Re: [fw-wiz] Cisco VPN reconnection every 23 minutes



On IPSec negotiation, the rekey is based on lifetime or bytes. When negotiation takes place, the lowest value is always used. So it does not matter if one is higher than the other; the negotiation does not have to agree on the lifetime/byte values.

Correct, I just adjusted the lifetime value on PEER1 to the value on PEER2.

What I still don't understand is that there are two different reasons for a disconnection:

1) Peer Terminate
2) User Requested

Which peer and what user is this?

The only thing I found is that User Requested is sometimes a reason for a lost connection.
Or does it mean PEER2 initiated the disconnect?



Are you running IPSec VPN with udp encapsulation?

ipsec-udp disable (see config below)


No, I don't (UDP disabled). It uses TCP.


I have seen problems with them, because some SOHO firewalls like Netgear etc. treat them as UDP connections and close the state after a predetermined amount of time.

The way you can see this is: if you run tcpdump/ethereal you will see a heck of a lot of UDP packets going between the client and the VPN concentrator.

If that is the case, there are two ways to fix it:

1. Disable SPI on the SOHO router/firewall (very bad, not recommended)
2. Disable UDP encapsulation and enable ESP to flow, i.e. you will see protocol 50 in the IP header instead of protocol 17; all newer routers/firewalls allow them through.

What I see is that the client on PEER1 is trying to send a TCP retransmission packet after the tunnel got disconnected.


Can you forward crypto config from the Cisco VPN concentrator?



===== Crypto map =====

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 61 match address outside_61_cryptomap
crypto map outside_map 61 set pfs
crypto map outside_map 61 set peer REMOTE_PEER_IP
crypto map outside_map 61 set transform-set ESP-3DES-MD5
crypto map outside_map 61 set security-association lifetime seconds 3600

crypto map outside_map interface outside
crypto isakmp enable outside

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group REMOTE_PEER_IP type ipsec-l2l
tunnel-group REMOTE_PEER_IP general-attributes
default-group-policy vpn-unlimited
tunnel-group REMOTE_PEER_IP ipsec-attributes
pre-shared-key *


====== Group Policy =====

group-policy vpn-unlimited attributes
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock value REMOTE_PEER_IP
pfs disable
ipsec-udp disable
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
client-firewall none
client-access-rule none
webvpn
functions none
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization none
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client 60
svc dpd-interval gateway 60
svc compression deflate
vpn-nac-exempt none


show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 61, local addr: LOCAL_PEER1_IP

access-list outside_61_cryptomap permit ip LOCAL_LAN_NET_IP LOCAL_LAN_NET_MASK host REMOTE_LAN_IP
local ident (addr/mask/prot/port): (LOCAL_LAN_NET_IP/LOCAL_LAN_NET_MASK/0/0)
remote ident (addr/mask/prot/port): (REMOTE_LAN_IP/255.255.255.255/0/0)
current_peer: REMOTE_PEER_IP

#pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
#pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 20, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: LOCAL_PEER1_IP, remote crypto endpt.: REMOTE_PEER_IP

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: A2E47E62

inbound esp sas:
spi: 0x8A930C7F (2324892799)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 4433, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3824999/3341)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xA2E47E62 (2732883554)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 4433, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3824998/3341)
IV size: 8 bytes
replay detection support: Y


On all INTERFACEs it is

fragmentation INTERFACE before-encryption


show crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: REMOTE_PEER_IP
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE


show crypto isakmp ipsec-over-tcp stats

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0

show crypto protocol statistics all
[IKEv1 statistics]
Encrypt packet requests: 120048
Encapsulate packet requests: 120048
Decrypt packet requests: 117999
Decapsulate packet requests: 117999
HMAC calculation requests: 146409
SA creation requests: 1686
SA rekey requests: 22
SA deletion requests: 4891
Next phase key allocation requests: 6092
Random number generation requests: 0
Failed requests: 0
[IKEv2 statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 0
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
[IPsec statistics]
Encrypt packet requests: 127490
Encapsulate packet requests: 127490
Decrypt packet requests: 119951
Decapsulate packet requests: 119951
HMAC calculation requests: 247441
SA creation requests: 6062
SA rekey requests: 30
SA deletion requests: 6482
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
[SSL statistics]
Encrypt packet requests: 398182
Encapsulate packet requests: 398182
Decrypt packet requests: 4875
Decapsulate packet requests: 4875
HMAC calculation requests: 403057
SA creation requests: 3967
SA rekey requests: 0
SA deletion requests: 3967
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
[SSH statistics are not supported]
[SRTP statistics are not supported]
[Other statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 16362
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 30568
Failed requests: 0


show crypto accelerator statistics

Crypto Accelerator Status
-------------------------
[Capability]
Supports hardware crypto: True
Supports modular hardware crypto: False
Max accelerators: 1
Max crypto throughput: 50 Mbps
Max crypto connections: 250
[Global Statistics]
Number of active accelerators: 1
Number of non-operational accelerators: 0
Input packets: 124682
Input bytes: 18397412
Output packets: 525537
Output error packets: 0
Output bytes: 143599804

[Accelerator 0]
Status: OK
Software crypto engine
Slot: 0
Active time: 14256241 seconds
Total crypto transforms: 55911
Total dropped packets: 0
[Input statistics]
Input packets: 0
Input bytes: 83248
Input hashed packets: 0
Input hashed bytes: 0
Decrypted packets: 0
Decrypted bytes: 83248
[Output statistics]
Output packets: 0
Output bad packets: 0
Output bytes: 597288
Output hashed packets: 0
Output hashed bytes: 0
Encrypted packets: 0
Encrypted bytes: 597496
[Diffie-Hellman statistics]
Keys generated: 0
Secret keys derived: 0
[RSA statistics]
Keys generated: 15
Signatures: 14
Verifications: 0
Encrypted packets: 0
Encrypted bytes: 0
Decrypted packets: 0
Decrypted bytes: 0
[DSA statistics]
Keys generated: 0
Signatures: 0
Verifications: 0
[SSL statistics]
Outbound records: 0
Inbound records: 0
[RNG statistics]
Random number requests: 97
Random number request failures: 0

[Accelerator 1]
Status: OK
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x 0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
Slot: 1
Active time: 14256255 seconds
Total crypto transforms: 1307288
Total dropped packets: 0
[Input statistics]
Input packets: 124683
Input bytes: 18314428
Input hashed packets: 119809
Input hashed bytes: 9333356
Decrypted packets: 124684
Decrypted bytes: 14084580
[Output statistics]
Output packets: 525539
Output bad packets: 0
Output bytes: 143003844
Output hashed packets: 127357
Output hashed bytes: 13210864
Encrypted packets: 525539
Encrypted bytes: 136827532
[Diffie-Hellman statistics]
Keys generated: 3281
Secret keys derived: 2832
[RSA statistics]
Keys generated: 0
Signatures: 0
Verifications: 0
Encrypted packets: 0
Encrypted bytes: 0
Decrypted packets: 0
Decrypted bytes: 0
[DSA statistics]
Keys generated: 0
Signatures: 0
Verifications: 0
[SSL statistics]
Outbound records: 398182
Inbound records: 4875
[RNG statistics]
Random number requests: 30465
Random number request failures: 0


Hope this helps.
Prabhu
-


Paul Murphy wrote:
Have you checked your rekey duration on both sides? It looks like one peer has a considerably shorter rekey value.

Thanks,

Paul Murphy






ditribar@xxxxxx
Sent by: firewall-wizards-bounces@listserv.icsalabs.com
To: firewall-wizards@xxxxxxxxxxxxxxxxxx
cc:
Subject: [fw-wiz] Cisco VPN reconnection every 23 minutes
Date: 05/31/2007 12:24 PM
Please respond to Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>








Can anybody help me to solve the following problem?

A VPN tunnel is established and working so far, but the connection gets reconnected about every 23 minutes.

Here are some logs of what's happening on PEER1 (AAA.BBB.CCC.DDD) (Cisco ASA 5500):

Peer connect

2007-05-31T17:30:08+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP = REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer REMOTE_PEER_IP local Proxy Address LOCAL_PROXY_IP, remote Proxy Address REMOTE_LAN_IP, Crypto map (outside_map)
2007-05-31T17:30:10+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously allocated memory for authorization-dn-attributes
2007-05-31T17:30:10+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for LAN-to-LAN Group (REMOTE_PEER_IP) Initiator, Inbound SPI = 0x8d72d873, Outbound SPI = 0xee7d09b6
2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=2a2a6615)

Peer disconnect again

2007-05-31T17:53:46+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713050: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Connection terminated for peer REMOTE_PEER_IP. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
2007-05-31T17:53:46+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019: Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:23m:36s, Bytes xmt: 6572, Bytes rcv: 7772, Reason: User Requested
2007-05-31T17:53:58+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP = REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer REMOTE_PEER_IP local Proxy Address LOCAL_PROXY_IP, remote Proxy Address REMOTE_LAN_IP, Crypto map (outside_map)
2007-05-31T17:54:00+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously allocated memory for authorization-dn-attributes
2007-05-31T17:54:00+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
2007-05-31T17:54:01+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
2007-05-31T17:54:01+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for LAN-to-LAN Group (REMOTE_PEER_IP) Initiator, Inbound SPI = 0x695fe990, Outbound SPI = 0x792e9c57
2007-05-31T17:54:01+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=b6a126bc)

Manual disconnect

2007-05-31T18:00:32+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019: Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:06m:31s, Bytes xmt: 0, Bytes rcv: 0, Reason: Administrator Reset
2007-05-31T18:00:32+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713050: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Connection terminated for peer REMOTE_PEER_IP. Reason: Administrator Reset Remote Proxy REMOTE_LAN_IP, Local Proxy LOCAL_PROXY_IP
2007-05-31T18:00:39+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP = REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer REMOTE_PEER_IP local Proxy Address LOCAL_PROXY_IP, remote Proxy Address REMOTE_LAN_IP, Crypto map (outside_map)
2007-05-31T18:00:40+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously allocated memory for authorization-dn-attributes
2007-05-31T18:00:40+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
2007-05-31T18:00:41+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
2007-05-31T18:00:41+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for LAN-to-LAN Group (REMOTE_PEER_IP) Initiator, Inbound SPI = 0x6bccacec, Outbound SPI = 0x7a216c5f
2007-05-31T18:00:41+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=fe0bd283)

Peer disconnect again

2007-05-31T18:24:12+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713050: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Connection terminated for peer REMOTE_PEER_IP. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
2007-05-31T18:24:12+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019: Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:23m:32s, Bytes xmt: 6104, Bytes rcv: 6616, Reason: User Requested
2007-05-31T18:25:52+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP = REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer REMOTE_PEER_IP local Proxy Address LOCAL_PROXY_IP, remote Proxy Address REMOTE_LAN_IP, Crypto map (outside_map)
2007-05-31T18:25:54+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously allocated memory for authorization-dn-attributes
2007-05-31T18:25:54+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
2007-05-31T18:25:55+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
2007-05-31T18:25:55+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for LAN-to-LAN Group (REMOTE_PEER_IP) Initiator, Inbound SPI = 0xba41c143, Outbound SPI = 0xb16e5642
2007-05-31T18:25:55+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED (msgid=c825a866)

..... disconnect occurs about every 23 minutes


Any ideas?

Kind regards

ditribar
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
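The ASA log lines in the post above carry enough to separate rekey-driven drops from peer-initiated ones: the 713073 line records the IPsec SA lifetime the responder forced, and each 113019 line records how long the session actually lasted and why it ended. As an added example (not from the thread or from Cisco), here is a small Python parser that reads four of those lines, records the forced lifetime, parses each disconnect, and flags sessions that ended inside that lifetime for a reason the local administrator did not cause. The log lines are copied from the thread; the ADMIN_REASONS set, the function names and the record field names are my own.

```python
import re
from collections import Counter

# Four syslog lines copied from the thread above (addresses were already
# anonymised there): one 713073 rekey line and three 113019 disconnects.
SAMPLE_LOG = """\
2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073: Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
2007-05-31T17:53:46+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019: Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:23m:36s, Bytes xmt: 6572, Bytes rcv: 7772, Reason: User Requested
2007-05-31T18:00:32+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019: Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:06m:31s, Bytes xmt: 0, Bytes rcv: 0, Reason: Administrator Reset
2007-05-31T18:24:12+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019: Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:23m:32s, Bytes xmt: 6104, Bytes rcv: 6616, Reason: User Requested
"""

RE_REKEY = re.compile(r"%ASA-5-713073: .* rekeying duration from (\d+) to (\d+) seconds")
RE_DISC = re.compile(r"%ASA-4-113019: Group = (?P<group>[^,]+),.*Session disconnected\. "
                     r"Session Type: (?P<type>[^,]+), Duration: (?P<dur>[^,]+), "
                     r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+)$")
# Reasons this box's own administrator caused (assumed set; extend as your logs require).
ADMIN_REASONS = {"Administrator Reset"}

def parse_duration(text):
    """'0h:23m:36s' -> 1416 seconds."""
    h, m, s = (int(x) for x in re.fullmatch(r"(\d+)h:(\d+)m:(\d+)s", text).groups())
    return h * 3600 + m * 60 + s

def parse_log(text):
    """Return (negotiated IPsec SA lifetime in seconds or None, list of disconnect records)."""
    lifetime, sessions = None, []
    for line in text.splitlines():
        if m := RE_REKEY.search(line):
            lifetime = int(m.group(2))          # the value the responder forced
        elif m := RE_DISC.search(line):
            sessions.append({"time": line.split()[0], "group": m["group"],
                             "duration": parse_duration(m["dur"]),
                             "bytes": int(m["xmt"]) + int(m["rcv"]),
                             "reason": m["reason"].strip()})
    return lifetime, sessions

def premature_drops(text):
    """Disconnects that happened inside the negotiated lifetime and were not
    caused locally. The rekey timer cannot explain these, so they are the ones
    to correlate with the peer's own logs."""
    lifetime, sessions = parse_log(text)
    return [s for s in sessions if s["reason"] not in ADMIN_REASONS
            and (lifetime is None or s["duration"] < lifetime)]

def summarise(text):
    """Count premature drops by reason and give their mean duration in minutes."""
    drops = premature_drops(text)
    mean = round(sum(d["duration"] for d in drops) / 60 / len(drops), 1) if drops else 0.0
    return {"lifetime": parse_log(text)[0], "premature": len(drops),
            "reasons": dict(Counter(d["reason"] for d in drops)), "mean_minutes": mean}
```

Run against a full syslog export, a steady mean well below the lifetime with a single non-administrative reason points away from this box's rekey settings and towards the peer or the path between them.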
