Hello!
My company creates a VPN through our VPN 3005 Concentrator and a remote Cisco PIX 501. The remote PIX is configured as a remote client in network extension mode and is accessing the concentrator through ESP-3DES-MD5 IPSec SA and using MD5/HMAC-128 authentication, 3DES encryption and Group 2 DH for IKE.
The authentication mode is Preshared Keys through XAUTH.
Although I set the IKE proposal to 86400sec on the concentrator and 86400sec IPSec lifetime, the PIX gets disconnected after 7h30m-8h. No lifetime settings have been set on the PIX. The concentrator should decide the timeouts.
Anyone got any idea what can be wrong?
I get the following errors on the concentrator during IKE Rekeying Phase 2 (public IPs on the PIX replaced by X, VPN 3000 replaced by Y):
113 11/18/2003 06:43:36.070 SEV=4 IKE/41 RPT=2366
IKE Initiator: Rekeying Phase 2, Intf 2, IKE Peer XXX.XXX.XXX.XXX
local Proxy Address 10.131.48.0, remote Proxy Address 10.131.52.192,
SA (ESP-3DES-MD5)
116 11/18/2003 06:43:40.770 SEV=4 IKE/41 RPT=2367
IKE Initiator: Rekeying Phase 2, Intf 2, IKE Peer XXX.XXX.XXX.XXX
local Proxy Address 10.131.48.0, remote Proxy Address XXX.XXX.XXX.XXX,
SA (ESP-3DES-MD5)
119 11/18/2003 06:43:40.830 SEV=4 IKE/41 RPT=2368
IKE Initiator: Rekeying Phase 2, Intf 2, IKE Peer XXX.XXX.XXX.XXX
local Proxy Address YYY.YYY.YYY.YYY, remote Proxy Address XXX.XXX.XXX.XXX,
SA (ESP-3DES-MD5)
122 11/18/2003 06:44:08.080 SEV=4 IKEDBG/0 RPT=775
QM FSM error (P2 struct &0x1df70f4, mess id 0xf6648e59)!
123 11/18/2003 06:44:12.780 SEV=4 IKEDBG/0 RPT=776
QM FSM error (P2 struct &0x1cf22bc, mess id 0xdfdef293)!
124 11/18/2003 06:44:12.840 SEV=4 IKEDBG/0 RPT=777
QM FSM error (P2 struct &0x1ea3838, mess id 0xacf3fe5a)!
125 11/18/2003 06:44:12.850 SEV=4 AUTH/28 RPT=555 XXX.XXX.XXX.XXX
User [se-sto1-pix002] Group [se-sto1-pix] disconnected:
Session Type: IPSec
Duration: 7:36:36
Bytes xmt: 4630008
Bytes rcv: 4601480
Reason: Unknown
Has anyone seen these errors before?
/Thomas
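Added example, not part of the original post: a Python sketch that parses the concentrator event lines quoted above, pairs each Phase 2 rekey attempt (IKE/41) with a QM FSM error, and converts the reported session duration to seconds for comparison with the configured 86400-second lifetime. Pairing the events in order of appearance is an assumption, since the two event types share no identifier in the log; the function names are hypothetical.

```python
import re
from datetime import datetime

# Event lines copied from the post above (some continuation lines trimmed).
LOG = """\
113 11/18/2003 06:43:36.070 SEV=4 IKE/41 RPT=2366
116 11/18/2003 06:43:40.770 SEV=4 IKE/41 RPT=2367
119 11/18/2003 06:43:40.830 SEV=4 IKE/41 RPT=2368
122 11/18/2003 06:44:08.080 SEV=4 IKEDBG/0 RPT=775
QM FSM error (P2 struct &0x1df70f4, mess id 0xf6648e59)!
123 11/18/2003 06:44:12.780 SEV=4 IKEDBG/0 RPT=776
QM FSM error (P2 struct &0x1cf22bc, mess id 0xdfdef293)!
124 11/18/2003 06:44:12.840 SEV=4 IKEDBG/0 RPT=777
QM FSM error (P2 struct &0x1ea3838, mess id 0xacf3fe5a)!
125 11/18/2003 06:44:12.850 SEV=4 AUTH/28 RPT=555 XXX.XXX.XXX.XXX
Duration: 7:36:36
"""

HEADER = re.compile(r"^(\d+) (\d\d/\d\d/\d{4} [\d:.]+) SEV=(\d+) (\S+) RPT=(\d+)")

def parse_events(text):
    """Group each header line with the message lines that follow it."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%m/%d/%Y %H:%M:%S.%f")
            events.append({"seq": int(m.group(1)), "time": ts,
                           "event": m.group(4), "body": []})
        elif events:
            events[-1]["body"].append(line.strip())
    return events

def rekey_failures(events):
    """Pair rekey starts with QM FSM errors in order (assumption, see lead-in)."""
    starts = [e for e in events if e["event"] == "IKE/41"]
    errors = [e for e in events if any("QM FSM error" in b for b in e["body"])]
    return [(s["seq"], f["seq"], round((f["time"] - s["time"]).total_seconds(), 2))
            for s, f in zip(starts, errors)]

def session_seconds(events):
    """Duration reported by the AUTH/28 disconnect event, in seconds."""
    for e in events:
        for b in e["body"]:
            if e["event"] == "AUTH/28" and b.startswith("Duration:"):
                h, m, s = map(int, b.split(":", 1)[1].strip().split(":"))
                return h * 3600 + m * 60 + s
    return None
```

On the quoted lines, each rekey attempt is followed by a QM FSM error 32.01 seconds later, and the reported session duration is 27396 seconds.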