07-30-2008 12:04 PM
We have a VPN tunnel between a CheckPoint and a Cisco ASA. The tunnel is up and working, but almost every day around noon I get the following messages, and the tunnel breaks and reforms successfully. Phase 1 is set on both sides at 1440 min/86400 seconds; phase 2 is set on both sides to 3600. It sounds like the tunnel is just terminating at the end of the phase 1 lifetime, but people are using the tunnel and report that their sessions break, so I'm confused. Any ideas/help would be appreciated. Thank you.
713041 IP=1.1.1.1, IKE Initiator: Rekeying Phase 1,Intf Internet, IKE Peer 1.1.1.1, local Proxy Address N/A, remote Proxy Address N/A, Crypto map N/A
713903 Group=1.1.1.1, IP=1.1.1.1, Freeing previously allocated memory for authorization-dn-attributes
713119 Group=1.1.1.1, IP=1.1.1.1, PHASE 1 COMPLETED
713122 IP=1.1.1.1, Keep-alives configured on but peer does not support keep-alives (type=None)
713201 Group=1.1.1.1, IP=1.1.1.1, Duplicate phase 1 packet detected. No last packet to retransmit.
713201 Group=1.1.1.1, IP=1.1.1.1, Duplicate phase 1 packet detected. No last packet to retransmit.
ASA Version 7.2(4)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Internet_map 1 match address Internet_1_cryptomap
crypto map Internet_map 1 set peer 1.1.1.1
crypto map Internet_map 1 set transform-set ESP-3DES-SHA
crypto map Internet_map 1 set security-association lifetime seconds 3600
crypto map Internet_map interface Internet
crypto isakmp enable Internet
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp am-disable
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key xyz
# sh crypto isakmp sa detail
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 71300
# sh crypto ipsec sa
interface: Internet
Crypto map tag: Internet_map, seq num: 1, local addr: 22.22.22.22
access-list Internet_1_cryptomap permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 121046, #pkts encrypt: 121046, #pkts digest: 121046
#pkts decaps: 134396, #pkts decrypt: 134396, #pkts verify: 134396
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 121046, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 22.22.22.22, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 38003399
inbound esp sas:
spi: 0x802A637 (215026177)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 3, crypto-map: Internet_map
sa timing: remaining key lifetime (kB/sec): (4270520/2113)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x380033 (939538880)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 3, crypto-map: Internet_map
sa timing: remaining key lifetime (kB/sec): (4273260/2112)
IV size: 8 bytes
replay detection support: Y
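The log excerpt above shows a Phase 1 rekey (713041) that finishes with 713119 PHASE 1 COMPLETED while the IPsec SAs in the show output keep their counters and remaining lifetime, which is what a normal rekey looks like; a real tunnel loss produces a different message. The classifier below is an added example, not code from this thread or from Cisco. It reads bare ASA log lines in the form quoted in the post and tells a completed rekey apart from a teardown. Assumptions: the ISO timestamps, the second peer 2.2.2.2 and its lines are constructed; 713050 ("Connection terminated for peer") is used as the teardown marker and does not appear in the thread; the 30-second stall threshold is an arbitrary default.

```python
"""Classify Cisco ASA IKE log lines: benign Phase 1 rekeys vs. tunnel teardowns.

Added example for this thread, not Cisco code and not something the posters ran.
Assumptions are marked in comments.
"""
import re
from collections import defaultdict
from datetime import datetime

# Message IDs quoted in the thread.
MSG_REKEY_START = "713041"   # "IKE Initiator: Rekeying Phase 1"
MSG_PHASE1_DONE = "713119"   # "PHASE 1 COMPLETED"
MSG_DUP_PACKET = "713201"    # "Duplicate phase 1 packet detected" (retransmit noise)
# Not in the thread: the ASA "Connection terminated for peer" message.  Assumed
# here to be the marker of a genuine teardown.
MSG_TERMINATED = "713050"

# Constructed sample: the thread's lines with made-up timestamps, plus a second
# constructed peer (2.2.2.2) whose rekey ends in a teardown.
SAMPLE_LOG = """\
2008-07-30T12:03:58 713041 IP=1.1.1.1, IKE Initiator: Rekeying Phase 1,Intf Internet, IKE Peer 1.1.1.1, local Proxy Address N/A, remote Proxy Address N/A, Crypto map N/A
2008-07-30T12:03:58 713903 Group=1.1.1.1, IP=1.1.1.1, Freeing previously allocated memory for authorization-dn-attributes
2008-07-30T12:03:59 713119 Group=1.1.1.1, IP=1.1.1.1, PHASE 1 COMPLETED
2008-07-30T12:03:59 713122 IP=1.1.1.1, Keep-alives configured on but peer does not support keep-alives (type=None)
2008-07-30T12:04:01 713201 Group=1.1.1.1, IP=1.1.1.1, Duplicate phase 1 packet detected. No last packet to retransmit.
2008-07-30T12:04:01 713201 Group=1.1.1.1, IP=1.1.1.1, Duplicate phase 1 packet detected. No last packet to retransmit.
2008-07-30T13:10:00 713041 IP=2.2.2.2, IKE Initiator: Rekeying Phase 1,Intf Internet, IKE Peer 2.2.2.2, local Proxy Address N/A, remote Proxy Address N/A, Crypto map N/A
2008-07-30T13:10:40 713050 Group=2.2.2.2, IP=2.2.2.2, Connection terminated for peer 2.2.2.2. Reason: Peer Terminate Remote Proxy 192.168.10.0, Local Proxy 10.10.10.0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<id>\d{6})\s+(?P<body>.*)$")
PEER_RE = re.compile(r"\bIP=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line):
    """Return (timestamp, message id, peer ip, body) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    peer = PEER_RE.search(m["body"])
    if not peer:
        return None
    return datetime.fromisoformat(m["ts"]), m["id"], peer["ip"], m["body"]


def classify_ike_events(log_text, rekey_timeout=30):
    """Return {peer: {"events": [...], "duplicate_phase1_packets": n}}.

    713041 followed by 713119 for the same peer is a completed rekey: the
    IPsec SAs, and user traffic, are untouched.  713050 is a teardown; if a
    rekey was still pending it is recorded as a failed rekey.  A rekey with no
    completion within rekey_timeout seconds of the last log line is stalled.
    """
    pending = {}  # peer -> time of its 713041 message
    report = defaultdict(lambda: {"events": [], "duplicate_phase1_packets": 0})
    last_ts = None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, mid, peer, body = rec
        last_ts = ts
        entry = report[peer]
        if mid == MSG_REKEY_START and "Rekeying Phase 1" in body:
            pending[peer] = ts
        elif mid == MSG_PHASE1_DONE:
            started = pending.pop(peer, None)
            if started is None:
                entry["events"].append({"kind": "new_phase1", "at": ts})
            else:
                entry["events"].append({"kind": "rekey_ok", "at": ts,
                                        "seconds": (ts - started).total_seconds()})
        elif mid == MSG_TERMINATED:
            started = pending.pop(peer, None)
            kind = "rekey_failed_teardown" if started is not None else "teardown"
            entry["events"].append({"kind": kind, "at": ts})
        elif mid == MSG_DUP_PACKET:
            entry["duplicate_phase1_packets"] += 1
    # Rekeys that never completed long before the end of the log are stalled.
    for peer, started in pending.items():
        if last_ts is not None and (last_ts - started).total_seconds() > rekey_timeout:
            report[peer]["events"].append({"kind": "rekey_stalled", "at": started})
    return dict(report)


def tunnel_broke(report, peer):
    """True only when the log shows a teardown for the peer, not merely a rekey."""
    return any(e["kind"] in ("teardown", "rekey_failed_teardown")
               for e in report.get(peer, {}).get("events", []))


if __name__ == "__main__":
    result = classify_ike_events(SAMPLE_LOG)
    for peer, data in result.items():
        for ev in data["events"]:
            print(f"{ev['at'].isoformat()} {peer}: {ev['kind']}")
        print(f"{peer}: {data['duplicate_phase1_packets']} duplicate phase 1 packets (retransmit noise)")
        print(f"{peer}: tunnel actually broke? {tunnel_broke(result, peer)}")
```

Run against the sample, peer 1.1.1.1 shows one completed rekey and two duplicate-packet messages and `tunnel_broke` is false, matching the original poster's later finding that the tunnel itself was not the cause; peer 2.2.2.2 shows a rekey that ended in a teardown. To correlate with user complaints, compare the `at` timestamps of any teardown or stall events against the time the sessions dropped; a rekey_ok at noon with no teardown points away from the VPN.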
02-19-2009 11:04 AM
Were you able to find a solution? I have the same problem between Windows 2003 and an ASA. I have noticed that it drops at 75% of the phase 1 time. If I set it to 8 hrs, it breaks at 6 hrs; if I set it to 4 hrs, it breaks at 3 hrs; if I set it to 20 minutes, it breaks at 15 minutes. Like clockwork.
02-19-2009 11:15 AM
Our problem turned out to be within the Oracle application the users were using, and not with the connection. The database administrators tweaked a timeout parameter, and that resolved the issue.
02-19-2009 11:21 AM
Really? So the Oracle app was causing your VPN to disconnect periodically?
02-19-2009 11:51 AM
Users were reporting their sessions were breaking. I looked at the logs from the ASA and, based on the messages (like "PHASE 1 COMPLETED"), I assumed the tunnel was breaking and then reforming, and that's what was causing the session disconnect. Speaking further with the users, I found that some sessions did not get disconnected, but this one Oracle app always did. So I had the user send the screenshot of the error that she received when her session broke. I googled it and found a timeout issue caused by a parameter in a *.ora file. I had the DBA change the parameter to see if it resolved the user's issue, and as far as I know, it did. I don't work that closely with Cisco, so perhaps the messages I thought indicated a break in the tunnel actually were just normal messages. I just know the user is no longer complaining of session disruptions. Good luck ... I hope you find an answer to your issue.
02-20-2009 11:04 AM
Recently we found a problem with Windows 2003: it did not do DPD or something like that. Anyway, we hacked the registry and it works fine now. I will review and post details shortly.
Bill