
VPN IKEv2, Tunnel goes up and down

tsipoulanis
Level 1

Hello everyone,

(please help :) )

I have an S2S IKEv2 VPN for sites.
For many weeks we have been losing the connection, and the tunnel goes up and down.
*Nov 24 18:25:36.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:25:58.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:26:06.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:26:28.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:26:30.111: %SEC-6-IPACCESSLOGNP: list 23 denied 0 59.127.117.140 -> 0.0.0.0, 1 packet
*Nov 24 18:26:36.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:26:58.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:27:17.611: %SEC-6-IPACCESSLOGNP: list 23 denied 0 219.159.82.24 -> 0.0.0.0, 1 packet
*Nov 24 18:27:37.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:27:55.079: %SEC-6-IPACCESSLOGNP: list 23 denied 0 181.20.142.92 -> 0.0.0.0, 1 packet
*Nov 24 18:27:59.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:28:07.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:28:29.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:28:37.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:28:47.975: %SEC-6-IPACCESSLOGNP: list 23 denied 0 188.3.122.59 -> 0.0.0.0, 1 packet
*Nov 24 18:28:59.687: %SEC-6-IPACCESSLOGNP: list 23 denied 0 216.67.41.218 -> 0.0.0.0, 1 packet
*Nov 24 18:28:59.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:29:07.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:29:29.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:29:37.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:29:59.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:30:38.891: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:30:59.687: %SEC-6-IPACCESSLOGNP: list 23 denied 0 168.126.145.87 -> 0.0.0.0, 1 packet
*Nov 24 18:31:00.891: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:31:08.891: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:31:30.891: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:31:38.891: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:32:00.891: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:32:08.891: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:32:30.891: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down

Additionally, I executed "debug crypto ikev2 packet" and received the output below.

*Nov 24 18:18:33.991: IKEv2-PAK:(SESSION ID = 228,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 816
Payload contents:
 ENCR  Next payload: VID, reserved: 0x0, length: 788

*Nov 24 18:18:33.995: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
DCDE_VPNrtr#
*Nov 24 18:18:43.995: IKEv2-PAK:(SESSION ID = 228,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
Payload contents:
 ENCR  Next payload: NONE, reserved: 0x0, length: 68

*Nov 24 18:18:45.995: IKEv2-PAK:(SESSION ID = 228,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
Payload contents:
 ENCR  Next payload: NONE, reserved: 0x0, length: 68

*Nov 24 18:18:47.995: IKEv2-PAK:(SESSION ID = 228,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
Payload contents:
 ENCR  Next payload: NONE, reserved: 0x0, length: 68

*Nov 24 18:18:49.995: IKEv2-PAK:(SESSION ID = 228,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
Payload contents:
 ENCR  Next payload: NONE, reserved: 0x0, length: 68

*Nov 24 18:18:51.995: IKEv2-PAK:(SESSION ID = 228,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
Payload contents:
 ENCR  Next payload: NONE, reserved: 0x0, length: 68

*Nov 24 18:18:53.995: IKEv2-PAK:(SESSION ID = 228,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
Payload contents:
 ENCR  Next payload: NONE, reserved: 0x0, length: 68

*Nov 24 18:18:55.995: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:19:03.951: IKEv2-PAK:Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 508
Payload contents:
 SA  Next payload: KE, reserved: 0x0, length: 144
  last proposal: 0x0, reserved: 0x0, length: 140
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 15    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA512
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA384
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: MD5
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA512
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA384
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: MD596
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0
 N  Next payload: VID, reserved: 0x0, length: 36
 VID  Next payload: VID, reserved: 0x0, length: 23
 VID  Next payload: NOTIFY, reserved: 0x0, length: 21
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: NONE, reserved: 0x0, length: 28
    Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

*Nov 24 18:19:03.959: IKEv2-PAK:(SESSION ID = 229,SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 412
Payload contents:
 SA  Next payload: KE, reserved: 0x0, length: 48
  last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA512
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA512
    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0
 N  Next payload: VID, reserved: 0x0, length: 36
 VID  Next payload: VID, reserved: 0x0, length: 23
 VID  Next payload: NOTIFY, reserved: 0x0, length: 21
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: NONE, reserved: 0x0, length: 28
    Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

*Nov 24 18:19:03.987: IKEv2-PAK:(SESSION ID = 229,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 624
Payload contents:
 VID  Next payload: IDi, reserved: 0x0, length: 20
 IDi  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0
 AUTH  Next payload: CFG, reserved: 0x0, length: 72
    Auth method PSK, reserved: 0x0, reserved 0x0
 CFG  Next payload: SA, reserved: 0x0, length: 301
    cfg type: CFG_REQUEST, reserved: 0x0, reserved: 0x0

*Nov 24 18:19:03.987:    attrib type: internal IP4 DNS, length: 0

*Nov 24 18:19:03.987:    attrib type: internal IP4 DNS, length: 0

*Nov 24 18:19:03.987:    attrib type: internal IP4 NBNS, length: 0

*Nov 24 18:19:03.987:    attrib type: internal IP4 NBNS, length: 0

*Nov 24 18:19:03.987:    attrib type: internal IP4 subnet, length: 0

*Nov 24 18:19:03.987:    attrib type: internal IP6 DNS, length: 0

*Nov 24 18:19:03.987:    attrib type: internal IP6 subnet, length: 0

*Nov 24 18:19:03.987:    attrib type: application version, length: 241
   attrib type: Unknown - 28675, length: 0

*Nov 24 18:19:03.987:    attrib type: Unknown - 28672, length: 0

*Nov 24 18:19:03.987:    attrib type: Unknown - 28692, length: 0

*Nov 24 18:19:03.987:    attrib type: Unknown - 28681, length: 0

*Nov 24 18:19:03.987:    attrib type: Unknown - 28674, length: 0

*Nov 24 18:19:03.987:  SA  Next payload: TSi, reserved: 0x0, length: 44
  last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
    last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id: Don't use ESN
 TSi  Next payload: TSr, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 0.0.0.0, end addr: 255.255.255.255
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 0.0.0.0, end addr: 255.255.255.255
 NOTIFY(INITIAL_CONTACT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: INITIAL_CONTACT
 NOTIFY(SET_WINDOW_SIZE)  Next payload: NOTIFY, reserved: 0x0, length: 12
    Security protocol id: Unknown - 0, spi size: 0, type: SET_WINDOW_SIZE
 NOTIFY(ESP_TFC_NO_SUPPORT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: ESP_TFC_NO_SUPPORT
 NOTIFY(NON_FIRST_FRAGS)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: NON_FIRST_FRAGS

Payload contents:
 VID  Next payload: IDr, reserved: 0x0, length: 20
 IDr  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0
 AUTH  Next payload: CFG, reserved: 0x0, length: 72
    Auth method PSK, reserved: 0x0, reserved 0x0
 CFG  Next payload: SA, reserved: 0x0, length: 505
    cfg type: CFG_REPLY, reserved: 0x0, reserved: 0x0

*Nov 24 18:19:03.991:    attrib type: internal IP4 subnet, length: 8
   attrib type: internal IP4 subnet, length: 8
   attrib type: internal IP4 subnet, length: 8
   attrib type: internal IP4 subnet, length: 8
   attrib type: internal IP4 subnet, length: 8
   attrib type: internal IP4 subnet, length: 8
   attrib type: internal IP4 subnet, length: 8
   attrib type: internal IP4 subnet, length: 8
   attrib type: internal IP4 subnet, length: 8
   attrib type: internal IP4 subnet, length: 8
   attrib type: internal IP4 subnet, length: 8
   attrib type: internal IP4 subnet, length: 8
   attrib type: internal IP4 subnet, length: 8
   attrib type: internal IP4 subnet, length: 8
   attrib type: internal IP4 subnet, length: 8
   attrib type: internal IP4 subnet, length: 8
   attrib type: internal IP4 subnet, length: 8
   attrib type: internal IP4 subnet, length: 8
   attrib type: internal IP4 subnet, length: 8
   attrib type: internal IP4 subnet, length: 8
   attrib type: internal IP4 subnet, length: 8
   attrib type: application version, length: 241
 SA  Next payload: TSi, reserved: 0x0, length: 44
  last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
    last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id: Don't use ESN
 TSi  Next payload: TSr, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 0.0.0.0, end addr: 255.255.255.255
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 0.0.0.0, end addr: 255.255.255.255
 NOTIFY(SET_WINDOW_SIZE)  Next payload: NOTIFY, reserved: 0x0, length: 12
    Security protocol id: Unknown - 0, spi size: 0, type: SET_WINDOW_SIZE
 NOTIFY(ESP_TFC_NO_SUPPORT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: ESP_TFC_NO_SUPPORT
 NOTIFY(NON_FIRST_FRAGS)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: NON_FIRST_FRAGS

*Nov 24 18:19:03.991: IKEv2-PAK:(SESSION ID = 229,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 816
Payload contents:
 ENCR  Next payload: VID, reserved: 0x0, length: 788

*Nov 24 18:19:03.995: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:19:13.995: IKEv2-PAK:(SESSION ID = 229,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
Payload contents:
 ENCR  Next payload: NONE, reserved: 0x0, length: 68

DCDE_VPNrtr#
*Nov 24 18:19:15.995: IKEv2-PAK:(SESSION ID = 229,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
Payload contents:
 ENCR  Next payload: NONE, reserved: 0x0, length: 68

*Nov 24 18:19:17.995: IKEv2-PAK:(SESSION ID = 229,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
Payload contents:
 ENCR  Next payload: NONE, reserved: 0x0, length: 68

*Nov 24 18:19:19.711: %SEC-6-IPACCESSLOGNP: list 23 denied 0 126.42.18.155 -> 0.0.0.0, 1 packet
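
An added example, not part of the original post: a small Python parser for the log format shown above that measures how long Tunnel0 stays up in each cycle and collects the IKEv2 INFORMATIONAL messages seen while it is up, split into requests and MSG-RESPONSE replies. The function names and the placeholder year are assumptions; the log lines are copied from the post's debug output.

```python
import re
from datetime import datetime

# Excerpt of the post's debug output (session 228 and the start of 229).
LOG = """\
*Nov 24 18:18:33.995: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:18:43.995: IKEv2-PAK:(SESSION ID = 228,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
*Nov 24 18:18:45.995: IKEv2-PAK:(SESSION ID = 228,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
*Nov 24 18:18:47.995: IKEv2-PAK:(SESSION ID = 228,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
*Nov 24 18:18:49.995: IKEv2-PAK:(SESSION ID = 228,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
*Nov 24 18:18:51.995: IKEv2-PAK:(SESSION ID = 228,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
*Nov 24 18:18:53.995: IKEv2-PAK:(SESSION ID = 228,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
*Nov 24 18:18:55.995: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:19:03.995: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:19:13.995: IKEv2-PAK:(SESSION ID = 229,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
*Nov 24 18:19:15.995: IKEv2-PAK:(SESSION ID = 229,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
"""

TS = re.compile(r"^\*(\w{3} +\d+ [\d:.]+): (.*)$")
STATE = re.compile(r"changed state to (up|down)")
IKE = re.compile(r"Exchange type: (\w+), flags: ([A-Z\- ]+?) Message id: (\d+)")

def parse_ts(text):
    # IOS omits the year; 2000 is an arbitrary placeholder (assumption).
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S.%f")

def flap_cycles(log):
    """One dict per 'up' period: its length and the INFORMATIONAL messages seen in it."""
    cycles, current = [], None
    for line in log.splitlines():
        m = TS.match(line)
        if not m:
            continue  # payload detail lines and router prompts carry no timestamp
        when, body = parse_ts(m.group(1)), m.group(2)
        state, ike = STATE.search(body), IKE.search(body)
        if state and state.group(1) == "up":
            current = {"up": when, "seconds_up": None, "requests": [], "responses": []}
            cycles.append(current)
        elif state and current:
            current["seconds_up"] = (when - current["up"]).total_seconds()
            current = None
        elif ike and current and ike.group(1) == "INFORMATIONAL":
            key = "responses" if "MSG-RESPONSE" in ike.group(2) else "requests"
            current[key].append((when, int(ike.group(3))))
    return cycles

def retransmit_gaps(cycle):
    """Seconds between consecutive INFORMATIONAL requests within one cycle."""
    times = [t for t, _ in cycle["requests"]]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]
```

On this excerpt the first cycle is up for 22 seconds and contains six INFORMATIONAL requests with Message id 0, starting 10 seconds after the interface came up and spaced 2 seconds apart, with no MSG-RESPONSE logged in between. Reuse of the same Message id is how IKEv2 retransmits a request that has not been answered.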
