- Cisco Community
- Technology and Support
- Security
- VPN
- VPN Tunnel Dropping Connection
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
VPN Tunnel Dropping Connection
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-04-2012 11:34 PM
I have setup a VPN tunnel between a Cisco RV042 and a VPN Concentrator 3000. The connection drops in around/within 30 minutes, but other than some routing issues it generally works. The tunnel does not reconnect (automatically or manually by clicking the connect button on the RV042) until I restart both devices.
I have setup a script to ping it every 5 minutes to keep activity. I changed the values of both SA lifetimes and on both devices. Both devices match but the phases are different timing. I have tried disabling the keep alives on both devices. It still drops but then of course neither device knows it. I have also tried with and without NAT-T on both sides, just in case.
I examined the logs.
When I then clicked the connect button on the RV042 to try and initiate the connection after the drop:
RV042:
packet from 65.131.10.128:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
packet from 65.131.10.128:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
packet from 65.131.10.128:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
packet from 65.131.10.128:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
packet from 65.131.10.128:500: ignoring Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
packet from 65.131.10.128:500: ignoring Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
packet from 65.131.10.128:500: [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
packet from 65.131.10.128:500: [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
packet from 65.131.10.128:500: [Max][Max][Max] isa_rcookie
packet from 65.131.10.128:500: [Max][Max][Max] isa_rcookie
ERROR: asynchronous network error report on eth1 for message to 65.131.10.128 port 500, complainant 65.131.10.128: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]
And on VPN Concentrator 3000:
73 06/04/2012 15:14:14.270 SEV=4 IKE/41 RPT=5 249.21.27.124
IKE Initiator: New Phase 1, Intf 2, IKE Peer 249.21.27.124
local Proxy Address 172.0.0.0, remote Proxy Address 172.40.10.0,
SA (L2L: To Remote)
Currently I have the Keep Alive setting on only one side (as stated in another post).
The current setup is as follows:
RV042 (249.21.27.124 | 172.40.10.1) Remote Site
Phase 1: 3DES-MD5-DH1 86400
Phase 2: 3DES-MD5-DH1 28800
Keep Alive
DPD 10
VPN Concentrator (65.131.10.128 | 172.20.1.2) Main Site
IKE Proposal: 3DES-MD5-DH1 86400
IPSec SA: 3DES-MD5 28800
Keep Alives Off
Cofindence Interval: 10
PSF is off on both.
Thanks!
UPDATE:
I switched all encryptions to 3DES-SHA when I could no longer get the tunnel up with the previous settings. Tunnel will stay up about 20 minutes. Even with the keep alive and DPD settings on the RV042, I see nothing in either logs when the connection drops (the tunnel sessions acts as if it is still alive). However, I will try to replicate the errors I originally got with both Keep Alives on and post them here.
Asynchronous network error keeps happening after trying to reinitialize. Logs look a little different this time (with what feels like the cleanest settings).
Jun 5 09:03:44 2012 VPN Log ERROR: asynchronous network error report on eth1 for message to 65.131.10.128 port 500, complainant 65.131.10.128: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]
Jun 5 09:04:24 2012 VPN Log ERROR: asynchronous network error report on eth1 for message to 65.131.10.128 port 500, complainant 65.131.10.128: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]
Jun 5 09:05:04 2012 VPN Log ERROR: asynchronous network error report on eth1 for message to 65.131.10.128 port 500, complainant 65.131.10.128: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]
Jun 5 09:05:09 2012 VPN Log (g2gips0): deleting connection
Jun 5 09:05:09 2012 VPN Log (g2gips0) #14: deleting state (STATE_MAIN_I1)
Jun 5 09:05:09 2012 VPN Log added connection description (g2gips0)
Jun 5 09:05:09 2012 VPN Log listening for IKE messages
Jun 5 09:05:09 2012 VPN Log forgetting secrets
Jun 5 09:05:09 2012 VPN Log loading secrets from '/etc/ipsec.d/ipsec.secrets'
Jun 5 09:05:09 2012 VPN Log (g2gips0) #15: initiating Main Mode
Jun 5 09:05:09 2012 VPN Log (g2gips0) #15: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Jun 5 09:05:09 2012 VPN Log (g2gips0) #15: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Jun 5 09:05:09 2012 VPN Log ERROR: asynchronous network error report on eth1 for message to 65.131.10.128 port 500, complainant 65.131.10.128: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]
A little later, unique messages between asynchronous errors:
Jun 5 09:15:14 2012 VPN Log packet from 65.131.10.128:500: [Max][Max][Max] isa_rcookie
Jun 5 09:15:14 2012 VPN Log packet from 65.131.10.128:500: [Max][Max][Max] isa_rcookie
Jun 5 09:16:14 2012 VPN Log (g2gips0) #16: max number of retransmissions (2) reached STATE_MAIN_R1
Jun 5 09:16:14 2012 VPN Log (g2gips0) #16: max number of retransmissions (2) reached STATE_MAIN_R1
Jun 5 09:18:19 2012 VPN Log (g2gips0) #15: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
Jun 5 09:18:19 2012 VPN Log (g2gips0) #15: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
Jun 5 09:18:19 2012 VPN Log (g2gips0) #15: starting keying attempt 2 of an unlimited number
Jun 5 09:18:19 2012 VPN Log (g2gips0) #17: initiating Main Mode to replace #15
Jun 5 09:18:19 2012 VPN Log (g2gips0) #17: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Jun 5 09:18:19 2012 VPN Log (g2gips0) #17: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Jun 5 09:18:19 2012 VPN Log ERROR: asynchronous network error report on eth1 for message to 65.131.10.128 port 500, complainant 65.131.10.128: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]
- Labels:
-
VPN
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-05-2012 08:11 AM
Both Keep Alives settings on.
Here is the logs.
RV042 Connection Established:
Jun 5 09:29:30 2012 VPN Log (g2gips0) #17: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
Jun 5 09:29:30 2012 VPN Log (g2gips0) #17: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
Jun 5 09:29:30 2012 VPN Log (g2gips0) #17: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet
Jun 5 09:29:30 2012 VPN Log (g2gips0) #17: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet
Jun 5 09:29:30 2012 VPN Log (g2gips0) #17: received Vendor ID payload [Dead Peer Detection]
Jun 5 09:29:30 2012 VPN Log (g2gips0) #17: received Vendor ID payload [Dead Peer Detection]
Jun 5 09:29:30 2012 VPN Log (g2gips0) #17: [Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet
Jun 5 09:29:30 2012 VPN Log (g2gips0) #17: [Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet
Jun 5 09:29:30 2012 VPN Log (g2gips0) #17: Peer ID is ID_IPV4_ADDR: '65.131.10.128'
Jun 5 09:29:30 2012 VPN Log (g2gips0) #17: [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Jun 5 09:29:30 2012 VPN Log (g2gips0) #17: [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Jun 5 09:29:30 2012 VPN Log (g2gips0) #17: ISAKMP SA established
Jun 5 09:29:30 2012 VPN Log (g2gips0) #18: initiating Quick Mode PSK+ENCRYPT+TUNNEL {using isakmp#17}
Jun 5 09:29:30 2012 VPN Log (g2gips0) #18: [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
Jun 5 09:29:30 2012 VPN Log (g2gips0) #18: [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
Jun 5 09:29:30 2012 VPN Log (g2gips0) #18: [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet
Jun 5 09:29:30 2012 VPN Log (g2gips0) #18: [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet
Jun 5 09:29:30 2012 VPN Log (g2gips0) #18: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=2-2.
Jun 5 09:29:30 2012 VPN Log (g2gips0) #18: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=2-2.
Jun 5 09:29:30 2012 VPN Log (g2gips0) #18: [Tunnel Negotiation Info] Inbound SPI value = b4ccd339
Jun 5 09:29:30 2012 VPN Log (g2gips0) #18: [Tunnel Negotiation Info] Inbound SPI value = b4ccd339
Jun 5 09:29:30 2012 VPN Log (g2gips0) #18: [Tunnel Negotiation Info] Outbound SPI value = 6e292749
Jun 5 09:29:30 2012 VPN Log (g2gips0) #18: [Tunnel Negotiation Info] Outbound SPI value = 6e292749
Jun 5 09:29:30 2012 VPN Log (g2gips0) #18: [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet
Jun 5 09:29:30 2012 VPN Log (g2gips0) #18: [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet
Jun 5 09:29:30 2012 VPN Log (g2gips0) #18: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jun 5 09:29:30 2012 VPN Log (g2gips0) #18: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jun 5 09:29:30 2012 VPN Log (g2gips0) #18: Dead Peer Detection (RFC 3706) enabled
Jun 5 09:29:30 2012 VPN Log (g2gips0) #18: sent QI2, IPsec SA established {ESP=>0x6e292749 <0xb4ccd339
RV042 Connection Drops:
Jun 5 09:51:01 2012 VPN Log ERROR: asynchronous network error report on eth1 for message to 65.131.10.128 port 500, complainant 65.131.10.128: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]
Jun 5 09:51:26 2012 Kernel last message repeated 3 times
Jun 5 09:51:36 2012 VPN Log (g2gips0) #17: received Delete SA(0x6e292749) payload: deleting IPSEC State #18
Jun 5 09:51:36 2012 VPN Log (g2gips0) #17: received Delete SA(0x6e292749) payload: deleting IPSEC State #18
Jun 5 09:51:36 2012 VPN Log ERROR: asynchronous network error report on eth1 for message to 65.131.10.128 port 500, complainant 65.131.10.128: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]
Jun 5 09:51:36 2012 VPN Log (g2gips0) #17: received Delete SA payload: deleting ISAKMP State #17
Jun 5 09:51:36 2012 VPN Log (g2gips0) #17: received Delete SA payload: deleting ISAKMP State #17
Jun 5 09:51:36 2012 VPN Log (g2gips0) #19: initiating Main Mode
Jun 5 09:51:36 2012 VPN Log (g2gips0) #19: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Jun 5 09:51:36 2012 VPN Log (g2gips0) #19: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Jun 5 09:51:36 2012 VPN Log ERROR: asynchronous network error report on eth1 for message to 65.131.10.128 port 500, complainant 65.131.10.128: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]
Jun 5 09:52:06 2012 Kernel last message repeated 3 times
VPN Concentrator Connection Drops:
46 06/05/2012 09:50:51.180 SEV=4 IKE/123 RPT=1 249.21.27.124
Group [249.21.27.124]
IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
48 06/05/2012 09:50:51.190 SEV=4 AUTH/23 RPT=1 249.21.27.124
User [249.21.27.124] Group [249.21.27.124] disconnected: duration: 0:22:06
49 06/05/2012 09:50:51.190 SEV=4 AUTH/85 RPT=1
LAN-to-LAN tunnel to headend device 249.21.27.124 disconnected: duration: 0:22:
06
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide