.18.163
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1941, #pkts encrypt: 1941, #pkts digest 0
#pkts decaps: 1817, #pkts decrypt: 1817, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163
path mtu 1500, ipsec overhead 44, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (172.17.20.48/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (192.168.72.0/255.255.255.0/0/0)
current_peer: 62.95.18.163
PERMIT, flags={origin_is_acl,}
#pkts encaps: 47942, #pkts encrypt: 47942, #pkts digest 0
#pkts decaps: 46781, #pkts decrypt: 46781, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0
local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163
path mtu 1500, ipsec overhead 44, media mtu 1500
current outbound spi: 3534ac6c
inbound esp sas:
spi: 0xef3fbcb4(4013931700)
transform: esp-3des ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: bokiasec
sa timing: remaining key lifetime (k/sec): (4607828/23729)
IV size: 8 bytes
replay detection support: N
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3534ac6c(892644460)
transform: esp-3des ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: bokiasec
sa timing: remaining key lifetime (k/sec): (4607962/23729)
IV size: 8 bytes
replay detection support: N
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (172.17.20.48/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (194.132.84.64/255.255.255.192/0/0)
current_peer: 62.95.18.163
PERMIT, flags={origin_is_acl,}
#pkts encaps: 407, #pkts encrypt: 407, #pkts digest 0
#pkts decaps: 382, #pkts decrypt: 382, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163
path mtu 1500, ipsec overhead 44, media mtu 1500
current outbound spi: 5071a644
inbound esp sas:
spi: 0x89c958e3(2311674083)
transform: esp-3des ,
in use settings ={Tunnel, }
slot: 0, conn id: 11, crypto map: bokiasec
sa timing: remaining key lifetime (k/sec): (4607999/26404)
IV size: 8 bytes
replay detection support: N
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x5071a644(1349625412)
transform: esp-3des ,
in use settings ={Tunnel, }
slot: 0, conn id: 12, crypto map: bokiasec
sa timing: remaining key lifetime (k/sec): (4607999/26404)
IV size: 8 bytes
replay detection support: N
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (172.17.20.48/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (62.95.31.224/255.255.255.224/0/0)
current_peer: 62.95.18.163
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (172.17.20.0/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (62.95.31.224/255.255.255.224/0/0)
current_peer: 62.95.18.163
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2835, #pkts encrypt: 2835, #pkts digest 0
#pkts decaps: 2758, #pkts decrypt: 2758, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 213.88.189.90, remote crypto endpt.: 62.95.18.163
path mtu 1500, ipsec overhead 44, media mtu 1500
current outbound spi: 19c87eee
inbound esp sas:
spi: 0x6ac0010f(1790968079)
transform: esp-3des ,
in use settings ={Tunnel, }
slot: 0, conn id: 7, crypto map: bokiasec
sa timing: remaining key lifetime (k/sec): (4607956/25741)
IV size: 8 bytes
replay detection support: N
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x19c87eee(432570094)
transform: esp-3des ,
in use settings ={Tunnel, }
slot: 0, conn id: 8, crypto map: bokiasec
sa timing: remaining key lifetime (k/sec): (4607970/25741)
IV size: 8 bytes
replay detection support: N
outbound ah sas:
outbound pcp sas:
VPN 3000
========
Connection Name IP Address Protocol Encryption Login Time Duration Bytes Tx Bytes Rx
Eskilstuna - H Sandbergs 213.88.189.90 IPSec/LAN-to-LAN 3DES-168 Aug 19 14:25:57 0:13:17 1680 560
IKE Sessions: 1
IPSec Sessions: 3
IKE Session
Session ID 1 Encryption Algorithm 3DES-168
Hashing Algorithm MD5 Diffie-Hellman Group Group 2 (1024-bit)
Authentication Mode Pre-Shared Keys IKE Negotiation Mode Main
Rekey Time Interval 600 seconds
IPSec Session
Session ID 2 Remote Address 172.17.20.32/0.0.0.15
Local Address 192.168.71.0/0.0.0.255 Encryption Algorithm 3DES-168
Hashing Algorithm None Encapsulation Mode Tunnel
Rekey Time Interval 28800 seconds
Bytes Received 280 Bytes Transmitted 280
IPSec Session
Session ID 3 Remote Address 172.17.20.0/0.0.0.31
Local Address 192.168.71.0/0.0.0.255 Encryption Algorithm 3DES-168
Hashing Algorithm None Encapsulation Mode Tunnel
Rekey Time Interval 28800 seconds
Bytes Received 280 Bytes Transmitted 280
IPSec Session
Session ID 4 Remote Address 172.17.20.48/0.0.0.15
Local Address 192.168.71.0/0.0.0.255 Encryption Algorithm 3DES-168
Hashing Algorithm None Encapsulation Mode Tunnel
Rekey Time Interval 28800 seconds
Bytes Received 0 Bytes Transmitted 1120
08-27-2002 12:19 PM
Hi ROBERT MARAS,
At my company we have several 501 PIXs connecting to our Cisco Concentrator. I have a couple of questions for you. What is the version running on the PIX? Also, are you doing LAN-to-LAN in the Concentrator? If you could send me the PIX config, I think I may be able to help.
09-02-2002 01:07 AM
Hello,
The version is provided below and yes, we are doing LAN-to-LAN. Here comes the config:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PIX501-HALMSTAD
domain-name nisse.se
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
no fixup protocol skinny 2000
names
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging trap debugging
logging history debugging
logging queue 4096
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 172.17.56.1 255.255.255.192
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set halmstadipsec esp-3des
crypto map nissesec 10 ipsec-isakmp
crypto map nissesec 10 match address 101
crypto map nissesec 10 set peer x.x.x.x
crypto map nissesec 10 set transform-set halmstadipsec
crypto map nissesec interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 600
telnet timeout 5
ssh timeout 5
terminal width 80
10-13-2002 09:20 PM
Robert, there's a bug with VPN3000-PIX-501 (EZ VPN connection) where the IKE/Phase 1 rekeying kills the tunnel (data will reconnect it again). Not sure if LAN-to-LAN has the same issue or if this is your case specifically.
I see your IKE rekey is 10 minutes and IPSec rekey = 24 hrs. When/how often is your tunnel coming down? In general, IPSec should have a lower rekey interval than IKE... You want to rekey the data more often, that is.
Can you post the VPN 3000 log for at least 2 tunnel failures?
Thanks.
Nelson
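As an added example (not part of this thread, and not Cisco's own tooling), the script below does the two checks the thread turns on: it parses PIX `show crypto ipsec sa` output to find crypto-ACL flows that have carried traffic but no longer hold an ESP SA in either direction (the 172.17.20.32 to 62.95.31.224 flow above, with `current outbound spi: 0`, is the signature of the peer having torn the SA down while the PIX kept the flow), and it compares the ISAKMP lifetime from the PIX config against the IPsec SA lifetime to flag the inverted rekey intervals Nelson points out. The sample output and config are constructed, abbreviated excerpts in the same format as the posts above; the script assumes the PIX 6.x defaults of 28800 s for the IPsec SA lifetime and 86400 s for the ISAKMP lifetime whenever the config does not set them explicitly.

```python
"""Check PIX IPsec SA state and rekey intervals (added example, not from the thread)."""
import re

# Assumed PIX 6.x defaults used when the config does not set the value.
PIX_IPSEC_DEFAULT_LIFETIME = 28800   # crypto ipsec security-association lifetime seconds
PIX_ISAKMP_DEFAULT_LIFETIME = 86400  # isakmp policy <n> lifetime

# Constructed excerpt in the format of 'show crypto ipsec sa': one healthy flow
# and one flow whose SAs are gone although traffic has been passing.
SAMPLE_SA = """\
local ident (addr/mask/prot/port): (172.17.20.0/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (192.168.71.0/255.255.255.0/0/0)
current_peer: 62.95.18.163
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest 0
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify 0
#send errors 0, #recv errors 0
current outbound spi: 7069f5f1
inbound esp sas:
spi: 0x4071afba(1081192378)
transform: esp-3des ,
sa timing: remaining key lifetime (k/sec): (4607999/28104)
inbound ah sas:
outbound esp sas:
spi: 0x7069f5f1(1885992433)
transform: esp-3des ,
sa timing: remaining key lifetime (k/sec): (4607999/28104)
local ident (addr/mask/prot/port): (172.17.20.32/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (62.95.31.224/255.255.255.224/0/0)
current_peer: 62.95.18.163
#pkts encaps: 1941, #pkts encrypt: 1941, #pkts digest 0
#pkts decaps: 1817, #pkts decrypt: 1817, #pkts verify 0
#send errors 1, #recv errors 0
current outbound spi: 0
inbound esp sas:
outbound esp sas:
"""

# Constructed config excerpt: IKE lifetime set to 600 s, IPsec lifetime left at default.
SAMPLE_CONFIG = """\
crypto ipsec transform-set halmstadipsec esp-3des
crypto map nissesec 10 ipsec-isakmp
isakmp policy 10 lifetime 600
"""


def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into per-flow dicts with counters and ESP SPIs."""
    flows, flow, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"local ident .*?: \((.*?)\)", line)
        if m:  # a new flow starts at every 'local ident' line
            flow = {"local": m.group(1), "remote": None, "peer": None, "encaps": 0,
                    "decaps": 0, "send_errors": 0, "inbound": [], "outbound": []}
            flows.append(flow)
            section = None
            continue
        if flow is None:
            continue
        for key, pat, conv in (("remote", r"remote ident .*?: \((.*?)\)", str),
                               ("peer", r"current_peer: (\S+)", str),
                               ("encaps", r"#pkts encaps: (\d+)", int),
                               ("decaps", r"#pkts decaps: (\d+)", int),
                               ("send_errors", r"#send errors (\d+)", int)):
            m = re.match(pat, line)
            if m:
                flow[key] = conv(m.group(1))
                break
        else:
            if line in ("inbound esp sas:", "outbound esp sas:"):
                section = line.split()[0]          # 'inbound' or 'outbound'
            elif line.endswith("sas:"):            # ah / pcp sections are not tracked
                section = None
            elif section and (m := re.match(r"spi: (0x[0-9a-f]+)", line)):
                flow[section].append({"spi": m.group(1), "remaining_sec": None})
            elif section and flow[section] and (m := re.match(r"sa timing: .*\((\d+)/(\d+)\)", line)):
                flow[section][-1]["remaining_sec"] = int(m.group(2))
    return flows


def classify_flows(flows):
    """Return (dropped, never_up): flows with no ESP SA, split by whether traffic ever flowed."""
    dropped, never_up = [], []
    for f in flows:
        if f["inbound"] or f["outbound"]:
            continue
        key = (f["local"], f["remote"])
        (dropped if f["encaps"] or f["decaps"] else never_up).append(key)
    return dropped, never_up


def rekey_intervals(config):
    """Compare the shortest ISAKMP lifetime against the IPsec SA lifetime in a PIX config."""
    ike = [int(s) for s in re.findall(r"^isakmp policy \d+ lifetime (\d+)", config, re.M)]
    m = re.search(r"^crypto ipsec security-association lifetime seconds (\d+)", config, re.M)
    ike_sec = min(ike) if ike else PIX_ISAKMP_DEFAULT_LIFETIME
    ipsec_sec = int(m.group(1)) if m else PIX_IPSEC_DEFAULT_LIFETIME
    return {"ike_sec": ike_sec, "ipsec_sec": ipsec_sec,
            "ipsec_shorter_than_ike": ipsec_sec < ike_sec}


if __name__ == "__main__":
    dropped, never_up = classify_flows(parse_ipsec_sa(SAMPLE_SA))
    print("flows with traffic but no SA:", dropped)
    print("flows never negotiated:", never_up)
    print("rekey intervals:", rekey_intervals(SAMPLE_CONFIG))
```

Run against a full `show crypto ipsec sa` capture and the running config, the "flows with traffic but no SA" list is the quickest way to see which crypto-ACL entries the Concentrator has dropped, and `ipsec_shorter_than_ike` being False with a 600 s IKE lifetime is exactly the inverted configuration discussed above.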