Re: [fw-wiz] Cisco VPN reconnection every 23 minutes



On IPSec negotiation, the rekey is based on lifetime or bytes. When negotiation
takes place, the lowest value is always used. So it does not matter if one is
higher than the other; the negotiation does not have to agree on the
lifetime/byte values.

Are you running IPSec VPN with udp encapsulation?
I have seen problems with them, because some SOHO firewalls like Netgear etc.
treat them as UDP connections and close the state after a predetermined amount
of time.

The way you can see this is to run tcpdump/ethereal: you will see a heck of a lot
of UDP packets going between the client and the VPN concentrator.

If that is the case, two ways to fix it:

1. Disable SPI on the SOHO router/firewall (very bad, not recommended)
2. Disable UDP encapsulation and allow ESP to flow, i.e. you will see protocol
50 in the IP header instead of protocol 17; all newer routers/firewalls allow
it through.

Can you forward crypto config from the Cisco VPN concentrator?

Hope this helps.
Prabhu
-
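As an added example (not written by anyone in this thread), a short Python triage script that applies Prabhu's reasoning to the ASA syslog lines quoted further down: it reads the lifetime the responder forced (%ASA-5-713073) and the durations of the peer-initiated session drops (%ASA-4-113019 with Reason: User Requested), then reports whether the drops line up with the negotiated rekey or recur at a fixed period well short of it, which is what a middlebox UDP state timeout would look like. The embedded log is a constructed copy of the thread's lines, and the thresholds (60 s spread, 90 % of lifetime) and verdict names are assumptions of this script, not ASA semantics.

```python
import re
from statistics import mean, pstdev

# Constructed sample: the %ASA-5-713073 lifetime line and the %ASA-4-113019
# session-end lines quoted in the thread (line-wrapped there, joined here).
SAMPLE_LOG = """\
2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
2007-05-31T17:53:46+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019: Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:23m:36s, Bytes xmt: 6572, Bytes rcv: 7772, Reason: User Requested
2007-05-31T18:00:32+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019: Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:06m:31s, Bytes xmt: 0, Bytes rcv: 0, Reason: Administrator Reset
2007-05-31T18:24:12+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019: Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:23m:32s, Bytes xmt: 6104, Bytes rcv: 6616, Reason: User Requested
"""

DURATION_RE = re.compile(r"Duration: (\d+)h:(\d+)m:(\d+)s")
REASON_RE = re.compile(r"Reason: (.+?)\s*$")
LIFETIME_RE = re.compile(r"rekeying duration from \d+ to (\d+) seconds")

def duration_seconds(line):
    """Convert the ASA 'Duration: 0h:23m:36s' field to whole seconds."""
    m = DURATION_RE.search(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s

def analyse(log_text):
    """Compare peer-initiated session lifetimes with the negotiated SA lifetime."""
    lifetime = None
    peer_durations = []  # 'User Requested' here means the remote peer tore the SA down
    for line in log_text.splitlines():
        if "%ASA-5-713073" in line:
            m = LIFETIME_RE.search(line)
            if m:
                lifetime = int(m.group(1))  # the lower of the two proposals wins
        elif "%ASA-4-113019" in line:
            reason, secs = REASON_RE.search(line), duration_seconds(line)
            # Skip local 'Administrator Reset' sessions; they say nothing about the peer.
            if reason and secs is not None and reason.group(1) == "User Requested":
                peer_durations.append(secs)
    verdict = "insufficient_data"
    if lifetime and len(peer_durations) >= 2:
        avg, spread = mean(peer_durations), pstdev(peer_durations)
        if spread > 60:
            verdict = "irregular"  # no fixed period: look elsewhere
        elif avg < 0.9 * lifetime:
            verdict = "middlebox_timeout_suspected"  # regular, but far short of the rekey
        else:
            verdict = "rekey_aligned"  # drops coincide with the SA lifetime
    return {"lifetime_seconds": lifetime, "peer_durations": peer_durations, "verdict": verdict}
```

Running analyse(SAMPLE_LOG) on the thread's lines gives a 3600 s lifetime against two peer drops of 1416 s and 1412 s, so the verdict is "middlebox_timeout_suspected" rather than a rekey problem.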


Paul Murphy wrote:
Have you checked your rekey duration on both sides? It looks like one peer
has a considerably shorter rekey value.

Thanks,

Paul Murphy





From: ditribar@xxxxxx
Sent by: firewall-wizards-bounces@listserv.icsalabs.com
To: firewall-wizards@xxxxxxxxxxxxxxxxxx
Date: 05/31/2007 12:24 PM
Subject: [fw-wiz] Cisco VPN reconnection every 23 minutes
Please respond to: Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>






Can anybody help me to solve the following problem?

A VPN Tunnel is established and working so far, but the connection gets
reconnected about every 23 minutes.

Here are some logs of what's happening on PEER1 (AAA.BBB.CCC.DDD) (Cisco
ASA 5500):

Peer connect

2007-05-31T17:30:08+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP =
REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer
REMOTE_PEER_IP local Proxy Address LOCAL_PROXY_IP, remote Proxy Address
REMOTE_LAN_IP, Crypto map (outside_map)
2007-05-31T17:30:10+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903:
Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously allocated
memory for authorization-dn-attributes
2007-05-31T17:30:10+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group =
REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec
rekeying duration from 28800 to 3600 seconds
2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for
LAN-to-LAN Group (REMOTE_PEER_IP) Initiator, Inbound SPI = 0x8d72d873,
Outbound SPI = 0xee7d09b6
2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=2a2a6615)

Peer disconnect again

2007-05-31T17:53:46+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713050: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Connection terminated for peer
REMOTE_PEER_IP. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
2007-05-31T17:53:46+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019:
Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP,
Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:23m:36s,
Bytes xmt: 6572, Bytes rcv: 7772, Reason: User Requested
2007-05-31T17:53:58+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP =
REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer
REMOTE_PEER_IP local Proxy Address LOCAL_PROXY_IP, remote Proxy Address
REMOTE_LAN_IP, Crypto map (outside_map)
2007-05-31T17:54:00+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903:
Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously allocated
memory for authorization-dn-attributes
2007-05-31T17:54:00+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group =
REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
2007-05-31T17:54:01+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec
rekeying duration from 28800 to 3600 seconds
2007-05-31T17:54:01+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for
LAN-to-LAN Group (REMOTE_PEER_IP) Initiator, Inbound SPI = 0x695fe990,
Outbound SPI = 0x792e9c57
2007-05-31T17:54:01+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=b6a126bc)

Manual disconnect

2007-05-31T18:00:32+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019:
Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP,
Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:06m:31s,
Bytes xmt: 0, Bytes rcv: 0, Reason: Administrator Reset
2007-05-31T18:00:32+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713050: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Connection terminated for peer
REMOTE_PEER_IP. Reason: Administrator Reset Remote Proxy REMOTE_LAN_IP,
Local Proxy LOCAL_PROXY_IP
2007-05-31T18:00:39+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP =
REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer
REMOTE_PEER_IP local Proxy Address LOCAL_PROXY_IP, remote Proxy Address
REMOTE_LAN_IP, Crypto map (outside_map)
2007-05-31T18:00:40+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903:
Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously allocated
memory for authorization-dn-attributes
2007-05-31T18:00:40+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group =
REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
2007-05-31T18:00:41+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec
rekeying duration from 28800 to 3600 seconds
2007-05-31T18:00:41+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for
LAN-to-LAN Group (REMOTE_PEER_IP) Initiator, Inbound SPI = 0x6bccacec,
Outbound SPI = 0x7a216c5f
2007-05-31T18:00:41+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=fe0bd283)

Peer disconnect again

2007-05-31T18:24:12+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713050: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Connection terminated for peer
REMOTE_PEER_IP. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
2007-05-31T18:24:12+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019:
Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP,
Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:23m:32s,
Bytes xmt: 6104, Bytes rcv: 6616, Reason: User Requested
2007-05-31T18:25:52+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP =
REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer
REMOTE_PEER_IP local Proxy Address LOCAL_PROXY_IP, remote Proxy Address
REMOTE_LAN_IP, Crypto map (outside_map)
2007-05-31T18:25:54+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903:
Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously allocated
memory for authorization-dn-attributes
2007-05-31T18:25:54+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group =
REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
2007-05-31T18:25:55+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec
rekeying duration from 28800 to 3600 seconds
2007-05-31T18:25:55+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for
LAN-to-LAN Group (REMOTE_PEER_IP) Initiator, Inbound SPI = 0xba41c143,
Outbound SPI = 0xb16e5642
2007-05-31T18:25:55+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group
= REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=c825a866)

..... disconnect occurs about every 23 minutes


Any ideas?

Kind regards

ditribar
--
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
