
I have 2 locations. At each location a Cisco RV042 VPN device is installed. The link between the locations is optical fiber and the ISP is the same. The link speed at location A is symmetric 3/3 Mbps with a static address. The link speed at location B is 10/10 Mbps, also with a static IP address. The distance between the locations is 350 km.

When I create an IPsec VPN tunnel between the offices, everything works fine for about 10 minutes and then it crashes. After some time the connection is back and then fails again after a couple of minutes. For test purposes, I created another IPsec tunnel from my home to locations A and B. I have ADSL 4 Mb/512 kb with a dynamic IP address. Everything works fine between my home and location A, the connection never crashes, but at the same time location B keeps crashing from location A and from my test device. I contacted the ISP and they told me to change the MTU.

I changed the MTU from 1500 down to 1100 in steps of 10, but no luck. I went to location B and swapped the device for the one that worked from my home lab, and still the same problem. The ISP did some tests but, as they said, everything is OK on their side. Here are some logs from my device:

System Log   NSD SUCCESS WAN[1]  Sep 24 13:10:28 2011
System Log   NSD FAIL WAN[1]  Sep 24 13:16:18 2011
System Log   NSD SUCCESS WAN[1]  Sep 24 13:20:48 2011
System Log   NSD FAIL WAN[1]  Sep 24 13:24:08 2011
System Log   NSD SUCCESS WAN[1]  Sep 24 13:27:18 2011
System Log   NSD FAIL WAN[1]  Sep 24 13:35:08 2011
System Log   NSD SUCCESS WAN[1]  Sep 24 13:39:38 2011
System Log   NSD FAIL WAN[1]  Sep 24 13:46:28 2011
System Log   NSD SUCCESS WAN[1]  Sep 24 13:49:38 2011
System Log   NSD FAIL WAN[1]  Sep 24 13:55:58 2011
System Log   NSD SUCCESS WAN[1]  Sep 24 14:00:28 2011
System Log   NSD FAIL WAN[1]  Sep 24 14:07:48 2011
System Log   NSD SUCCESS WAN[1]  Sep 24 14:10:18 2011
System Log   NSD FAIL WAN[1]  Sep 24 14:16:09 2011
System Log   NSD SUCCESS WAN[1]  Sep 24 14:19:19 2011
System Log   NSD FAIL WAN[1]  Sep 24 14:24:39 2011
System Log   NSD SUCCESS WAN[1]  Sep 24 14:27:49 2011
System Log   NSD FAIL WAN[1]  Sep 24 14:33:09 2011
System Log   NSD SUCCESS WAN[1]  Sep 24 14:36:19 2011
System Log   NSD FAIL WAN[1]  Sep 24 14:42:39 2011

Is there anyone with a similar problem, or any idea? Thanks in advance.

Here is more output:

VPN Log (g2gips0) #3694: Peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
VPN Log (g2gips0) #3694: responding to Aggressive Mode, state #3694, connection 'g2gips0' from xxx.xxx.xxx.xxx
VPN Log (g2gips0) #3694: [Tunnel Negotiation Info] >>> Responder Send Aggressive Mode 2nd packet
VPN Log (g2gips0) #3694: [Tunnel Negotiation Info] >>> Responder Send Aggressive Mode 2nd packet
VPN Log (g2gips0) #3691: max number of retransmissions (2) reached STATE_AGGR_R1
VPN Log (g2gips0) #3691: max number of retransmissions (2) reached STATE_AGGR_R1
VPN Log packet from xxx.xxx.xxx.xxx:500: received Vendor ID payload [Dead Peer Detection]
VPN Log packet from xxx.xxx.xxx.xxx:500: received Vendor ID payload [Dead Peer Detection]
VPN Log packet from xxx.xxx.xxx.xxx:500: [Tunnel Negotiation Info] <<< Responder Received Aggressive Mode 1st packet
VPN Log packet from xxx.xxx.xxx.xxx:500: [Tunnel Negotiation Info] <<< Responder Received Aggressive Mode 1st packet

peca
  • I would suggest looking into debugging to see exactly what's occurring. Specifically, this sounds like a problem with the IKE key renegotiation timer and the renegotiations. Are both Cisco RV042 on the same firmware version? Another suggestion is to perform a packet capture. Surprisingly, I'm facing a firmware bug right now related to my side trying to offer dead peer detection even though it's disabled. I was only able to see this through a packet capture. – mbrownnyc Sep 27 '11 at 20:33
  • Yes, both devices are on the same firmware version. Thanks for the suggestion about the IKE key. I will try that now. – peca Sep 27 '11 at 20:40
  • Also, I'm not familiar with [the hardware](http://www.cisco.com/en/US/docs/routers/csbr/rv0xx/administration/guide/rv0xx_AG_78-19576.pdf), but if there's something like a keep alive option (which likely sends some packets over the line every once in a while), try enabling that... although, the tunnel should be brought back up once traffic is trying to be sent over it. Also, come to think of it, try to see if it drops when a ping is sent very infrequently, maybe once during the entire P1 keylife? once during the P2 keylife? – mbrownnyc Sep 27 '11 at 20:48
  • Keep alive is enabled on both devices, and Dead Peer Detection is enabled as well. The tunnel breaks before the P1 or P2 lifetime is exceeded. It does not stay up for more than 7 minutes. I cannot pin down the problem because the same VPN device with the same configuration (except the IP address) works on the ADSL connection on one side, which connects to location A. – peca Sep 27 '11 at 21:03
  • And when you send a ping across the line? – mbrownnyc Sep 28 '11 at 13:37
  • I can ping servers, PCs, gateways... on both sides when the tunnel is established (from location A to location B and vice versa). I use ping ip.addr.of.remote -n 1000, but after a couple of minutes the connection goes down whether traffic goes through the tunnel or not. – peca Sep 28 '11 at 16:10
  • This is quite interesting. Did you try to find a debugging facility within the device? Did you try putting a packet sniffer in-line past the devices? – mbrownnyc Sep 28 '11 at 20:34
  • Here is complete output from debugging. Note that my ip address is replaced with xxx.xxx.xxx.xxx: – peca Sep 29 '11 at 19:45
  • I obviously can't see that... but it's a matter of troubleshooting what exactly is happening when the tunnel drops. For instance, is it a renegotiation problem? The best way, and I think the best way to analyze the problem, is putting a packet capture device between "the internet" and your VPN device. You should be able to capture the IKE transmissions, and see many more things... It should give you very very detailed information and hopefully help you see exactly what's dropping and when. – mbrownnyc Sep 30 '11 at 18:01
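The NSD (Network Service Detection) entries in the question are a WAN-side liveness probe, not a tunnel log, so they can be used to separate "the link itself flaps" from "IKE rekeying fails". The script below is an added example, not code from the original post or from Cisco: it parses the NSD lines as retyped from the question (with the "System Log" prefix removed), pairs each SUCCESS/FAIL transition into up and down intervals, and checks whether any up interval ever reached an SA lifetime. The 3600 s Phase 2 lifetime used at the bottom is an assumed value, not one stated in the post. Separately, the VPN log shows the tunnel negotiating in IKEv1 Aggressive Mode; with pre-shared keys that mode lets anyone who captures the exchange attack the PSK offline, so Main Mode is the safer choice once the link is stable.

```python
import re
from datetime import datetime
from statistics import mean

# Added example, not code from the original post. The log text below is the
# NSD table from the question, retyped with the "System Log" prefix removed.
NSD_LOG = """\
NSD SUCCESS WAN[1]  Sep 24 13:10:28 2011
NSD FAIL WAN[1]  Sep 24 13:16:18 2011
NSD SUCCESS WAN[1]  Sep 24 13:20:48 2011
NSD FAIL WAN[1]  Sep 24 13:24:08 2011
NSD SUCCESS WAN[1]  Sep 24 13:27:18 2011
NSD FAIL WAN[1]  Sep 24 13:35:08 2011
NSD SUCCESS WAN[1]  Sep 24 13:39:38 2011
NSD FAIL WAN[1]  Sep 24 13:46:28 2011
NSD SUCCESS WAN[1]  Sep 24 13:49:38 2011
NSD FAIL WAN[1]  Sep 24 13:55:58 2011
NSD SUCCESS WAN[1]  Sep 24 14:00:28 2011
NSD FAIL WAN[1]  Sep 24 14:07:48 2011
NSD SUCCESS WAN[1]  Sep 24 14:10:18 2011
NSD FAIL WAN[1]  Sep 24 14:16:09 2011
NSD SUCCESS WAN[1]  Sep 24 14:19:19 2011
NSD FAIL WAN[1]  Sep 24 14:24:39 2011
NSD SUCCESS WAN[1]  Sep 24 14:27:49 2011
NSD FAIL WAN[1]  Sep 24 14:33:09 2011
NSD SUCCESS WAN[1]  Sep 24 14:36:19 2011
NSD FAIL WAN[1]  Sep 24 14:42:39 2011
"""

LINE_RE = re.compile(
    r"NSD (?P<state>SUCCESS|FAIL) WAN\[(?P<wan>\d+)\]\s+"
    r"(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
)


def parse_nsd(text):
    """Return a list of (timestamp, wan_index, state) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S %Y")
            events.append((ts, int(m.group("wan")), m.group("state")))
    events.sort()
    return events


def flap_intervals(events):
    """Split alternating SUCCESS/FAIL events into up and down durations (seconds).

    A SUCCESS followed by a FAIL is an "up" interval; a FAIL followed by a
    SUCCESS is a "down" interval. Repeated identical states are skipped.
    """
    ups, downs = [], []
    prev_ts = prev_state = None
    for ts, _wan, state in events:
        if prev_state is not None and state != prev_state:
            seconds = (ts - prev_ts).total_seconds()
            (ups if prev_state == "SUCCESS" else downs).append(seconds)
        prev_ts, prev_state = ts, state
    return ups, downs


def exceeds_lifetime(ups, lifetime_seconds):
    """True if any up interval lasted at least one SA lifetime.

    If the link always drops well before a rekey is due, rekeying cannot be
    the trigger. The lifetime is a parameter because it is an assumption
    about the tunnel configuration, not a value taken from the post.
    """
    return any(up >= lifetime_seconds for up in ups)


if __name__ == "__main__":
    ev = parse_nsd(NSD_LOG)
    ups, downs = flap_intervals(ev)
    print(f"{len(ev)} events, {len(ups)} outages")
    print(f"up:   min {min(ups):.0f}s  mean {mean(ups):.0f}s  max {max(ups):.0f}s")
    print(f"down: min {min(downs):.0f}s  mean {mean(downs):.0f}s  max {max(downs):.0f}s")
    # Assumed Phase 2 lifetime of 3600 s; adjust to the tunnel's real setting.
    print("rekey could be involved:", exceeds_lifetime(ups, 3600))
```

On the posted log the longest up interval is 470 s and the shortest outage 150 s, so the WAN is down long before any plausible rekey and the flapping is visible to the router's own probe without any IPsec traffic, which is consistent with the routing problem the asker eventually found upstream.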

2 Answers


Are either of the RV042 behind a firewall? Have you tried an older firmware on both? Can you get a third RV042 and try swapping out site B then try site A? Do both RV042 have identical date / time (do they look at the same NTP server)?

orbitron
  • No, they are not behind a firewall. Tried old firmware. As I mentioned, both RV042s were changed and swapped, and if I connect the one that "doesn't" work to the other ISP, which has the ADSL line, everything works fine. Also, the time and date were first set from the same NTP server, then I set the time manually. Thanks for the advice. BR – peca Oct 03 '11 at 12:49

The problem was on the ISP side. My IP address was propagated to two different subnets through BGP. Thanks all for participating.

Regards,

peca