mirage2101
Posts: 2
Joined: 20.Dec.2007
Status: offline
I'm having trouble setting up a site-to-site VPN with a Cisco ASA5510 VPN server. Phase 1 is always successful, no problems there. Then phase 2 seems to pass too, because we can send and receive data for a while. After 30 seconds to 7 minutes, the tunnel disconnects, regardless of whether data is being sent at the moment, and then phase 2 never builds again unless we reset the connection on both sides.

This part of the Oakley log contains the only error message I see. I have a lot more of course leading up to this, but I don't see anything strange in that and this'll keep it readable.

12-20: 10:51:13:115:fd8 tunnel mode is Tunnel Mode(1)
12-20: 10:51:13:115:fd8 HMAC algorithm is MD5(1)
12-20: 10:51:13:115:fd8 Finding Responder Policy for SRC=x.x.x.x.0000 DST=x.x.x.x.0000, SRCMask=255.255.0.0, DSTMask=255.255.255.0, Prot=0 InTunnelEndpt aa56a6d9 OutTunnelEndpt 9748293e
12-20: 10:51:13:115:fd8 QM PolicyName: ISA Server XXXXX QM Policy dwFlags 0
12-20: 10:51:13:115:fd8 QMOffer[0] LifetimeKBytes 0 LifetimeSec 28800
12-20: 10:51:13:115:fd8 QMOffer[0] dwFlags 0 dwPFSGroup 0
12-20: 10:51:13:115:fd8 Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: SHA
12-20: 10:51:13:115:fd8 Policy too general
12-20: 10:51:13:115:fd8 Phase 2 SA accepted: proposal=3 transform=1
12-20: 10:51:13:115:fd8 Adding default policy for SRC=000011ac.0000 DST=0040ef0a.0000, SRCMask=0000ffff, DSTMask=00ffffff, Prot=0, TunnelFilter 1, TunnelAddr aa56a6d9
12-20: 10:51:13:115:fd8 Failed to add dynamic transport filter 13016
12-20: 10:51:13:115:fd8 PAAddFilter failed with 13016
12-20: 10:51:13:115:fd8 Data Protection Mode (Quick Mode)
12-20: 10:51:13:115:fd8 Source IP Address x.x.x.x Source IP Address Mask 255.255.0.0 Destination IP Address x.x.x.x Destination IP Address Mask 255.255.255.0 Protocol 0 Source Port 0 Destination Port 0 IKE Local Addr x.x.x.x IKE Peer Addr x.x.x.x IKE Source Port 500 IKE Destination Port 500 Peer Private Addr
12-20: 10:51:13:115:fd8 Preshared key ID.
Peer IP Address: x.x.x.x
12-20: 10:51:13:115:fd8 Me
12-20: 10:51:13:115:fd8 The application attempted to activate a disabled activation context.
12-20: 10:51:13:115:fd8 Processed third (ID) payload Responder. Delta Time 2 0x0 0x0
12-20: 10:51:13:115:fd8 isadb_set_status sa:01978270 centry:000E3708 status 32d8
12-20: 10:51:13:115:fd8 ProcessFailure: sa:01978270 centry:000E3708 status:32d8
12-20: 10:51:13:115:fd8 Not creating notify.
12-20: 10:51:18:37:5f8 retransmit: sa = 01922E00 centry 00000000 , count = 5

On the Cisco side we got this error message earlier:

3|Dec 17 2007 17:22:04|713119: Group = x.x.x.x, IP = 217.166.86.170, PHASE 1 COMPLETED
3|Dec 17 2007 17:22:36|713902: Group = x.x.x.x, IP = 217.166.86.170, QM FSM error (P2 struct &0x4f03958, mess id 0xa656e1c3)!
3|Dec 17 2007 17:22:36|713902: Group = x.x.x.x, IP = 217.166.86.170, Removing peer from correlator table failed, no match!
4|Dec 17 2007 17:22:36|113019: Group = x.x.x.x, Username = 217.166.86.170, IP = 217.166.86.170, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Error

Anybody got suggestions? That it even works for a little while seems to indicate the IP ranges and subnet masks are set up correctly. But I can't figure out why it won't keep working.
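An added example (not code from the original post, nor from ISA Server or Cisco): a small Python parser for Oakley and ASA log lines shaped like the ones quoted above, so the quick-mode selectors, failure codes and ASA message IDs from both ends of the tunnel can be lined up in one place. The sample lines are constructed from the post's quoted log, and the line layouts the parser assumes are only what those lines show.

```python
import re

# Constructed samples copying the shape of the Oakley and ASA lines quoted in the post above.
OAKLEY_SAMPLE = """\
12-20: 10:51:13:115:fd8 Finding Responder Policy for SRC=x.x.x.x.0000 DST=x.x.x.x.0000, SRCMask=255.255.0.0, DSTMask=255.255.255.0, Prot=0 InTunnelEndpt aa56a6d9 OutTunnelEndpt 9748293e
12-20: 10:51:13:115:fd8 Phase 2 SA accepted: proposal=3 transform=1
12-20: 10:51:13:115:fd8 Failed to add dynamic transport filter 13016
12-20: 10:51:13:115:fd8 PAAddFilter failed with 13016
12-20: 10:51:13:115:fd8 ProcessFailure: sa:01978270 centry:000E3708 status:32d8
"""
ASA_SAMPLE = """\
3|Dec 17 2007 17:22:04|713119: Group = x.x.x.x, IP = 217.166.86.170, PHASE 1 COMPLETED
3|Dec 17 2007 17:22:36|713902: Group = x.x.x.x, IP = 217.166.86.170, QM FSM error (P2 struct &0x4f03958, mess id 0xa656e1c3)!
4|Dec 17 2007 17:22:36|113019: Group = x.x.x.x, Username = 217.166.86.170, IP = 217.166.86.170, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Error
"""
OAKLEY_RE = re.compile(r"^(\d\d-\d\d: \d\d:\d\d:\d\d:\d+):([0-9a-f]+) (.*)$")  # "MM-DD: HH:MM:SS:ms:thread msg"
ASA_RE = re.compile(r"^(\d)\|([^|]+)\|(\d{6}): (.*)$")  # "severity|time|msgid: text"
SELECTOR_RE = re.compile(r"SRC=(\S+) DST=([^,]+), SRCMask=([^,]+), DSTMask=([^,]+), Prot=(\d+)")
FAIL_RE = re.compile(r"(?:transport filter|failed with) (\d+)$|ProcessFailure:.*status:([0-9a-f]+)$")
REASON_RE = re.compile(r"Reason: (.+)$")

def _records(pattern, fields, text):
    """Turn every line matching `pattern` into a dict keyed by `fields`; other lines are skipped."""
    return [dict(zip(fields, m.groups())) for m in map(pattern.match, text.splitlines()) if m]
def parse_oakley(text): return _records(OAKLEY_RE, ("time", "thread", "msg"), text)
def parse_asa(text): return _records(ASA_RE, ("sev", "time", "msgid", "text"), text)

def phase2_selectors(events):
    """Selectors ISA evaluated on the 'Finding Responder Policy' line, or None if absent."""
    for ev in events:
        m = SELECTOR_RE.search(ev["msg"])
        if m:
            return dict(zip(("src", "dst", "src_mask", "dst_mask", "proto"), m.groups()))
    return None

def oakley_failures(events):
    """(kind, code) pairs; Win32 codes are logged in decimal, SA status codes in hex, both become int."""
    matches = filter(None, (FAIL_RE.search(ev["msg"]) for ev in events))
    return [("win32", int(m.group(1))) if m.group(1) else ("status", int(m.group(2), 16)) for m in matches]

def disconnect_reason(records):
    """Reason field of the first 113019 (session disconnected) record, or None."""
    hits = [REASON_RE.search(r["text"]) for r in records if r["msgid"] == "113019"]
    return hits[0].group(1) if hits and hits[0] else None

def summary(oakley_text=OAKLEY_SAMPLE, asa_text=ASA_SAMPLE):
    ev, rec = parse_oakley(oakley_text), parse_asa(asa_text)
    return {"selectors": phase2_selectors(ev), "isa_failures": oakley_failures(ev),
            "asa_msgids": [r["msgid"] for r in rec], "reason": disconnect_reason(rec)}
```

The hex SA status 32d8 on the ProcessFailure line is 13016 in decimal, the same code the PAAddFilter line reports, so the parser normalises both to integers to make that match visible.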