IPsec site - site Phase 1 channel drops
Hello all,
I have set up an IPsec site-site channel between two of my offices. I have a problem where, when checking the status of the channel, the phase 1 channel drops out every few minutes. When the channel is up the child SA passes traffic fine. I have had the channel stay up for 7 hours once, but for the most part it is unstable.
The other office has an ASA5505. As best as I can tell the settings are matched at both ends.
Checking the system logs for IPsec gives the following:
Nov 4 08:54:38 charon 08[IKE] <con1|19>CHILD_SA con1{36} established with SPIs xxxxxxxx and TS ipxxxxx|/0
Nov 4 08:54:38 charon 08[IKE] <con1|19>establishing CHILD_SA con1
Nov 4 08:54:38 charon 08[ENC] <con1|19>generating CREATE_CHILD_SA request 2 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Nov 4 08:54:38 charon 08[NET] <con1|19>sending packet: from xxxx[500] to xxxx[500] (204 bytes)
Nov 4 08:54:42 charon 15[IKE] <con1|19>retransmit 1 of request with message ID 2
Nov 4 08:54:42 charon 15[NET] <con1|19>sending packet: from xxxx[500] to xxxx[500] (204 bytes)
Nov 4 08:54:49 charon 07[IKE] <con1|19>retransmit 2 of request with message ID 2
Nov 4 08:54:49 charon 07[NET] <con1|19>sending packet: from xxxx[500] to xxxx[500] (204 bytes)
Nov 4 08:55:02 charon 07[IKE] <con1|19>retransmit 3 of request with message ID 2
Nov 4 08:55:02 charon 07[NET] <con1|19>sending packet: from xxxx[500] to xxxx[500] (204 bytes)
Nov 4 08:55:25 charon 11[IKE] <con1|19>retransmit 4 of request with message ID 2
Nov 4 08:55:25 charon 11[NET] <con1|19>sending packet: from xxxx[500] to xxxx[500] (204 bytes)
Nov 4 08:56:08 charon 06[IKE] <con1|19>retransmit 5 of request with message ID 2
Nov 4 08:56:08 charon 06[NET] <con1|19>sending packet: from xxxx[500] to xxxx[500] (204 bytes)
Nov 4 08:57:23 charon 08[IKE] <con1|19>giving up after 5 retransmits
Nov 4 08:57:23 charon 08[IKE] <con1|19>restarting CHILD_SA con1
Nov 4 08:57:23 charon 08[IKE] <con1|19>initiating IKE_SA con1[20] to xxxx
Nov 4 08:57:23 charon 08[ENC] <con1|19>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 4 08:57:23 charon 08[NET] <con1|19>sending packet: from xxxx[500] to xxxx[500] (400 bytes)
Nov 4 08:57:23 charon 08[KNL] <con1|19>unable to delete SAD entry with SPI xxxx: No such file or directory (2)
Nov 4 08:57:23 charon 08[KNL] creating acquire job for policy xxxx/32|/0 === xxxx/32|/0 with reqid {1}
Nov 4 08:57:23 charon 14[NET] <con1|20>received packet: from xxxx[500] to xxxx[500] (521 bytes)
Nov 4 08:57:23 charon 14[ENC] <con1|20>parsed IKE_SA_INIT response 0 [ SA KE No V V V N(NATD_S_IP) N(NATD_D_IP) V ]
Nov 4 08:57:23 charon 14[IKE] <con1|20>received Cisco Delete Reason vendor ID
Nov 4 08:57:23 charon 14[IKE] <con1|20>received Cisco Copyright 2009 vendor ID
Nov 4 08:57:23 charon 14[ENC] <con1|20>received unknown vendor ID: xxxx
Nov 4 08:57:23 charon 14[IKE] <con1|20>received FRAGMENTATION vendor ID
Nov 4 08:57:23 charon 14[IKE] <con1|20>authentication of 'xxxx' (myself) with pre-shared key
Nov 4 08:57:23 charon 14[IKE] <con1|20>establishing CHILD_SA con1{1}
Nov 4 08:57:23 charon 14[ENC] <con1|20>generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(EAP_ONLY) ]
Nov 4 08:57:23 charon 14[NET] <con1|20>sending packet: from xxxx[500] to xxxx[500] (236 bytes)
Nov 4 08:57:23 charon 14[NET] <con1|20>received packet: from xxxx[500] to xxxx[500] (236 bytes)
Nov 4 08:57:23 charon 14[ENC] <con1|20>parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Nov 4 08:57:23 charon 14[IKE] <con1|20>authentication of '180.200.128.201' with pre-shared key successful
Nov 4 08:57:23 charon 14[IKE] <con1|20>IKE_SA con1[20] established between xxxx…xxxx
Nov 4 08:57:23 charon 14[IKE] <con1|20>scheduling reauthentication in 28170s
Nov 4 08:57:23 charon 14[IKE] <con1|20>maximum IKE_SA lifetime 28710s
Nov 4 08:57:23 charon 14[IKE] <con1|20>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 4 08:57:23 charon 14[IKE] <con1|20>CHILD_SA con1{38} established with SPIs xxxx and TS xxxx === xxxx
Nov 4 08:57:23 charon 14[IKE] <con1|20>establishing CHILD_SA con1
Nov 4 08:57:23 charon 14[ENC] <con1|20>generating CREATE_CHILD_SA request 2 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Any ideas on how I can keep this channel alive? Or where I could look for more information?
Thank you.
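One way to summarise a log like the one above, as an added example that is not part of the original post: it pairs each charon `giving up after N retransmits` line with the request that went unanswered and reports how long the peer stayed silent. The function name, the output fields and the abridged sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: lines abridged from the post's log, addresses redacted as xxxx.
SAMPLE = """\
Nov 4 08:54:38 charon 08[ENC] <con1|19>generating CREATE_CHILD_SA request 2 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Nov 4 08:54:38 charon 08[NET] <con1|19>sending packet: from xxxx[500] to xxxx[500] (204 bytes)
Nov 4 08:54:42 charon 15[IKE] <con1|19>retransmit 1 of request with message ID 2
Nov 4 08:56:08 charon 06[IKE] <con1|19>retransmit 5 of request with message ID 2
Nov 4 08:57:23 charon 08[IKE] <con1|19>giving up after 5 retransmits
Nov 4 08:57:23 charon 14[ENC] <con1|20>generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(EAP_ONLY) ]
Nov 4 08:57:23 charon 14[ENC] <con1|20>parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
"""

LINE = re.compile(r"^(\w+ +\d+ [\d:]+) charon \d+\[\w+\] <([^|>]+)\|(\d+)>\s*(.*)$")
GEN = re.compile(r"generating (\S+) request (\d+)")
RESP = re.compile(r"parsed (\S+) response (\d+)")
RETX = re.compile(r"retransmit (\d+) of request with message ID (\d+)")
GIVEUP = re.compile(r"giving up after (\d+) retransmits")

def find_timeouts(log_text):
    """Return one dict per request that charon abandoned after exhausting retransmits."""
    pending = {}    # (conn, sa_id, msg_id) -> (exchange, time first sent)
    last_retx = {}  # (conn, sa_id) -> msg_id most recently retransmitted
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # lines without a <conn|id> tag (e.g. [KNL] jobs) are skipped
        ts, conn, sa_id, msg = m.groups()
        # syslog omits the year; a fixed one is prepended only so strptime can parse
        when = datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")
        if g := GEN.search(msg):
            pending[(conn, sa_id, g.group(2))] = (g.group(1), when)
        elif r := RESP.search(msg):
            pending.pop((conn, sa_id, r.group(2)), None)  # peer answered
        elif x := RETX.search(msg):
            last_retx[(conn, sa_id)] = x.group(2)
        elif u := GIVEUP.search(msg):
            msg_id = last_retx.get((conn, sa_id))
            exchange, sent = pending.pop((conn, sa_id, msg_id), ("unknown", when))
            findings.append({"conn": conn, "ike_sa": int(sa_id), "exchange": exchange,
                             "message_id": msg_id, "retransmits": int(u.group(1)),
                             "seconds_unanswered": int((when - sent).total_seconds())})
    return findings

if __name__ == "__main__":
    for finding in find_timeouts(SAMPLE):
        print(finding)
```
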