[fw-wiz] CVPN3000 Tunnel Renegotiation Problems
We have an IPSec LAN-to-LAN tunnel configured between a VPN1 and
CVPN3015 that will drop once or twice a week. When it drops it seems to
be unable to complete phase 1 negotiation for a new tunnel for long
periods of time, although it tries constantly.

Here's what we're seeing in the CVPN log:
Apr 18 06:43:13 CVPN3015 7611550 04/18/2006 06:45:01.510 SEV=8 IKEDBG/84
RPT=3969 10.54.41.59 Group [10.54.41.59] QM IsRekeyed sa already being
Apr 18 06:43:13 CVPN3015 7611551 04/18/2006 06:45:01.510 SEV=4 IKEDBG/97
RPT=5020 10.54.41.59 Group [10.54.41.59] QM FSM error (P2 struct
&0x77d717c, mess id 0xcbd52404)!
Apr 18 06:43:13 CVPN3015 7611554 04/18/2006 06:45:01.510 SEV=7 IKEDBG/65
RPT=5075 10.54.41.59 Group [10.54.41.59] IKE QM Responder FSM error
history (struct &0x77d717c)
, : QM_DONE, EV_ERROR
QM_BLD_MSG2, EV_IS_REKEY QM_BLD_MSG2, EV_CONFIRM_SA QM_BLD_MSG2, EV_PROC_MSG
Apr 18 06:43:13 CVPN3015 7611557 04/18/2006 06:45:01.510 SEV=9 IKEDBG/0
RPT=859163 sending delete/delete with reason message

When we look up IKEDBG/84 on the Cisco support site we get "This Debug
event is for Cisco Engineering purposes only." IKEDBG/97 returns "This
event indicates an error has occurred within the phase 2 state machine."

We've requested logging data from the far end but won't have it for
another day or so.

Anyone have an idea what's wrong here?
firewall-wizards mailing list