Site-to-site tunnels go down

Greg Maaaag
Level 1

Hi everyone!

I have a VPN concentrator on Vyatta, 8 Cisco 881W and 2 Cisco 1941 with site-to-site VPN connected to the Vyatta. They are all in one ISP VLAN, native L2 level.

I use a pre-shared key, AES-128 and MD5 hash.

Traffic goes both ways, everything is okay; I started Cacti monitoring of traffic and CPU, and started a NetFlow analyzer.

Sometimes one IPsec connection to any of the branches goes down. There is no extra CPU load, not more than 20-30%, no huge traffic, but for some reason I receive a phone call like "I can't reach the server". I check on the Vyatta: the tunnels to one router are down. I do "reset vpn ipsec-peer N" and everything is OK.

I noticed that when I added "keepalive periodic 10" on the Ciscos, the tunnels started going down more often. For example, usually I receive 1-2 phone calls during a day; when I added this command, I started to receive 4-5 phone calls from branches.

How can I check this? It really drives me crazy because it's always a random branch whose tunnel goes down; today it was one 1941 and one 881W, yesterday it was three 881Ws during the whole day. I can't figure out what the problem is.

Help me please!

4 Replies

Greg Maaaag
Level 1

Today I found one connection down and took debugs from the Vyatta and the Cisco:

*Feb 11 06:00:20.589: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 89.104.102.237:500, remote= 89.223.6.92:500,

    local_proxy= 192.168.2.0/255.255.255.0/256/0,

    remote_proxy= 192.168.10.0/255.255.255.0/256/0,

    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

*Feb 11 06:00:20.649: IPSEC(key_engine): got a queue event with 1 KMI message(s)

Urbana#

*Feb 11 06:00:34.889: IPSEC(key_engine): request timer fired: count = 1,

  (identity) local= 89.104.102.237:0, remote= 89.223.6.92:0,

    local_proxy= 192.168.2.0/255.255.255.0/256/0,

    remote_proxy= 192.168.240.0/255.255.255.0/256/0

*Feb 11 06:00:34.889: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 89.104.102.237:500, remote= 89.223.6.92:500,

    local_proxy= 192.168.2.0/255.255.255.0/256/0,

    remote_proxy= 192.168.240.0/255.255.255.0/256/0,

    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

Urbana#

*Feb 11 06:00:34.953: IPSEC(key_engine): got a queue event with 1 KMI message(s)

Urbana#

*Feb 11 06:00:50.589: IPSEC(key_engine): request timer fired: count = 1,

  (identity) local= 89.104.102.237:0, remote= 89.223.6.92:0,

    local_proxy= 192.168.2.0/255.255.255.0/256/0,

    remote_proxy= 192.168.10.0/255.255.255.0/256/0

*Feb 11 06:00:50.589: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 89.104.102.237:500, remote= 89.223.6.92:500,

    local_proxy= 192.168.2.0/255.255.255.0/256/0,

    remote_proxy= 192.168.10.0/255.255.255.0/256/0,

    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

Urbana#

*Feb 11 06:00:50.645: IPSEC(key_engine): got a queue event with 1 KMI message(s)

Urbana#

*Feb 11 06:00:59.313: %CRYPTO-4-IKMP_NO_SA: IKE message from 89.223.6.92 has no SA and is not an initialization offer

Urbana#

*Feb 11 06:01:04.889: IPSEC(key_engine): request timer fired: count = 2,

  (identity) local= 89.104.102.237:0, remote= 89.223.6.92:0,

    local_proxy= 192.168.2.0/255.255.255.0/256/0,

    remote_proxy= 192.168.240.0/255.255.255.0/256/0

*Feb 11 06:01:04.889: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 89.104.102.237:500, remote= 89.223.6.92:500,

    local_proxy= 192.168.2.0/255.255.255.0/256/0,

    remote_proxy= 192.168.240.0/255.255.255.0/256/0,

    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

Urbana#

*Feb 11 06:01:04.957: IPSEC(key_engine): got a queue event with 1 KMI message(s)

Urbana#

*Feb 11 06:01:20.589: IPSEC(key_engine): request timer fired: count = 2,

  (identity) local= 89.104.102.237:0, remote= 89.223.6.92:0,

    local_proxy= 192.168.2.0/255.255.255.0/256/0,

    remote_proxy= 192.168.10.0/255.255.255.0/256/0

Urbana#terminal no monitor

Vyatta:

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15646: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15646: starting keying attempt 182 of an unlimited number

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15662: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #15646 {using isakmp#14392}

  VPN-IPSEC: packet from 89.104.102.237:500: received Vendor ID payload [RFC 3947]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15663: responding to Main Mode

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15663: received Vendor ID payload [Dead Peer Detection]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15663: ignoring Vendor ID payload [5ded2664d3865ee16a065e1125ff4cec]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15663: received Vendor ID payload [XAUTH]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15663: NAT-Traversal: Result using RFC 3947: no NAT detected

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15663: ignoring informational payload, type IPSEC_INITIAL_CONTACT

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15663: Peer ID is ID_IPV4_ADDR: '89.104.102.237'

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15663: sent MR3, ISAKMP SA established

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15663: cannot respond to IPsec SA request because no connection is known for 192.168.10.0/24===89.223.6.92[89.223.6.92]...89.104.102.237[89.104.102.237]===192.168.2.0/24

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15663: sending encrypted notification INVALID_ID_INFORMATION to 89.104.102.237:500

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15663: received Delete SA payload: deleting ISAKMP State #15663

  VPN-IPSEC: packet from 89.104.102.237:500: received Vendor ID payload [RFC 3947]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15664: responding to Main Mode

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15664: received Vendor ID payload [Dead Peer Detection]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15664: ignoring Vendor ID payload [5ded2664b9b6e363945885b47bb439a6]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15664: received Vendor ID payload [XAUTH]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15664: NAT-Traversal: Result using RFC 3947: no NAT detected

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15664: ignoring informational payload, type IPSEC_INITIAL_CONTACT

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15664: Peer ID is ID_IPV4_ADDR: '89.104.102.237'

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15664: sent MR3, ISAKMP SA established

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15665: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15665: sending encrypted notification NO_PROPOSAL_CHOSEN to 89.104.102.237:500

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15664: received Delete SA payload: deleting ISAKMP State #15664

  VPN-IPSEC: "peer-89.104.102.237-tunnel-2" #15651: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

  VPN-IPSEC: "peer-89.104.102.237-tunnel-2" #15651: starting keying attempt 183 of an unlimited number

  VPN-IPSEC: "peer-89.104.102.237-tunnel-2" #15667: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #15651 {using isakmp#14392}

  VPN-IPSEC: packet from 89.104.102.237:500: received Vendor ID payload [RFC 3947]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15669: responding to Main Mode

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15669: received Vendor ID payload [Dead Peer Detection]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15669: ignoring Vendor ID payload [5ded2664e6c0cdb0cdff98e262a9f540]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15669: received Vendor ID payload [XAUTH]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15669: NAT-Traversal: Result using RFC 3947: no NAT detected

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15669: ignoring informational payload, type IPSEC_INITIAL_CONTACT

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15669: Peer ID is ID_IPV4_ADDR: '89.104.102.237'

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15669: sent MR3, ISAKMP SA established

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15669: cannot respond to IPsec SA request because no connection is known for 192.168.10.0/24===89.223.6.92[89.223.6.92]...89.104.102.237[89.104.102.237]===192.168.2.0/24

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15669: sending encrypted notification INVALID_ID_INFORMATION to 89.104.102.237:500

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15669: received Delete SA payload: deleting ISAKMP State #15669

  VPN-IPSEC: "peer-89.104.102.237-tunnel-1" #15654: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

  VPN-IPSEC: "peer-89.104.102.237-tunnel-1" #15654: starting keying attempt 78 of an unlimited number

  VPN-IPSEC: "peer-89.104.102.237-tunnel-1" #15670: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #15654 {using isakmp#14392}

  VPN-IPSEC: packet from 89.104.102.237:500: received Vendor ID payload [RFC 3947]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15671: responding to Main Mode

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15671: received Vendor ID payload [Dead Peer Detection]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15671: ignoring Vendor ID payload [5ded2664a8b1d9fa9a7cb3b0d2594b10]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15671: received Vendor ID payload [XAUTH]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15671: NAT-Traversal: Result using RFC 3947: no NAT detected

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15671: ignoring informational payload, type IPSEC_INITIAL_CONTACT

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15671: Peer ID is ID_IPV4_ADDR: '89.104.102.237'

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15671: sent MR3, ISAKMP SA established

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15672: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15672: sending encrypted notification NO_PROPOSAL_CHOSEN to 89.104.102.237:500

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15671: received Delete SA payload: deleting ISAKMP State #15671

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15662: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15662: starting keying attempt 183 of an unlimited number

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15674: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #15662 {using isakmp#14392}

  VPN-IPSEC: packet from 89.104.102.237:500: received Vendor ID payload [RFC 3947]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15675: responding to Main Mode

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15675: received Vendor ID payload [Dead Peer Detection]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15675: ignoring Vendor ID payload [5ded266488199a84d7b10ce8c54943e6]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15675: received Vendor ID payload [XAUTH]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15675: NAT-Traversal: Result using RFC 3947: no NAT detected

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15675: ignoring informational payload, type IPSEC_INITIAL_CONTACT

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15675: Peer ID is ID_IPV4_ADDR: '89.104.102.237'

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15675: sent MR3, ISAKMP SA established

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15676: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15676: sending encrypted notification NO_PROPOSAL_CHOSEN to 89.104.102.237:500

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15675: received Delete SA payload: deleting ISAKMP State #15675

  VPN-IPSEC: packet from 89.104.102.237:500: received Vendor ID payload [RFC 3947]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15678: responding to Main Mode

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15678: received Vendor ID payload [Dead Peer Detection]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15678: ignoring Vendor ID payload [5ded26640741d90ad0826d199f025842]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15678: received Vendor ID payload [XAUTH]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15678: NAT-Traversal: Result using RFC 3947: no NAT detected

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15678: ignoring informational payload, type IPSEC_INITIAL_CONTACT

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15678: Peer ID is ID_IPV4_ADDR: '89.104.102.237'

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15678: sent MR3, ISAKMP SA established

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15678: cannot respond to IPsec SA request because no connection is known for 192.168.10.0/24===89.223.6.92[89.223.6.92]...89.104.102.237[89.104.102.237]===192.168.2.0/24

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15678: sending encrypted notification INVALID_ID_INFORMATION to 89.104.102.237:500

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15678: received Delete SA payload: deleting ISAKMP State #15678

  VPN-IPSEC: "peer-89.104.102.237-tunnel-2" #15667: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

  VPN-IPSEC: "peer-89.104.102.237-tunnel-2" #15667: starting keying attempt 184 of an unlimited number

  VPN-IPSEC: "peer-89.104.102.237-tunnel-2" #15680: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #15667 {using isakmp#14392}

  VPN-IPSEC: packet from 89.104.102.237:500: received Vendor ID payload [RFC 3947]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15682: responding to Main Mode

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15682: received Vendor ID payload [Dead Peer Detection]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15682: ignoring Vendor ID payload [5ded2664ccd37d1ba0b055793ff59010]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15682: received Vendor ID payload [XAUTH]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15682: NAT-Traversal: Result using RFC 3947: no NAT detected

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15682: ignoring informational payload, type IPSEC_INITIAL_CONTACT

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15682: Peer ID is ID_IPV4_ADDR: '89.104.102.237'

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15682: sent MR3, ISAKMP SA established

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15683: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15683: sending encrypted notification NO_PROPOSAL_CHOSEN to 89.104.102.237:500

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15682: received Delete SA payload: deleting ISAKMP State #15682

  VPN-IPSEC: "peer-89.104.102.237-tunnel-1" #15670: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

  VPN-IPSEC: "peer-89.104.102.237-tunnel-1" #15670: starting keying attempt 79 of an unlimited number

  VPN-IPSEC: "peer-89.104.102.237-tunnel-1" #15684: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #15670 {using isakmp#14392}

  VPN-IPSEC: packet from 89.104.102.237:500: received Vendor ID payload [RFC 3947]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15685: responding to Main Mode

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15685: received Vendor ID payload [Dead Peer Detection]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15685: ignoring Vendor ID payload [5ded2664010501278b1fe21935064d55]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15685: received Vendor ID payload [XAUTH]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15685: NAT-Traversal: Result using RFC 3947: no NAT detected

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15685: ignoring informational payload, type IPSEC_INITIAL_CONTACT

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15685: Peer ID is ID_IPV4_ADDR: '89.104.102.237'

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15685: sent MR3, ISAKMP SA established

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15685: cannot respond to IPsec SA request because no connection is known for 192.168.10.0/24===89.223.6.92[89.223.6.92]...89.104.102.237[89.104.102.237]===192.168.2.0/24

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15685: sending encrypted notification INVALID_ID_INFORMATION to 89.104.102.237:500

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15685: received Delete SA payload: deleting ISAKMP State #15685

  VPN-IPSEC: packet from 89.104.102.237:500: received Vendor ID payload [RFC 3947]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15687: responding to Main Mode

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15687: received Vendor ID payload [Dead Peer Detection]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15687: ignoring Vendor ID payload [5ded2664a50786b32fa8014be9b7f6bb]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15687: received Vendor ID payload [XAUTH]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15687: NAT-Traversal: Result using RFC 3947: no NAT detected

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15687: ignoring informational payload, type IPSEC_INITIAL_CONTACT

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15687: Peer ID is ID_IPV4_ADDR: '89.104.102.237'

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15687: sent MR3, ISAKMP SA established

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15688: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15688: sending encrypted notification NO_PROPOSAL_CHOSEN to 89.104.102.237:500

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15687: received Delete SA payload: deleting ISAKMP State #15687

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15674: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15674: starting keying attempt 184 of an unlimited number

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15689: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #15674 {using isakmp#14392}

  VPN-IPSEC: packet from 89.104.102.237:500: received Vendor ID payload [RFC 3947]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15691: responding to Main Mode

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15691: received Vendor ID payload [Dead Peer Detection]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15691: ignoring Vendor ID payload [5ded2664dec611938388142ae89a2645]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15691: received Vendor ID payload [XAUTH]

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15691: NAT-Traversal: Result using RFC 3947: no NAT detected

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15691: ignoring informational payload, type IPSEC_INITIAL_CONTACT

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15691: Peer ID is ID_IPV4_ADDR: '89.104.102.237'

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15691: sent MR3, ISAKMP SA established

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15692: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15692: sending encrypted notification NO_PROPOSAL_CHOSEN to 89.104.102.237:500

  VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15691: received Delete SA payload: deleting ISAKMP State #15691

  VPN-IPSEC: "peer-89.104.102.237-tunnel-2" #15680: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

  VPN-IPSEC: "peer-89.104.102.237-tunnel-2" #15680: starting keying attempt 185 of an unlimited number

  VPN-IPSEC: "peer-89.104.102.237-tunnel-2" #15693: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #15680 {using isakmp#14392}

  VPN-IPSEC: packet from 89.104.102.237:500: received Vendor ID payload [RFC 3947]

  VPN-IPSEC: packet from 89.104.102.237:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]

In "show vpn ike sa" on the Vyatta there is no host 89.104.102.237 at all!

Where is the problem?
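The two debug excerpts above carry the answer in plain text, but it is spread over hundreds of repeated lines. The Cisco side shows which traffic selectors (local_proxy/remote_proxy) it offers in Quick Mode; the Vyatta side shows how it answers each offer: INVALID_ID_INFORMATION when it has no tunnel for the offered subnets ("no connection is known for ..."), and NO_PROPOSAL_CHOSEN when it requires PFS and the proposal carries no DH group. The script below is an added example, not part of the original post or of either vendor's tooling: it parses constructed excerpts modelled on the lines posted above (same addresses and wording), normalises the Cisco net/mask form to the CIDR form Vyatta prints, and reports the mismatches. The hypothetical function names are mine.

```python
import ipaddress
import re
from collections import Counter

# Constructed excerpts modelled on the debug output in the thread (not the full logs).
CISCO_DEBUG = """\
*Feb 11 06:00:20.589: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 89.104.102.237:500, remote= 89.223.6.92:500,
    local_proxy= 192.168.2.0/255.255.255.0/256/0,
    remote_proxy= 192.168.10.0/255.255.255.0/256/0,
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
*Feb 11 06:00:34.889: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 89.104.102.237:500, remote= 89.223.6.92:500,
    local_proxy= 192.168.2.0/255.255.255.0/256/0,
    remote_proxy= 192.168.240.0/255.255.255.0/256/0,
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
*Feb 11 06:00:59.313: %CRYPTO-4-IKMP_NO_SA: IKE message from 89.223.6.92 has no SA and is not an initialization offer
"""

VYATTA_LOG = """\
VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15663: cannot respond to IPsec SA request because no connection is known for 192.168.10.0/24===89.223.6.92[89.223.6.92]...89.104.102.237[89.104.102.237]===192.168.2.0/24
VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15663: sending encrypted notification INVALID_ID_INFORMATION to 89.104.102.237:500
VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15665: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
VPN-IPSEC: "peer-89.104.102.237-tunnel-3" #15665: sending encrypted notification NO_PROPOSAL_CHOSEN to 89.104.102.237:500
VPN-IPSEC: "peer-89.104.102.237-tunnel-2" #15651: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# Cisco prints a local_proxy line followed by a remote_proxy line for each Quick Mode request.
_CISCO_PROXY = re.compile(
    r"local_proxy= ([\d.]+)/([\d.]+)/\d+/\d+,\s*remote_proxy= ([\d.]+)/([\d.]+)/\d+/\d+")
# Openswan/Vyatta prints the unmatched selector as <vyatta_subnet>===<vyatta_ip>[id]...<peer_ip>[id]===<peer_subnet>.
_VY_UNKNOWN = re.compile(
    r"no connection is known for ([\d./]+)===([\d.]+)\[[^\]]*\]\.\.\.([\d.]+)\[[^\]]*\]===([\d./]+)")
_VY_NOTIFY = re.compile(r"sending encrypted notification (\w+) to ([\d.]+):\d+")
_VY_RETRANS = re.compile(r'"(peer-[\d.]+-tunnel-\d+)" #\d+: max number of retransmissions')
PFS_MISSING_MSG = "we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION"


def to_cidr(net, mask):
    """Normalise Cisco's net/dotted-mask form to the CIDR form Vyatta logs."""
    return ipaddress.IPv4Network(f"{net}/{mask}", strict=False).with_prefixlen


def cisco_proposed_proxies(debug):
    """Set of (cisco_local, vyatta_local) selectors the Cisco offered in Quick Mode."""
    return {(to_cidr(l, lm), to_cidr(r, rm)) for l, lm, r, rm in _CISCO_PROXY.findall(debug)}


def vyatta_unknown_selectors(log):
    """Selectors Vyatta refused with INVALID_ID_INFORMATION, flipped to (cisco_local, vyatta_local)."""
    return {(peer_subnet, vy_subnet) for vy_subnet, _, _, peer_subnet in _VY_UNKNOWN.findall(log)}


def vyatta_notifications(log):
    return Counter(name for name, _ in _VY_NOTIFY.findall(log))


def vyatta_stuck_tunnels(log):
    """Tunnels whose Quick Mode initiations time out (Vyatta as initiator gets no usable answer)."""
    return set(_VY_RETRANS.findall(log))


def triage(cisco_debug, vyatta_log):
    proposed = cisco_proposed_proxies(cisco_debug)
    unknown = vyatta_unknown_selectors(vyatta_log)
    findings = []
    for cisco_net, vy_net in sorted(unknown & proposed):
        findings.append(f"proxy-ID mismatch: Cisco offers {cisco_net} <-> {vy_net}, "
                        f"Vyatta has no site-to-site tunnel with those subnets")
    if PFS_MISSING_MSG in vyatta_log:
        findings.append("PFS mismatch: Vyatta esp-group requires PFS, Cisco crypto map sends no DH group")
    if "%CRYPTO-4-IKMP_NO_SA" in cisco_debug:
        findings.append("Cisco received an IKE message for an SA it does not hold: ISAKMP state is out of sync")
    return {
        "proposed": proposed,
        "unknown_on_vyatta": unknown,
        "notifications": vyatta_notifications(vyatta_log),
        "stuck_tunnels": vyatta_stuck_tunnels(vyatta_log),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(CISCO_DEBUG, VYATTA_LOG).items():
        print(f"{key}: {value}")
```

Run against the real logs by reading them into the two strings; the regexes only depend on the message formats visible above, so anything with a different format is simply not counted and should be reviewed by hand.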

Hi,

It is a really long shot after 10 years, but did you figure it out in the end?

Can you make a new post?

Thanks

MHM

PeterSz
Level 1

Hi,
It seems I fixed it. I will add my solution here, just in case someone else is also struggling with this.
I am not 100% sure which change solved it as I made two.

1) Setting the PFS group for the crypto map
The most likely one is this.
In the Vyatta log it says
"we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION", which does not make much sense as the Diffie-Hellman group is set in the isakmp policy:

crypto isakmp policy 1
group 2

Anyway, I've set the group on the crypto map too:

crypto map MyVPNMap 1 ipsec-isakmp
set pfs group2

I have chosen group2 as Vyatta only supports a few and this one seemed like the best of those.

2) Setting the lifetime on the crypto isakmp policy
This one is less likely to do anything.
I just noticed Vyatta does not care about the lifetime sent and simply discards the setting. To keep it in sync with the Cisco router I set it to the Vyatta default.
But for me it was dropping the connection every 10 minutes or sometimes a bit more, but still less than 8 hours, so this should not be the real issue (I think).

crypto isakmp policy 1
 lifetime 28800
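Why the isakmp-policy `group 2` did not help, while `set pfs group2` on the crypto map did: the isakmp policy's DH group is negotiated in Phase 1 (Main Mode) and only protects the ISAKMP SA; PFS for the IPsec SA is a separate GROUP_DESCRIPTION attribute in the Quick Mode proposal, and `set pfs` on the crypto map is what puts it there. The model below is an added example, not code from the thread or from either vendor: it replays the responder-side checks in the order the Vyatta log shows them (selector lookup first, then PFS, then the transform) for the proposals the Cisco sent before and after PeterSz's fix. The assignment of 192.168.240.0/24 to "tunnel-3" on the Vyatta is an assumption for the demo (the thread does not show the Vyatta subnets), and the function names are mine.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple


@dataclass(frozen=True)
class QuickModeProposal:
    """What the IKEv1 initiator (here the Cisco crypto map) offers in Quick Mode message 1."""
    local_subnet: str           # initiator's traffic selector
    remote_subnet: str          # responder's subnet as the initiator sees it
    encryption: str             # e.g. "aes128"  (transform-set esp-aes)
    integrity: str              # e.g. "md5"     (transform-set esp-md5-hmac)
    pfs_group: Optional[int]    # GROUP_DESCRIPTION attribute; None when 'set pfs' is absent


@dataclass(frozen=True)
class VyattaTunnel:
    """One 'site-to-site peer X tunnel N' with its esp-group, as the responder sees it."""
    name: str
    local_subnet: str
    remote_subnet: str
    encryption: str
    integrity: str
    pfs_group: Optional[int]    # esp-group 'pfs dh-groupN'; None models 'pfs disable'


def respond_quick_mode(p: QuickModeProposal, tunnels: List[VyattaTunnel]) -> Tuple[str, str]:
    """Return (status, detail) for one Quick Mode request, checks in responder order."""
    # 1. Selector lookup: the responder swaps the initiator's local/remote view.
    match = [t for t in tunnels
             if t.local_subnet == p.remote_subnet and t.remote_subnet == p.local_subnet]
    if not match:
        return ("INVALID_ID_INFORMATION",
                f"no connection is known for {p.remote_subnet}...{p.local_subnet}")
    t = match[0]
    # 2. PFS: a tunnel configured with pfs refuses a proposal without GROUP_DESCRIPTION,
    #    and a proposal with a different group. (Whether a responder that does not require
    #    PFS accepts an offered group is daemon-specific; this model assumes it does.)
    if t.pfs_group is not None:
        if p.pfs_group is None:
            return ("NO_PROPOSAL_CHOSEN",
                    "we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION")
        if p.pfs_group != t.pfs_group:
            return ("NO_PROPOSAL_CHOSEN",
                    f"PFS group {p.pfs_group} offered, {t.name} requires dh-group{t.pfs_group}")
    # 3. Transform: encryption and integrity must both match the esp-group proposal.
    if (p.encryption, p.integrity) != (t.encryption, t.integrity):
        return ("NO_PROPOSAL_CHOSEN",
                f"transform {p.encryption}/{p.integrity} not in esp-group of {t.name}")
    return ("ESTABLISHED", f"IPsec SA on {t.name}, pfs dh-group{t.pfs_group}")


# Assumed Vyatta side for the demo: esp-group aes128/md5 with pfs dh-group2 on tunnel-3.
VYATTA_TUNNELS = [
    VyattaTunnel("peer-89.104.102.237-tunnel-3", "192.168.240.0/24", "192.168.2.0/24",
                 "aes128", "md5", 2),
]


def before_fix():
    """Cisco crypto map without 'set pfs': transform matches, but no GROUP_DESCRIPTION is sent."""
    return respond_quick_mode(
        QuickModeProposal("192.168.2.0/24", "192.168.240.0/24", "aes128", "md5", None),
        VYATTA_TUNNELS)


def after_fix():
    """Same crypto map with 'set pfs group2' added."""
    return respond_quick_mode(
        QuickModeProposal("192.168.2.0/24", "192.168.240.0/24", "aes128", "md5", 2),
        VYATTA_TUNNELS)


def stray_selector():
    """A crypto ACL line for a subnet the Vyatta has no tunnel for: PFS never gets checked."""
    return respond_quick_mode(
        QuickModeProposal("192.168.2.0/24", "192.168.10.0/24", "aes128", "md5", 2),
        VYATTA_TUNNELS)


if __name__ == "__main__":
    for label, fn in (("before fix", before_fix), ("after fix", after_fix),
                      ("stray selector", stray_selector)):
        print(f"{label}: {fn()}")
```

The third case is the one the PFS fix cannot reach: a crypto ACL entry for a subnet the Vyatta has no `tunnel` for is refused at the selector lookup, before PFS or transforms are looked at, so a Cisco that keeps retrying that entry will still show INVALID_ID_INFORMATION in the Vyatta log after `set pfs group2` is in place. Fix that by matching the ACL lines on the Cisco to the `local subnet`/`remote subnet` pairs configured on the Vyatta peer, one tunnel per pair.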