Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 1 subscriber
  • Views 12643 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VPN drops if no "Delete SA payload" is received

eneo.kola
I have an issue with a VPN between my ASG120 Astaro and a Cisco router.

IKE encryption algorithm        : AES 256
IKE authentication algorithm   :      SHA1
IKE SA lifetime:                    :      86400
IKE DH group:                      :      Group 5

IPsec encryption algorithm     :     AES 256
IPsec authentication algorithm:     SHA1
IPsec SA lifetime                  :     3600
IPsec PFS group                   :     None       


The VPN runes mostly OK during an undetermined period of time, than it suddenly hangs.
When it runs normally I get a "Delete SA payload" every 30'.
When It doesn't receive this message from the other side of the VPN, the connection hangs.

Line 14561: 2014:09:18-07:24:17 YYYYY pluto[16041]: "***" #2608: received Delete SA payload: replace IPSEC State #2609 in 10 seconds
Line 14562: 2014:09:18-07:24:17 YYYYY pluto[16041]: "***" #2608: received Delete SA payload: deleting ISAKMP State #2608
Line 14568: 2014:09:18-07:24:27 YYYYY pluto[16041]: "***" #2664: initiating Main Mode
Line 14569: 2014:09:18-07:24:27 YYYYY pluto[16041]: "***" #2664: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Line 14570: 2014:09:18-07:24:27 YYYYY pluto[16041]: "***" #2664: ignoring Vendor ID payload [Cisco-Unity]
Line 14571: 2014:09:18-07:24:27 YYYYY pluto[16041]: "***" #2664: received Vendor ID payload [XAUTH]
Line 14572: 2014:09:18-07:24:27 YYYYY pluto[16041]: "***" #2664: ignoring Vendor ID payload [***************************x]
Line 14573: 2014:09:18-07:24:27 YYYYY pluto[16041]: "***" #2664: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Line 14574: 2014:09:18-07:24:27 YYYYY pluto[16041]: "***" #2664: received Vendor ID payload [Dead Peer Detection]
Line 14575: 2014:09:18-07:24:27 YYYYY pluto[16041]: "***" #2664: Peer ID is ID_IPV4_ADDR: '***.***.***.***'
Line 14576: 2014:09:18-07:24:27 YYYYY pluto[16041]: "***" #2664: ISAKMP SA established
Line 14577: 2014:09:18-07:24:27 YYYYY pluto[16041]: "***" #2665: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#2664}
Line 14578: 2014:09:18-07:24:27 YYYYY pluto[16041]: "***" #2665: sent QI2, IPsec SA established {ESP=>************ *********xx 


This thread was automatically locked due to age.
  • 0
    Hi, and welcome to the User BB!

    Can you get a picture of the Phase 1 and Phase 2 settings on the Cisco?  Also, please confirm that both sides agree on DPD and NAT-T settings.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Hello BAlfson,

    I can only give you the form from the other part of the tunnel (I am waiting their response so I can check once again the params)

    platform:            Cisco PIX-515E, OS: 7.2(1)
    IPSec mode:  Lan2Lan / Tunnel

    IKE/ISAKMP parameters:
    Key management:  Pre-shared Key (PSK)
    DH group:                 5
    Encryption alg.:         AES256
    Key Lifetime:         86400 sec
    Aggressive mode:         No

    IPSec parameters:
    Key Exchange:         IKE/ISAKMP
    PFS:                         No
    Encyrption proto.: ESP
    Data Integrity:         HMAC-SHA
    Encryption alg.:         AES256
    SA lifetime:                 3600 sec

    My side has NAT-T disabled on their request, also DPD is disabled
Unfiltered HTML