6886 Views | 0 Helpful | 1 Replies

VPN Tunnel Dropping Connection

ndeinlein (Level 1)

I have set up a VPN tunnel between a Cisco RV042 and a VPN Concentrator 3000. The connection drops at around (or within) 30 minutes, but other than some routing issues it generally works. The tunnel does not reconnect (automatically, or manually by clicking the Connect button on the RV042) until I restart both devices.

I have set up a script to ping it every 5 minutes to keep activity. I changed the values of both SA lifetimes on both devices. Both devices match, but the two phases have different timings. I have tried disabling the keepalives on both devices. It still drops, but then of course neither device knows it. I have also tried with and without NAT-T on both sides, just in case.

I examined the logs.

When I then clicked the Connect button on the RV042 to try to initiate the connection after the drop:

RV042:

packet from 65.131.10.128:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]

packet from 65.131.10.128:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]

packet from 65.131.10.128:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]

packet from 65.131.10.128:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]

packet from 65.131.10.128:500: ignoring Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]

packet from 65.131.10.128:500: ignoring Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]

packet from 65.131.10.128:500: [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet

packet from 65.131.10.128:500: [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet

packet from 65.131.10.128:500: [Max][Max][Max] isa_rcookie

packet from 65.131.10.128:500: [Max][Max][Max] isa_rcookie

ERROR: asynchronous network error report on eth1 for message to 65.131.10.128 port 500, complainant 65.131.10.128: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]

And on VPN Concentrator 3000:

73 06/04/2012 15:14:14.270 SEV=4 IKE/41 RPT=5 249.21.27.124

IKE Initiator: New Phase 1, Intf 2, IKE Peer 249.21.27.124

local Proxy Address 172.0.0.0, remote Proxy Address 172.40.10.0,

SA (L2L: To Remote)

Currently I have the Keep Alive setting on only one side (as stated in another post).

The current setup is as follows:

RV042 (249.21.27.124 | 172.40.10.1), remote site
  Phase 1: 3DES-MD5-DH1, lifetime 86400
  Phase 2: 3DES-MD5-DH1, lifetime 28800
  Keep Alive
  DPD: 10

VPN Concentrator (65.131.10.128 | 172.20.1.2), main site
  IKE Proposal: 3DES-MD5-DH1, lifetime 86400
  IPSec SA: 3DES-MD5, lifetime 28800
  Keep Alives: off
  Confidence Interval: 10

PFS is off on both.

Thanks!

UPDATE:

I switched all encryption to 3DES-SHA when I could no longer get the tunnel up with the previous settings. The tunnel will stay up about 20 minutes. Even with the keepalive and DPD settings on the RV042, I see nothing in either log when the connection drops (the tunnel session acts as if it is still alive). However, I will try to replicate the errors I originally got with both keepalives on and post them here.

The asynchronous network error keeps happening after trying to reinitialize. The logs look a little different this time (with what feels like the cleanest settings).

Jun 5 09:03:44 2012           VPN Log           ERROR: asynchronous network error report on eth1 for message to 65.131.10.128 port 500, complainant 65.131.10.128: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]

Jun 5 09:04:24 2012           VPN Log           ERROR: asynchronous network error report on eth1 for message to 65.131.10.128 port 500, complainant 65.131.10.128: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]

Jun 5 09:05:04 2012           VPN Log           ERROR: asynchronous network error report on eth1 for message to 65.131.10.128 port 500, complainant 65.131.10.128: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]

Jun 5 09:05:09 2012           VPN Log           (g2gips0): deleting connection

Jun 5 09:05:09 2012           VPN Log           (g2gips0) #14: deleting state (STATE_MAIN_I1)

Jun 5 09:05:09 2012           VPN Log           added connection description (g2gips0)

Jun 5 09:05:09 2012           VPN Log           listening for IKE messages

Jun 5 09:05:09 2012           VPN Log           forgetting secrets

Jun 5 09:05:09 2012           VPN Log           loading secrets from '/etc/ipsec.d/ipsec.secrets'

Jun 5 09:05:09 2012           VPN Log           (g2gips0) #15: initiating Main Mode

Jun 5 09:05:09 2012           VPN Log           (g2gips0) #15: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet

Jun 5 09:05:09 2012           VPN Log           (g2gips0) #15: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet

Jun 5 09:05:09 2012           VPN Log           ERROR: asynchronous network error report on eth1 for message to 65.131.10.128 port 500, complainant 65.131.10.128: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]

A little later, unique messages between asynchronous errors:

Jun 5 09:15:14 2012           VPN Log           packet from 65.131.10.128:500: [Max][Max][Max] isa_rcookie

Jun 5 09:15:14 2012           VPN Log           packet from 65.131.10.128:500: [Max][Max][Max] isa_rcookie

Jun 5 09:16:14 2012           VPN Log           (g2gips0) #16: max number of retransmissions (2) reached STATE_MAIN_R1

Jun 5 09:16:14 2012           VPN Log           (g2gips0) #16: max number of retransmissions (2) reached STATE_MAIN_R1

Jun 5 09:18:19 2012           VPN Log           (g2gips0) #15: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message

Jun 5 09:18:19 2012           VPN Log           (g2gips0) #15: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message

Jun 5 09:18:19 2012           VPN Log           (g2gips0) #15: starting keying attempt 2 of an unlimited number

Jun 5 09:18:19 2012           VPN Log           (g2gips0) #17: initiating Main Mode to replace #15

Jun 5 09:18:19 2012           VPN Log           (g2gips0) #17: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet

Jun 5 09:18:19 2012           VPN Log           (g2gips0) #17: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet

Jun 5 09:18:19 2012           VPN Log           ERROR: asynchronous network error report on eth1 for message to 65.131.10.128 port 500, complainant 65.131.10.128: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]

1 Reply

ndeinlein (Level 1)

Both keepalive settings on.

Here are the logs.

RV042 Connection Established:

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #17: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #17: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #17: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #17: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #17: received Vendor ID payload [Dead Peer Detection]

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #17: received Vendor ID payload [Dead Peer Detection]

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #17: [Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #17: [Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #17: Peer ID is ID_IPV4_ADDR: '65.131.10.128'

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #17: [Tunnel Negotiation Info] Main Mode Phase 1 SA Established

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #17: [Tunnel Negotiation Info] Main Mode Phase 1 SA Established

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #17: ISAKMP SA established

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #18: initiating Quick Mode PSK+ENCRYPT+TUNNEL {using isakmp#17}

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #18: [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #18: [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #18: [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #18: [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #18: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=2-2.

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #18: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=2-2.

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #18: [Tunnel Negotiation Info] Inbound SPI value = b4ccd339

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #18: [Tunnel Negotiation Info] Inbound SPI value = b4ccd339

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #18: [Tunnel Negotiation Info] Outbound SPI value = 6e292749

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #18: [Tunnel Negotiation Info] Outbound SPI value = 6e292749

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #18: [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #18: [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #18: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #18: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #18: Dead Peer Detection (RFC 3706) enabled

Jun 5 09:29:30 2012           VPN Log           (g2gips0) #18: sent QI2, IPsec SA established {ESP=>0x6e292749 <0xb4ccd339

RV042 Connection Drops:

Jun 5 09:51:01 2012           VPN Log           ERROR: asynchronous network error report on eth1 for message to 65.131.10.128 port 500, complainant 65.131.10.128: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]

Jun 5 09:51:26 2012          Kernel           last message repeated 3 times

Jun 5 09:51:36 2012           VPN Log           (g2gips0) #17: received Delete SA(0x6e292749) payload: deleting IPSEC State #18

Jun 5 09:51:36 2012           VPN Log           (g2gips0) #17: received Delete SA(0x6e292749) payload: deleting IPSEC State #18

Jun 5 09:51:36 2012           VPN Log           ERROR: asynchronous network error report on eth1 for message to 65.131.10.128 port 500, complainant 65.131.10.128: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]

Jun 5 09:51:36 2012           VPN Log           (g2gips0) #17: received Delete SA payload: deleting ISAKMP State #17

Jun 5 09:51:36 2012           VPN Log           (g2gips0) #17: received Delete SA payload: deleting ISAKMP State #17

Jun 5 09:51:36 2012           VPN Log           (g2gips0) #19: initiating Main Mode

Jun 5 09:51:36 2012           VPN Log           (g2gips0) #19: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet

Jun 5 09:51:36 2012           VPN Log           (g2gips0) #19: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet

Jun 5 09:51:36 2012           VPN Log           ERROR: asynchronous network error report on eth1 for message to 65.131.10.128 port 500, complainant 65.131.10.128: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]

Jun 5 09:52:06 2012          Kernel           last message repeated 3 times

VPN Concentrator Connection Drops:

46 06/05/2012 09:50:51.180 SEV=4 IKE/123 RPT=1 249.21.27.124

Group [249.21.27.124]

IKE lost contact with remote peer, deleting connection (keepalive type: DPD)

48 06/05/2012 09:50:51.190 SEV=4 AUTH/23 RPT=1 249.21.27.124

User [249.21.27.124] Group [249.21.27.124] disconnected: duration: 0:22:06

49 06/05/2012 09:50:51.190 SEV=4 AUTH/85 RPT=1

LAN-to-LAN tunnel to headend device 249.21.27.124 disconnected: duration: 0:22:06
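As an added example (not from the thread and not code from either Cisco product), the following Python script parses the two log formats quoted in this thread, the RV042's pluto-style lines and the concentrator's numbered records, merges them on a single timeline and reports which side gave up on the tunnel first. It covers both situations shown above: the failed reconnect in the original post (ICMP port unreachable from the peer on UDP/500, then retransmissions exhausted) and the drop in this reply (concentrator DPD timeout at 09:50:51, then port unreachable and Delete SA on the RV042). The embedded samples are constructed from the lines quoted in the thread with the column whitespace collapsed; the `Event` class, the signature names and the verdict wording are this example's own.

```python
"""Triage an IKEv1 site-to-site drop from RV042 (pluto-style) and VPN 3000 Concentrator logs (example code)."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List

@dataclass
class Event:
    ts: datetime
    side: str                          # "rv042" or "vpn3000"
    text: str
    tags: List[str] = field(default_factory=list)

# "Jun 5 09:51:36 2012   VPN Log   (g2gips0) #17: received Delete SA(...) ..."
RV042_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+(?:VPN Log|Kernel)\s+(?P<msg>.*)$")
# "46 06/05/2012 09:50:51.180 SEV=4 IKE/123 RPT=1 249.21.27.124", with the message on the following line(s)
VPN3K_HDR_RE = re.compile(r"^\d+\s+(?P<ts>\d\d/\d\d/\d{4}\s+\d\d:\d\d:\d\d)\.\d+\s+SEV=\d+\s+(?P<cls>[A-Z]+/\d+)\s+RPT=\d+(?:\s+\S+)?\s*$")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")

SIGNATURES = {  # names are this example's own; the first match becomes tags[0]
    "dpd_timeout": re.compile(r"IKE lost contact with remote peer.*keepalive type: DPD"),
    "peer_port_unreachable": re.compile(r"ICMP type 3 code 3"),  # UDP/500 refused by the peer or the path
    "peer_deleted_ipsec_sa": re.compile(r"received Delete SA\(0x[0-9a-f]+\)"),
    "retransmit_exhausted": re.compile(r"max number of retransmissions"),
    "tunnel_up": re.compile(r"IPsec SA established"),
}
DROP_TAGS = ("dpd_timeout", "peer_port_unreachable", "peer_deleted_ipsec_sa", "retransmit_exhausted")

def parse_rv042(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        m = RV042_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S %Y")
        rep = REPEAT_RE.search(m.group("msg"))
        if rep and events:  # expand "last message repeated N times" so the counts are real
            events.extend(Event(ts, "rv042", events[-1].text) for _ in range(int(rep.group(1))))
        else:
            events.append(Event(ts, "rv042", m.group("msg")))
    return events

def parse_vpn3000(text: str) -> List[Event]:
    events: List[Event] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = VPN3K_HDR_RE.match(line)
        if m:
            cur = Event(datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S"), "vpn3000", m.group("cls"))
            events.append(cur)
        elif line and cur is not None:
            cur.text += " | " + line  # body lines belong to the preceding header
    return events

def diagnose(events: List[Event]) -> dict:
    """Merge both sides (clocks assumed close) and explain the first drop after tunnel-up."""
    for ev in events:
        ev.tags = [name for name, rx in SIGNATURES.items() if rx.search(ev.text)]
    evs = sorted(events, key=lambda e: e.ts)
    up = next((e for e in evs if "tunnel_up" in e.tags), None)
    after = [e for e in evs if up is None or e.ts >= up.ts]
    first = next((e for e in after if any(t in e.tags for t in DROP_TAGS)), None)
    unreach = [e for e in after if "peer_port_unreachable" in e.tags]
    deleted = next((e for e in after if "peer_deleted_ipsec_sa" in e.tags), None)
    r = {"first_drop_sign": (first.side, first.tags[0], first.ts) if first else None,
         "uptime_seconds": int((first.ts - up.ts).total_seconds()) if up and first else None,
         "unreachable_count": len(unreach),
         "unreachable_before_delete": bool(unreach and deleted and unreach[0].ts < deleted.ts)}
    if up is None:
        r["verdict"] = "never_up: " + ("peer refuses UDP/500 (ICMP port unreachable)" if unreach else "no usable IKE response")
    elif first is None:
        r["verdict"] = "no_drop: no drop signature after tunnel-up"
    elif first.side == "vpn3000" and first.tags[0] == "dpd_timeout":
        r["verdict"] = "dpd_first: concentrator DPD gave up before the RV042 noticed anything; check UDP/500 both ways"
    elif r["unreachable_before_delete"]:
        r["verdict"] = "unreachable_first: peer's IKE port (or a NAT/firewall in front of it) refused before any Delete SA"
    else:
        r["verdict"] = "delete_only: peer tore down the SAs with no prior reachability error"
    return r

# Samples constructed from the lines quoted in the thread (column whitespace collapsed).
RV042_DROP = """\
Jun 5 09:29:30 2012  VPN Log  (g2gips0) #18: sent QI2, IPsec SA established {ESP=>0x6e292749 <0xb4ccd339
Jun 5 09:51:01 2012  VPN Log  ERROR: asynchronous network error report on eth1 for message to 65.131.10.128 port 500, complainant 65.131.10.128: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]
Jun 5 09:51:26 2012  Kernel  last message repeated 3 times
Jun 5 09:51:36 2012  VPN Log  (g2gips0) #17: received Delete SA(0x6e292749) payload: deleting IPSEC State #18
"""
VPN3K_DROP = """\
46 06/05/2012 09:50:51.180 SEV=4 IKE/123 RPT=1 249.21.27.124
IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
48 06/05/2012 09:50:51.190 SEV=4 AUTH/23 RPT=1 249.21.27.124
User [249.21.27.124] Group [249.21.27.124] disconnected: duration: 0:22:06
"""
RV042_RECONNECT = """\
Jun 5 09:05:09 2012  VPN Log  ERROR: asynchronous network error report on eth1 for message to 65.131.10.128 port 500, complainant 65.131.10.128: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]
Jun 5 09:18:19 2012  VPN Log  (g2gips0) #15: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
"""
if __name__ == "__main__":
    print(diagnose(parse_rv042(RV042_DROP) + parse_vpn3000(VPN3K_DROP))["verdict"])
    print(diagnose(parse_rv042(RV042_RECONNECT))["verdict"])
```

Two caveats when reading its output against the logs above. First, the cross-device ordering is only as good as the two clocks: in the quoted logs the concentrator's DPD timeout (09:50:51) precedes the RV042's first ICMP error (09:51:01) by ten seconds, which the script takes at face value. Second, the RV042's "Connection refused ... ICMP type 3 code 3" is an ICMP port-unreachable for UDP/500 coming back from the concentrator's address, which says the IKE listener at that address (or a NAT or firewall answering for it) is rejecting IKE at that moment; it does not by itself say why, so the verdict is a pointer to where to capture traffic next, not a root cause.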