Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
497
Views
0
Helpful
3
Replies

VPN Concentrator disconnected every 7:36:32

hfma_hk09
Level 1
Level 1

‎06-18-2009 05:51 PM

Hi experts, I found my L2L setting which configuration between VPN concentrator and Pix will disconnect every 7:36:32, I have searched on Internet and find some users already have the same problem but don't have an possible answer, do any expert know what is the reason for this?

Concentrator log:

1301 06/17/2009 22:55:57.570 SEV=4 IKE/41 RPT=609 <peer ip address>

Group [<peer ip address>]

IKE Initiator: Rekeying Phase 2, Intf 2, IKE Peer <peer ip address>

local Proxy Address x.x.x.x, remote Proxy Address x.x.x.x,

SA (L2L: L2L_TEST)

1327 06/17/2009 22:56:29.570 SEV=4 IKEDBG/97 RPT=59 <peer ip address>

Group [<peer ip address>]

QM FSM error (P2 struct &0x1dc856a4, mess id 0x11ca1925)!

1328 06/17/2009 22:56:29.570 SEV=4 AUTH/23 RPT=42 <peer ip address>

User [<peer ip address>] Group [<peer ip address>] disconnected: duration: 7:36:32

1329 06/17/2009 22:56:29.570 SEV=4 AUTH/85 RPT=42

LAN-to-LAN tunnel to headend device <peer ip address> disconnected: duration: 7:36:32

- Is the problem related to Phase 2 rekeying? I have already set the Phase 2 key lifetime to 28800(8 hours), if it is related to Phase 2 rekey, why it disconnected every 7:36:32, not 8 hours?

- Also, is it related to the phase 2 proposal not match between the two device?

Please help...

Labels:
0 Helpful
3 Replies 3

auraza
Cisco Employee
Cisco Employee

‎06-19-2009 06:08 AM

It could be P2 rekey. Make sure PFS is either disabled or enabled on both devices.

0 Helpful

hfma_hk09
Level 1
Level 1
In response to auraza

‎06-19-2009 09:15 AM

Hi Auraza, I've checked both devices and found PFS is disabled for them. Any other possible reason? Is it related to Phase 2 SA proposal problem?

0 Helpful

auraza
Cisco Employee
Cisco Employee
In response to hfma_hk09

‎06-19-2009 09:22 AM

Not sure if it is related to SA proposal or what, but if you did initially connect, then it doesn't sound like a Phase 2 problem, but we'll have to see debugs to see what is going on.

General -> Events -> Classes:

enable IKE, IKEDBG, IPSEC, IPSECDBG to log for sev 1-9.

Once this happens again, copy the logs and post them here, with the time that it happened. That should give a better idea.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents