IPSEC VPN phase 1 renegotiation

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IPSEC VPN phase 1 renegotiation

L0 Member

Hello

I am facing packet drops whenever the phase 1 re-negotiates. The SA gets expired and deleted but it takes 20 minutes for it to start the P1 phase again. In that period the traffic times out until the P1 starts again after 20 minutes. Below are the logs. I have replaced  our gateway address with xx.xx.xx.xx

2013-11-05 10:24:02 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: xx.xx.xx.xx[500]-211.13.205.150[500] cookie:cf98f03c954db3ed:53951433f27d287ci <====

2013-11-05 10:24:02 [INFO]: ====> PHASE-1 SA DELETED <====

====> Deleted SA: xx.xx.xx.xx[500]-211.13.205.150[500] cookie:cf98f03c954db3ed:53951433f27d287ci <====

2013-11-05 10:43:59 [INFO]: IPsec-SA request for 211.13.205.150 queued since no phase1 found

2013-11-05 10:43:59 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====

====> Initiated SA: xx.xx.xx.xx[500]-211.13.205.150[500] cookie:a6f4545850bdaa6c:0000000000000000 <====

2013-11-05 10:44:00 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====

====> Established SA: xx.xx.xx.xx[500]-211.13.205.150[500] cookie:a6f4545850bdaa6c:c8f5e6db76ec5d46 lifetime 6400 Sec <====

2013-11-05 10:44:00 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====

====> Initiated SA: xx.xx.xx.xx[500]-211.13.205.150[500] message id:0xB0FD55D5 <====

2013-11-05 10:44:00 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION SUCCEEDED AS INITIATOR, (QUICK MODE) <====

====> Established SA: xx.xx.xx.xx[500]-211.13.205.150[500] message id:0xB0FD55D5, SPI:0x9AD00707/0x0F93DFE1 <====

2013-11-05 10:44:00 [INFO]: SADB_UPDATE ul_proto=255 src=211.13.205.150[500] dst=xx.xx.xx.xx[500] satype=ESP samode=tunl spi=0x9AD00707 authtype=MD5 enctype=NULL_ENC lifetime soft time=6400 bytes=0 hard time=6400 bytes=0

2013-11-05 10:44:00 [INFO]: SADB_ADD ul_proto=255 src=xx.xx.xx.xx[500] dst=211.13.205.150[500] satype=ESP samode=tunl spi=0x0F93DFE1 authtype=MD5 enctype=NULL_ENC lifetime soft time=6400 bytes=0 hard time=6400 bytes=0

2013-11-05 10:44:00 [INFO]: IPsec-SA established: ESP/Tunnel 211.13.205.150[500]->xx.xx.xx.xx[500] spi=2597324551(0x9ad00707)

2013-11-05 10:44:00 [PROTO_NOTIFY]: ====> IPSEC KEY INSTALLATION SUCCEEDED <====

====> Installed SA: xx.xx.xx.xx[500]-211.13.205.150[500] SPI:0x9AD00707/0x0F93DFE1 lifetime 6400 Sec lifesize unlimited <====

Thanks

Shyam

2 REPLIES 2

L7 Applicator

Hello Shyam,

As per the log messages


10:24:02 -------- we received the phase-I delete message --------- > [INFO]: ====> PHASE-1 SA DELETED <====

10:43:59 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====

After 20 minutes we got the Phase-I negotiation messages and PAN were acting as an initiator. 


Could you please set the PAN device as a responder ( passive mode) and let me know if that makes any difference.


FYI..


IPSec-passive.jpg


Thanks

Hello Hulk

Thanks for the response.

I enabled passive setting and was getting packet drops. It was working before I enabled the passive setting. I removed the setting and the pings are working now again. But I am sure the packet with drop once the renegotiation starts

Thanks

Shyam

  • 2529 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!