Search This Blog

Wednesday, June 06, 2007

firewall-wizards Digest, Vol 14, Issue 4

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Cisco VPN reconnection every 23 minutes (Prabhu Gurumurthy)


----------------------------------------------------------------------

Message: 1
Date: Mon, 04 Jun 2007 10:34:47 -0700
From: Prabhu Gurumurthy <pgurumu@gmail.com>
Subject: Re: [fw-wiz] Cisco VPN reconnection every 23 minutes
To: ditribar <ditribar@gmx.de>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <46644D37.8080804@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Okay - I was under the impression that it was a Cisco VPN client connection to
the VPN concentrator, which is my bad, apologies.

tunnel-group REMOTE_PEER_IP type ipsec-l2l
tunnel-group REMOTE_PEER_IP general-attributes
default-group-policy vpn-unlimited
tunnel-group REMOTE_PEER_IP ipsec-attributes
pre-shared-key *

I was told by Cisco when using 7.0 version that to refrain using names for
tunnel-group and use IP address instead. I vaguely remember seeing problems like
you mentioned, but YMMV. Can you change those to IP addresses instead of names
and let me know how it goes?

I dont know what version you are using, I am using 7.2 and use IP address for
tunnel group properties and it works fine for me.

Are you using l2tp? I want to confirm that because your VPN global policy seems
to say that

Out of curiosity, can you just use plain old IPSec Lan to Lan tunnel instead of
l2tp!

Prabhu
-

ditribar wrote:
>> On IPSec negotiation, the rekey is based on lifetime or bytes. when
>> negotiation
>> takes place, the lowest value is always used. So it does not matter if one
>> is
>> higher than the other, the negotiation does not have to agree on the
>> lifetime/byte values.
>
> Correct , i just adjusted the lifetime value on PEER1 to the value on PEER2.
>
> What i still dont understand is there are two different reasons for a disconnection:
>
> 1) Peer Terminate
> 2) User Requested
>
> Which peer and what user is this?
>
> The only thing i found is that User Requested is sometimes a reason for a connection lost.
> Or does it means PPER2 initiated the disconnect?
>
>
>> Are you running IPSec VPN with udp encapsulation?
>
> ipsec-udp disable (see config below)
>
>
> No i dont (UDP diabled). It uses TCP.
>
>
>> I have seen problems with them, because some SOHO firewalls like netgear
>> etc,
>> treat them as UDP connections and closes the state after a predetermined
>> amount
>> of time.
>>
>> The way that you can see is if you run tcpdump/ethereal you will see heck
>> a lot
>> of UDP packets going between the client and the VPN concentrator.
>>
>> If that is the case, two ways to fix it:
>>
>> 1. Disable SPI on the SOHO router/firewall (very bad, not recommended)
>> 2. Disable UDP encapsulation and enable ESP to flow, i.e you will see
>> protocol
>> 50 for the IP header, instead of protocol 17, all newer routers/firewalls
>> allow
>> them through.
>
> What i see is that the client on PEER1 is trying to send a TCP Retransmission packet after the tunnel got disconnected.
>
>> Can you forward crypto config from the Cisco VPN concentrator?
>>
>
>
> ===== Crypto map =====
>
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
>
> crypto map outside_map 61 match address outside_61_cryptomap
> crypto map outside_map 61 set pfs
> crypto map outside_map 61 set peer REMOTE_PEER_IP
> crypto map outside_map 61 set transform-set ESP-3DES-MD5
> crypto map outside_map 61 set security-association lifetime seconds 3600
>
> crypto map outside_map interface outside
> crypto isakmp enable outside
>
> crypto isakmp policy 10
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
> crypto isakmp policy 30
> authentication pre-share
> encryption aes-256
> hash sha
> group 2
> lifetime 86400
> crypto isakmp policy 50
> authentication pre-share
> encryption 3des
> hash md5
> group 2
> lifetime 86400
> tunnel-group REMOTE_PEER_IP type ipsec-l2l
> tunnel-group REMOTE_PEER_IP general-attributes
> default-group-policy vpn-unlimited
> tunnel-group REMOTE_PEER_IP ipsec-attributes
> pre-shared-key *
>
>
> ====== Group Policy =====
>
> group-policy vpn-unlimited attributes
> vpn-access-hours none
> vpn-simultaneous-logins 3
> vpn-idle-timeout none
> vpn-session-timeout none
> vpn-filter none
> vpn-tunnel-protocol IPSec l2tp-ipsec
> password-storage disable
> ip-comp disable
> re-xauth disable
> group-lock value REMOTE_PEER_IP
> pfs disable
> ipsec-udp disable
> intercept-dhcp 255.255.255.255 disable
> secure-unit-authentication disable
> user-authentication disable
> user-authentication-idle-timeout none
> ip-phone-bypass disable
> leap-bypass disable
> nem disable
> backup-servers keep-client-config
> msie-proxy server none
> msie-proxy method no-modify
> msie-proxy except-list none
> msie-proxy local-bypass disable
> nac disable
> nac-sq-period 300
> nac-reval-period 36000
> nac-default-acl none
> client-firewall none
> client-access-rule none
> webvpn
> functions none
> html-content-filter none
> homepage none
> keep-alive-ignore 4
> http-comp gzip
> filter none
> url-list none
> customization none
> port-forward none
> port-forward-name value Application Access
> sso-server none
> deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
> svc none
> svc keep-installer installed
> svc keepalive none
> svc rekey time none
> svc rekey method none
> svc dpd-interval client 60
> svc dpd-interval gateway 60
> svc compression deflate
> vpn-nac-exempt none
>
>
> show crypto ipsec sa
> interface: outside
> Crypto map tag: outside_map, seq num: 61, local addr: LOCAL_PEER1_IP
>
> access-list outside_61_cryptomap permit ip LOCAL_LAN_NET_IP LOCAL_LAN_NET_MASK host REMOTE_LAN_IP
> local ident (addr/mask/prot/port): (LOCAL_LAN_NET_IP/LOCAL_LAN_NET_MASK/0/0)
> remote ident (addr/mask/prot/port): (REMOTE_LAN_IP/255.255.255.255/0/0)
> current_peer: REMOTE_PEER_IP
>
> #pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
> #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 20, #pkts comp failed: 0, #pkts decomp failed: 0
> #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
> #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
> #send errors: 0, #recv errors: 0
>
> local crypto endpt.: LOCAL_PEER1_IP, remote crypto endpt.: REMOTE_PEER_IP
>
> path mtu 1500, ipsec overhead 58, media mtu 1500
> current outbound spi: A2E47E62
>
> inbound esp sas:
> spi: 0x8A930C7F (2324892799)
> transform: esp-3des esp-md5-hmac none
> in use settings ={L2L, Tunnel, PFS Group 2, }
> slot: 0, conn_id: 4433, crypto-map: outside_map
> sa timing: remaining key lifetime (kB/sec): (3824999/3341)
> IV size: 8 bytes
> replay detection support: Y
> outbound esp sas:
> spi: 0xA2E47E62 (2732883554)
> transform: esp-3des esp-md5-hmac none
> in use settings ={L2L, Tunnel, PFS Group 2, }
> slot: 0, conn_id: 4433, crypto-map: outside_map
> sa timing: remaining key lifetime (kB/sec): (3824998/3341)
> IV size: 8 bytes
> replay detection support: Y
>
>
> On all INTERFACEs it is
>
> fragmentation INTERFACE before-encryption
>
>
> show crypto isakmp sa
>
> Active SA: 1
> Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
> Total IKE SA: 1
>
> 1 IKE Peer: REMOTE_PEER_IP
> Type : L2L Role : initiator
> Rekey : no State : MM_ACTIVE
>
>
> show crypto isakmp ipsec-over-tcp stats
>
> Global IPSec over TCP Statistics
> --------------------------------
> Embryonic connections: 0
> Active connections: 0
> Previous connections: 0
> Inbound packets: 0
> Inbound dropped packets: 0
> Outbound packets: 0
> Outbound dropped packets: 0
> RST packets: 0
> Recevied ACK heart-beat packets: 0
> Bad headers: 0
> Bad trailers: 0
> Timer failures: 0
> Checksum errors: 0
> Internal errors: 0
>
> show crypto protocol statistics all
> [IKEv1 statistics]
> Encrypt packet requests: 120048
> Encapsulate packet requests: 120048
> Decrypt packet requests: 117999
> Decapsulate packet requests: 117999
> HMAC calculation requests: 146409
> SA creation requests: 1686
> SA rekey requests: 22
> SA deletion requests: 4891
> Next phase key allocation requests: 6092
> Random number generation requests: 0
> Failed requests: 0
> [IKEv2 statistics]
> Encrypt packet requests: 0
> Encapsulate packet requests: 0
> Decrypt packet requests: 0
> Decapsulate packet requests: 0
> HMAC calculation requests: 0
> SA creation requests: 0
> SA rekey requests: 0
> SA deletion requests: 0
> Next phase key allocation requests: 0
> Random number generation requests: 0
> Failed requests: 0
> [IPsec statistics]
> Encrypt packet requests: 127490
> Encapsulate packet requests: 127490
> Decrypt packet requests: 119951
> Decapsulate packet requests: 119951
> HMAC calculation requests: 247441
> SA creation requests: 6062
> SA rekey requests: 30
> SA deletion requests: 6482
> Next phase key allocation requests: 0
> Random number generation requests: 0
> Failed requests: 0
> [SSL statistics]
> Encrypt packet requests: 398182
> Encapsulate packet requests: 398182
> Decrypt packet requests: 4875
> Decapsulate packet requests: 4875
> HMAC calculation requests: 403057
> SA creation requests: 3967
> SA rekey requests: 0
> SA deletion requests: 3967
> Next phase key allocation requests: 0
> Random number generation requests: 0
> Failed requests: 0
> [SSH statistics are not supported]
> [SRTP statistics are not supported]
> [Other statistics]
> Encrypt packet requests: 0
> Encapsulate packet requests: 0
> Decrypt packet requests: 0
> Decapsulate packet requests: 0
> HMAC calculation requests: 16362
> SA creation requests: 0
> SA rekey requests: 0
> SA deletion requests: 0
> Next phase key allocation requests: 0
> Random number generation requests: 30568
> Failed requests: 0
>
>
> show crypto accelerator statistics
>
> Crypto Accelerator Status
> -------------------------
> [Capability]
> Supports hardware crypto: True
> Supports modular hardware crypto: False
> Max accelerators: 1
> Max crypto throughput: 50 Mbps
> Max crypto connections: 250
> [Global Statistics]
> Number of active accelerators: 1
> Number of non-operational accelerators: 0
> Input packets: 124682
> Input bytes: 18397412
> Output packets: 525537
> Output error packets: 0
> Output bytes: 143599804
>
> [Accelerator 0]
> Status: OK
> Software crypto engine
> Slot: 0
> Active time: 14256241 seconds
> Total crypto transforms: 55911
> Total dropped packets: 0
> [Input statistics]
> Input packets: 0
> Input bytes: 83248
> Input hashed packets: 0
> Input hashed bytes: 0
> Decrypted packets: 0
> Decrypted bytes: 83248
> [Output statistics]
> Output packets: 0
> Output bad packets: 0
> Output bytes: 597288
> Output hashed packets: 0
> Output hashed bytes: 0
> Encrypted packets: 0
> Encrypted bytes: 597496
> [Diffie-Hellman statistics]
> Keys generated: 0
> Secret keys derived: 0
> [RSA statistics]
> Keys generated: 15
> Signatures: 14
> Verifications: 0
> Encrypted packets: 0
> Encrypted bytes: 0
> Decrypted packets: 0
> Decrypted bytes: 0
> [DSA statistics]
> Keys generated: 0
> Signatures: 0
> Verifications: 0
> [SSL statistics]
> Outbound records: 0
> Inbound records: 0
> [RNG statistics]
> Random number requests: 97
> Random number request failures: 0
>
> [Accelerator 1]
> Status: OK
> Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x 0)
> Boot microcode : CNlite-MC-Boot-Cisco-1.2
> SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
> IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
> Slot: 1
> Active time: 14256255 seconds
> Total crypto transforms: 1307288
> Total dropped packets: 0
> [Input statistics]
> Input packets: 124683
> Input bytes: 18314428
> Input hashed packets: 119809
> Input hashed bytes: 9333356
> Decrypted packets: 124684
> Decrypted bytes: 14084580
> [Output statistics]
> Output packets: 525539
> Output bad packets: 0
> Output bytes: 143003844
> Output hashed packets: 127357
> Output hashed bytes: 13210864
> Encrypted packets: 525539
> Encrypted bytes: 136827532
> [Diffie-Hellman statistics]
> Keys generated: 3281
> Secret keys derived: 2832
> [RSA statistics]
> Keys generated: 0
> Signatures: 0
> Verifications: 0
> Encrypted packets: 0
> Encrypted bytes: 0
> Decrypted packets: 0
> Decrypted bytes: 0
> [DSA statistics]
> Keys generated: 0
> Signatures: 0
> Verifications: 0
> [SSL statistics]
> Outbound records: 398182
> Inbound records: 4875
> [RNG statistics]
> Random number requests: 30465
> Random number request failures: 0
>
>
>> Hope this helps.
>> Prabhu
>> -
>>
>>
>> Paul Murphy wrote:
>>> Have you checked your rekey duration on both sides? It looks like one
>> peer
>>> has a considerably shorter rekey value.
>>>
>>> Thanks,
>>>
>>> Paul Murphy
>>>
>>>
>>>
>>>
>>>
>>
>>> ditribar@gmx.de
>>
>>> Sent by:
>>
>>> firewall-wizards-
>> To
>>> bounces@listserv.
>> firewall-wizards@honor.icsalabs.com
>>> icsalabs.com
>> cc
>>>
>>
>>>
>> Subject
>>> 05/31/2007 12:24 [fw-wiz] Cisco VPN reconnection
>>
>>> PM every 23 minutes
>>
>>>
>>
>>>
>>
>>> Please respond to
>>
>>> Firewall Wizards
>>
>>> Security Mailing
>>
>>> List
>>
>>> <firewall-wizards
>>
>>> @listserv.icsalab
>>
>>> s.com>
>>
>>>
>>
>>>
>>
>>>
>>>
>>>
>>> can anybody help me to solve the following problem?
>>>
>>> A VPN Tunnel is established and working so far, but the connection
>> gets
>>> reconnected about every 23 minutes.
>>>
>>> Here are some logs whats happening on PEER1 (AAA.BBB.CCC.DDD) (CISCO
>>> ASA 5500):
>>>
>>> Peer connect
>>>
>>> 2007-05-31T17:30:08+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP
>> =
>>> REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer
>>> REMOTE_PEER_IP local Proxy Address LOCAL_PROXY_IP, remote Proxy Address
>>> REMOTE_LAN_IP, Crypto map (outside_map)
>>> 2007-05-31T17:30:10+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903:
>>> Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously
>> allocated
>>> memory for authorization-dn-attributes
>>> 2007-05-31T17:30:10+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group
>> =
>>> REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
>>> 2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073:
>> Group
>>> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec
>>> rekeying duration from 28800 to 3600 seconds
>>> 2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049:
>> Group
>>> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for
>>> LAN-to-LAN Group (REMOTE_PEER_IP) Initiator, Inbound SPI = 0x8d72d873,
>>> Outbound SPI = 0xee7d09b6
>>> 2007-05-31T17:30:11+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120:
>> Group
>>> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED
>> (msgid=2a2a6615)
>>> Peer disconnect again
>>>
>>> 2007-05-31T17:53:46+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713050:
>> Group
>>> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Connection terminated for peer
>>> REMOTE_PEER_IP. Reason: Peer Terminate Remote Proxy N/A, Local Proxy
>> N/A
>>> 2007-05-31T17:53:46+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019:
>>> Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP,
>>> Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:23m:36s,
>>> Bytes xmt: 6572, Bytes rcv: 7772, Reason: User Requested
>>> 2007-05-31T17:53:58+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP
>> =
>>> REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer
>>> REMOTE_PEER_IP local Proxy Address LOCAL_PROXY_IP, remote Proxy Address
>>> REMOTE_LAN_IP, Crypto map (outside_map)
>>> 2007-05-31T17:54:00+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903:
>>> Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously
>> allocated
>>> memory for authorization-dn-attributes
>>> 2007-05-31T17:54:00+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group
>> =
>>> REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
>>> 2007-05-31T17:54:01+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073:
>> Group
>>> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec
>>> rekeying duration from 28800 to 3600 seconds
>>> 2007-05-31T17:54:01+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049:
>> Group
>>> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for
>>> LAN-to-LAN Group (REMOTE_PEER_IP) Initiator, Inbound SPI = 0x695fe990,
>>> Outbound SPI = 0x792e9c57
>>> 2007-05-31T17:54:01+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120:
>> Group
>>> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED
>> (msgid=b6a126bc)
>>> Manual disconnect
>>>
>>> 2007-05-31T18:00:32+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019:
>>> Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP,
>>> Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:06m:31s,
>>> Bytes xmt: 0, Bytes rcv: 0, Reason: Administrator Reset
>>> 2007-05-31T18:00:32+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713050:
>> Group
>>> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Connection terminated for peer
>>> REMOTE_PEER_IP. Reason: Administrator Reset Remote Proxy
>> REMOTE_LAN_IP,
>>> Local Proxy LOCAL_PROXY_IP
>>> 2007-05-31T18:00:39+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP
>> =
>>> REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer
>>> REMOTE_PEER_IP local Proxy Address LOCAL_PROXY_IP, remote Proxy Address
>>> REMOTE_LAN_IP, Crypto map (outside_map)
>>> 2007-05-31T18:00:40+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903:
>>> Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously
>> allocated
>>> memory for authorization-dn-attributes
>>> 2007-05-31T18:00:40+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group
>> =
>>> REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
>>> 2007-05-31T18:00:41+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073:
>> Group
>>> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec
>>> rekeying duration from 28800 to 3600 seconds
>>> 2007-05-31T18:00:41+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049:
>> Group
>>> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for
>>> LAN-to-LAN Group (REMOTE_PEER_IP) Initiator, Inbound SPI = 0x6bccacec,
>>> Outbound SPI = 0x7a216c5f
>>> 2007-05-31T18:00:41+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120:
>> Group
>>> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED
>> (msgid=fe0bd283)
>>> Peer disconnect again
>>>
>>> 2007-05-31T18:24:12+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713050:
>> Group
>>> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Connection terminated for peer
>>> REMOTE_PEER_IP. Reason: Peer Terminate Remote Proxy N/A, Local Proxy
>> N/A
>>> 2007-05-31T18:24:12+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-113019:
>>> Group = REMOTE_PEER_IP, Username = REMOTE_PEER_IP, IP = REMOTE_PEER_IP,
>>> Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:23m:32s,
>>> Bytes xmt: 6104, Bytes rcv: 6616, Reason: User Requested
>>> 2007-05-31T18:25:52+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713041: IP
>> =
>>> REMOTE_PEER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer
>>> REMOTE_PEER_IP local Proxy Address LOCAL_PROXY_IP, remote Proxy Address
>>> REMOTE_LAN_IP, Crypto map (outside_map)
>>> 2007-05-31T18:25:54+0100 AAA.BBB.CCC.DDD warning local4 %ASA-4-713903:
>>> Group = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Freeing previously
>> allocated
>>> memory for authorization-dn-attributes
>>> 2007-05-31T18:25:54+0100 AAA.BBB.CCC.DDD err local4 %ASA-3-713119: Group
>> =
>>> REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 1 COMPLETED
>>> 2007-05-31T18:25:55+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713073:
>> Group
>>> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Responder forcing change of IPSec
>>> rekeying duration from 28800 to 3600 seconds
>>> 2007-05-31T18:25:55+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713049:
>> Group
>>> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, Security negotiation complete for
>>> LAN-to-LAN Group (REMOTE_PEER_IP) Initiator, Inbound SPI = 0xba41c143,
>>> Outbound SPI = 0xb16e5642
>>> 2007-05-31T18:25:55+0100 AAA.BBB.CCC.DDD notice local4 %ASA-5-713120:
>> Group
>>> = REMOTE_PEER_IP, IP = REMOTE_PEER_IP, PHASE 2 COMPLETED
>> (msgid=c825a866)
>>> ..... disconnect occurs about every 23 minutes
>>>
>>>
>>> Any ideas?
>>>
>>> Kind regards
>>>
>>> ditribar
>>> --
>>> Ist Ihr Browser Vista-kompatibel? Jetzt die neuesten
>>> Browser-Versionen downloaden: http://www.gmx.net/de/go/browser
>>> _______________________________________________
>>> firewall-wizards mailing list
>>> firewall-wizards@listserv.icsalabs.com
>>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>>>
>>> _______________________________________________
>>> firewall-wizards mailing list
>>> firewall-wizards@listserv.icsalabs.com
>>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>>>
>> _______________________________________________
>> firewall-wizards mailing list
>> firewall-wizards@listserv.icsalabs.com
>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 14, Issue 4
***********************************************

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)