Hi,
IPSec Client-SA is deleted every 2.5 minutes. Main-IPSec-SA stays active.
System: XGS v19.5
2023-01-26 15:58:42Z 20[NET] <STATION010-1|4> received packet: from 109.40.222.222[41135] to 111.222.333.444[4500] (1236 bytes)
2023-01-26 15:58:42Z 20[ENC] <STATION010-1|4> parsed CREATE_CHILD_SA request 6 [ EF(1/2) ]
2023-01-26 15:58:42Z 20[ENC] <STATION010-1|4> received fragment #1 of 2, waiting for complete IKE message
2023-01-26 15:58:42Z 15[NET] <STATION010-1|4> received packet: from 109.40.222.222[41135] to 111.222.333.444[4500] (244 bytes)
2023-01-26 15:58:42Z 15[ENC] <STATION010-1|4> parsed CREATE_CHILD_SA request 6 [ EF(2/2) ]
2023-01-26 15:58:42Z 15[ENC] <STATION010-1|4> received fragment #2 of 2, reassembling fragmented IKE message
2023-01-26 15:58:42Z 15[ENC] <STATION010-1|4> parsed CREATE_CHILD_SA request 6 [ SA No KE TSi TSr ]
2023-01-26 15:58:42Z 15[IKE] <STATION010-1|4> DH group MODP_4096 inacceptable, requesting MODP_2048
2023-01-26 15:58:42Z 15[IKE] <STATION010-1|4> failed to establish CHILD_SA, keeping IKE_SA
2023-01-26 15:58:42Z 15[ENC] <STATION010-1|4> generating CREATE_CHILD_SA response 6 [ N(INVAL_KE) ]
2023-01-26 15:58:42Z 15[NET] <STATION010-1|4> sending packet: from 111.222.333.444[4500] to 109.40.222.222[41135] (80 bytes)
2023-01-26 15:58:43Z 29[NET] <STATION010-1|4> received packet: from 109.40.222.222[41135] to 111.222.333.444[4500] (1152 bytes)
2023-01-26 15:58:43Z 29[ENC] <STATION010-1|4> parsed CREATE_CHILD_SA request 7 [ SA No KE TSi TSr ]
2023-01-26 15:58:43Z 29[KNL] <STATION010-1|4> ipsec_offload enabled
2023-01-26 15:58:43Z 29[KNL] <STATION010-1|4> ipsec_offload interface Port2_ppp
2023-01-26 15:58:43Z 29[KNL] <STATION010-1|4> ipsec_offload enabled
2023-01-26 15:58:43Z 29[KNL] <STATION010-1|4> ipsec_offload interface Port2_ppp
2023-01-26 15:58:43Z 29[IKE] <STATION010-1|4> CHILD_SA STATION010-1{29} established with SPIs c166c000_i c6a6566a_o and TS 192.168.200.0/24 === 192.168.201.74/32
2023-01-26 15:58:43Z 29[APP] <STATION010-1|4> [COP-UPDOWN] (ref_counting) ref_count: 0 to 1 ++ up ++ (192.168.200.0/24#192.168.201.74/32)
2023-01-26 15:58:43Z 29[APP] <STATION010-1|4> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 0 to 1 ++ up ++ (111.222.333.444#109.40.222.222#n)
2023-01-26 15:58:43Z 29[APP] <STATION010-1|4> [COP-UPDOWN] (cop_updown_invoke_once) UID: 4 Net: Local 111.222.333.444 Remote 109.40.222.222 Connection: STATION010 Fullname: STATION010-1
2023-01-26 15:58:43Z 29[APP] <STATION010-1|4> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' up-client
2023-01-26 15:58:43Z 29[ENC] <STATION010-1|4> generating CREATE_CHILD_SA response 7 [ SA No KE TSi TSr ]
2023-01-26 15:58:43Z 29[NET] <STATION010-1|4> sending packet: from 111.222.333.444[4500] to 109.40.222.222[41135] (480 bytes)
2023-01-26 15:58:43Z 10[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'STATION010' result --> id: '12', mode: 'ntn', tunnel_type: '0', subnet_family:'0'
2023-01-26 15:58:43Z 10[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) ---- exec remote updown ++ up ++
2023-01-26 15:58:43Z 10[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_gateway_chains -t json -s nosync -b '{"local_server":"111.222.333.444","remote_server":"109.40.222.222","action":"enable","family":"0","conntype":"ntn","compress":"0"}'': success 0
2023-01-26 15:58:43Z 10[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) ---- exec subnet updown ++ up ++
2023-01-26 15:58:43Z 10[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) [NTN] NTN get actual...
2023-01-26 15:58:43Z 10[APP] [COP-UPDOWN][DB] (db_query) No data retrieved from query: 'SELECT ( nath.netid || '/' || nath.netmask ) AS natedlan FROM tblvpnconnhostrel AS rel JOIN tblhost AS h ON h.hostid = rel.hostid JOIN tblhost AS nath ON rel .natedhost = nath.hostid WHERE rel.connectionid = $1 AND rel.hostlocation = 'L' AND h.netid = $2 AND h.netmask = $3 LIMIT 1;' status: 2 rows: 0
2023-01-26 15:58:43Z 10[APP]
2023-01-26 15:58:43Z 10[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) connection 'STATION010' using interface 'ipsec0'
2023-01-26 15:58:43Z 10[APP] [COP-UPDOWN][NET] (get_src_ip) source address for 192.168.200.0 is IP: 192.168.110.30
2023-01-26 15:58:43Z 10[APP]
2023-01-26 15:58:43Z 10[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route add 192.168.201.74/32 dev ipsec0 src 192.168.110.30 table 220': success 0
2023-01-26 15:58:43Z 10[APP] [COP-UPDOWN] (add_routes) no routes to add for STATION010 on interface ipsec0
2023-01-26 15:58:43Z 10[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_connection_chains -t json -s nosync -b '{"me":"111.222.333.444","peer":"109.40.222.222","mynet":"192.168.200.0/24","peernet":"192.168.201.74/32","connop":"1","iface":"Port2_ppp","myproto":"0","myport":"0","peerproto":"0","peerport":"0","conntype":"ntn","actnet":"","compress":"0","conn_id":"12"}'': success 0
2023-01-26 15:58:43Z 10[APP] [COP-UPDOWN][SHELL] (run_shell) 'conntrack -D --not-protonum=6 --inzone-outzone=2': success 0
2023-01-26 15:58:43Z 10[APP] [COP-UPDOWN][SHELL] (run_shell) 'conntrack -D --not-protonum=6 --inzone-outzone=5': error returned 1
....
2023-01-26 16:01:13Z 25[NET] <STATION010-1|4> received packet: from 109.40.222.222[41135] to 111.222.333.444[4500] (80 bytes)
2023-01-26 16:01:13Z 25[ENC] <STATION010-1|4> parsed INFORMATIONAL request 8 [ D ]
2023-01-26 16:01:13Z 25[IKE] <STATION010-1|4> received DELETE for ESP CHILD_SA with SPI c6a6566a
2023-01-26 16:01:13Z 25[IKE] <STATION010-1|4> closing CHILD_SA STATION010-1{29} with SPIs c166c000_i (0 bytes) c6a6566a_o (0 bytes) and TS 192.168.200.0/24 === 192.168.201.74/32
2023-01-26 16:01:13Z 25[IKE] <STATION010-1|4> sending DELETE for ESP CHILD_SA with SPI c166c000
2023-01-26 16:01:13Z 25[IKE] <STATION010-1|4> CHILD_SA closed
2023-01-26 16:01:13Z 25[APP] <STATION010-1|4> [COP-UPDOWN] (ref_counting) ref_count: 1 to 0 -- down -- (192.168.200.0/24#192.168.201.74/32)
2023-01-26 16:01:13Z 25[APP] <STATION010-1|4> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 1 to 0 -- down -- (111.222.333.444#109.40.222.222#n)
2023-01-26 16:01:13Z 25[APP] <STATION010-1|4> [COP-UPDOWN] (cop_updown_invoke_once) UID: 4 Net: Local 111.222.333.444 Remote 109.40.222.222 Connection: STATION010 Fullname: STATION010-1
2023-01-26 16:01:13Z 25[APP] <STATION010-1|4> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' down-client
2023-01-26 16:01:13Z 25[ENC] <STATION010-1|4> generating INFORMATIONAL response 8 [ D ]
2023-01-26 16:01:13Z 25[NET] <STATION010-1|4> sending packet: from 111.222.333.444[4500] to 109.40.222.222[41135] (80 bytes)
2023-01-26 16:01:13Z 31[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'STATION010' result --> id: '12', mode: 'ntn', tunnel_type: '0', subnet_family:'0'
2023-01-26 16:01:13Z 31[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) ---- exec remote updown -- down --
2023-01-26 16:01:13Z 31[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_gateway_chains -t json -s nosync -b '{"local_server":"111.222.333.444","remote_server":"109.40.222.222","action":"disable","family":"0","conntype":"ntn","compress":"0"}'': success 0
2023-01-26 16:01:13Z 31[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) ---- exec subnet updown -- down --
2023-01-26 16:01:13Z 31[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) [NTN] NTN get actual...
2023-01-26 16:01:13Z 31[APP] [COP-UPDOWN][DB] (db_query) No data retrieved from query: 'SELECT ( nath.netid || '/' || nath.netmask ) AS natedlan FROM tblvpnconnhostrel AS rel JOIN tblhost AS h ON h.hostid = rel.hostid JOIN tblhost AS nath ON rel .natedhost = nath.hostid WHERE rel.connectionid = $1 AND rel.hostlocation = 'L' AND h.netid = $2 AND h.netmask = $3 LIMIT 1;' status: 2 rows: 0
2023-01-26 16:01:13Z 31[APP]
2023-01-26 16:01:13Z 31[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) connection 'STATION010' using interface 'ipsec0'
2023-01-26 16:01:13Z 31[APP] [COP-UPDOWN][NET] (get_src_ip) source address for 192.168.200.0 is IP: 192.168.110.30
2023-01-26 16:01:13Z 31[APP]
2023-01-26 16:01:13Z 31[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route del 192.168.201.74/32 dev ipsec0 src 192.168.110.30 table 220': success 0
2023-01-26 16:01:13Z 31[APP] [COP-UPDOWN] (add_routes) no routes to del for STATION010 on interface ipsec0
2023-01-26 16:01:13Z 31[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_connection_chains -t json -s nosync -b '{"me":"111.222.333.444","peer":"109.40.222.222","mynet":"192.168.200.0/24","peernet":"192.168.201.74/32","connop":"0","iface":"unknown","myproto":"0","myport":"0","peerproto":"0","peerport":"0","conntype":"ntn","actnet":"","compress":"0","conn_id":"12"}'': success 0
2023-01-26 16:01:13Z 31[APP] [COP-UPDOWN][SHELL] (run_shell) 'conntrack -D --not-protonum=6 --inzone-outzone=2': success 0
2023-01-26 16:01:13Z 31[APP] [COP-UPDOWN][SHELL] (run_shell) 'conntrack -D --not-protonum=6 --inzone-outzone=5': error returned 1
some Ideas or hints?
Thanks,
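As an added example (not part of the original post or of Sophos' or strongSwan's code), a small Python pass over charon-style log lines of the kind quoted above. It pairs each "CHILD_SA ... established" line with its "closing CHILD_SA" line to compute the SA lifetime, records whether a DELETE received from the peer preceded the close (which tells you which side tore the tunnel down), and lists DH-group rejections that caused an INVALID_KE_PAYLOAD round trip. The sample lines are copied from the post and trimmed; the field layout it assumes is `<date> <time>Z <thread>[<subsystem>] [<ike_sa|id>] <message>`, which is an assumption about the log format, not something the post states.

```python
"""Summarise charon IKE log lines: CHILD_SA lifetimes, which side tore them
down, and DH-group rejections.  Added example; the SAMPLE_LOG below is copied
(and trimmed) from the forum post, and the assumed line layout is
'<date> <time>Z <thread>[<subsystem>] [<ike_sa|id>] <message>'."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}Z) "
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] "
    r"(?:<(?P<ike_sa>[^>]+)> )?"
    r"(?P<msg>.*)$"
)
ESTABLISHED_RE = re.compile(
    r"CHILD_SA (?P<name>\S+)\{(?P<uid>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS (?P<selectors>.+)$"
)
CLOSING_RE = re.compile(
    r"closing CHILD_SA (?P<name>\S+)\{(?P<uid>\d+)\} with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i \((?P<bytes_in>\d+) bytes\) "
    r"(?P<spi_out>[0-9a-f]+)_o \((?P<bytes_out>\d+) bytes\)"
)
RECV_DELETE_RE = re.compile(r"received DELETE for ESP CHILD_SA with SPI (?P<spi>[0-9a-f]+)")
DH_REJECT_RE = re.compile(r"DH group (?P<offered>\w+) inacceptable, requesting (?P<wanted>\w+)")

# Constructed sample: seven IKE lines copied from the post, other subsystems dropped.
SAMPLE_LOG = """
2023-01-26 15:58:42Z 15[IKE] <STATION010-1|4> DH group MODP_4096 inacceptable, requesting MODP_2048
2023-01-26 15:58:42Z 15[IKE] <STATION010-1|4> failed to establish CHILD_SA, keeping IKE_SA
2023-01-26 15:58:42Z 15[ENC] <STATION010-1|4> generating CREATE_CHILD_SA response 6 [ N(INVAL_KE) ]
2023-01-26 15:58:43Z 29[IKE] <STATION010-1|4> CHILD_SA STATION010-1{29} established with SPIs c166c000_i c6a6566a_o and TS 192.168.200.0/24 === 192.168.201.74/32
2023-01-26 16:01:13Z 25[IKE] <STATION010-1|4> received DELETE for ESP CHILD_SA with SPI c6a6566a
2023-01-26 16:01:13Z 25[IKE] <STATION010-1|4> closing CHILD_SA STATION010-1{29} with SPIs c166c000_i (0 bytes) c6a6566a_o (0 bytes) and TS 192.168.200.0/24 === 192.168.201.74/32
2023-01-26 16:01:13Z 25[IKE] <STATION010-1|4> CHILD_SA closed
"""


@dataclass
class ChildSa:
    name: str
    uid: str
    spi_in: str
    spi_out: str
    established: datetime
    closed: Optional[datetime] = None
    bytes_in: int = 0
    bytes_out: int = 0
    closed_by_peer: bool = False  # True if the peer's DELETE for one of our SPIs came first

    @property
    def lifetime_seconds(self) -> Optional[float]:
        if self.closed is None:
            return None
        return (self.closed - self.established).total_seconds()


@dataclass
class Summary:
    child_sas: list = field(default_factory=list)
    dh_rejections: list = field(default_factory=list)  # (offered, wanted) pairs


def parse_line(line: str):
    """Split one log line into its fields; returns None for anything that does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%SZ")
    return rec


def summarise(lines) -> Summary:
    out = Summary()
    by_uid = {}           # CHILD_SA unique id -> ChildSa
    peer_deleted = set()  # SPIs the peer asked us to delete
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if m := DH_REJECT_RE.search(msg):
            out.dh_rejections.append((m["offered"], m["wanted"]))
        elif m := ESTABLISHED_RE.search(msg):
            sa = ChildSa(m["name"], m["uid"], m["spi_in"], m["spi_out"], rec["ts"])
            by_uid[m["uid"]] = sa
            out.child_sas.append(sa)
        elif m := RECV_DELETE_RE.search(msg):
            peer_deleted.add(m["spi"])
        elif m := CLOSING_RE.search(msg):
            sa = by_uid.get(m["uid"])
            if sa is None:
                continue  # close without a matching establish in this excerpt
            sa.closed = rec["ts"]
            sa.bytes_in, sa.bytes_out = int(m["bytes_in"]), int(m["bytes_out"])
            sa.closed_by_peer = bool({sa.spi_in, sa.spi_out} & peer_deleted)
    return out


def report(summary: Summary) -> list:
    """Human-readable findings, one string per finding."""
    lines = []
    for offered, wanted in summary.dh_rejections:
        lines.append(f"DH group mismatch: peer offered {offered}, we requested {wanted} (extra INVALID_KE round trip)")
    for sa in summary.child_sas:
        who = "peer" if sa.closed_by_peer else "local"
        life = "still up" if sa.lifetime_seconds is None else f"{sa.lifetime_seconds:.0f}s"
        lines.append(f"CHILD_SA {sa.name}{{{sa.uid}}} {sa.spi_in}_i/{sa.spi_out}_o: lifetime {life}, "
                     f"torn down by {who}, traffic {sa.bytes_in}/{sa.bytes_out} bytes")
    return lines


if __name__ == "__main__":
    for finding in report(summarise(SAMPLE_LOG.splitlines())):
        print(finding)
```

Run against the excerpt, it reports one DH rejection (MODP_4096 offered, MODP_2048 requested) and one CHILD_SA that lived 150 seconds, carried 0 bytes in each direction, and was torn down by the peer: the DELETE arrived from the remote side, so the cause is on the peer or on a middlebox between the two, not in the local SA lifetime settings. Feeding it a full day of charon output makes a repeating 150-second pattern, or a change in the pattern after a configuration change, easy to spot.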