Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
11-04-2013 07:12 PM
Hello
I am facing packet drops whenever the phase 1 re-negotiates. The SA gets expired and deleted but it takes 20 minutes for it to start the P1 phase again. In that period the traffic times out until the P1 starts again after 20 minutes. Below are the logs. I have replaced our gateway address with xx.xx.xx.xx
2013-11-05 10:24:02 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: xx.xx.xx.xx[500]-211.13.205.150[500] cookie:cf98f03c954db3ed:53951433f27d287ci <====
2013-11-05 10:24:02 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: xx.xx.xx.xx[500]-211.13.205.150[500] cookie:cf98f03c954db3ed:53951433f27d287ci <====
2013-11-05 10:43:59 [INFO]: IPsec-SA request for 211.13.205.150 queued since no phase1 found
2013-11-05 10:43:59 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
====> Initiated SA: xx.xx.xx.xx[500]-211.13.205.150[500] cookie:a6f4545850bdaa6c:0000000000000000 <====
2013-11-05 10:44:00 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====
====> Established SA: xx.xx.xx.xx[500]-211.13.205.150[500] cookie:a6f4545850bdaa6c:c8f5e6db76ec5d46 lifetime 6400 Sec <====
2013-11-05 10:44:00 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: xx.xx.xx.xx[500]-211.13.205.150[500] message id:0xB0FD55D5 <====
2013-11-05 10:44:00 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION SUCCEEDED AS INITIATOR, (QUICK MODE) <====
====> Established SA: xx.xx.xx.xx[500]-211.13.205.150[500] message id:0xB0FD55D5, SPI:0x9AD00707/0x0F93DFE1 <====
2013-11-05 10:44:00 [INFO]: SADB_UPDATE ul_proto=255 src=211.13.205.150[500] dst=xx.xx.xx.xx[500] satype=ESP samode=tunl spi=0x9AD00707 authtype=MD5 enctype=NULL_ENC lifetime soft time=6400 bytes=0 hard time=6400 bytes=0
2013-11-05 10:44:00 [INFO]: SADB_ADD ul_proto=255 src=xx.xx.xx.xx[500] dst=211.13.205.150[500] satype=ESP samode=tunl spi=0x0F93DFE1 authtype=MD5 enctype=NULL_ENC lifetime soft time=6400 bytes=0 hard time=6400 bytes=0
2013-11-05 10:44:00 [INFO]: IPsec-SA established: ESP/Tunnel 211.13.205.150[500]->xx.xx.xx.xx[500] spi=2597324551(0x9ad00707)
2013-11-05 10:44:00 [PROTO_NOTIFY]: ====> IPSEC KEY INSTALLATION SUCCEEDED <====
====> Installed SA: xx.xx.xx.xx[500]-211.13.205.150[500] SPI:0x9AD00707/0x0F93DFE1 lifetime 6400 Sec lifesize unlimited <====
Thanks
Shyam
11-05-2013 06:51 PM
Hello Shyam,
As per the log messages
10:24:02 -------- we received the phase-I delete message --------- > [INFO]: ====> PHASE-1 SA DELETED <====
10:43:59 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
After 20 minutes we got the Phase-I negotiation messages and PAN were acting as an initiator.
Could you please set the PAN device as a responder ( passive mode) and let me know if that makes any difference.
FYI..
Thanks
11-05-2013 08:03 PM
Hello Hulk
Thanks for the response.
I enabled passive setting and was getting packet drops. It was working before I enabled the passive setting. I removed the setting and the pings are working now again. But I am sure the packet with drop once the renegotiation starts
Thanks
Shyam
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
