
Problem with UTM 9 connection to Azure

Hi All,

We have UTM 9 and the firmware version is 9.603-1. We have established a VPN connection to Azure. We already have one other connection to our branch. We could not find the reason, but it starts to give duplicate message problems and then the connection with Azure drops. It happens every 2-4 days.

2019:07:10-15:18:45 utm pluto[6401]: "S_REF_IpsSitAzure_0" #397: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)

2019:07:10-15:18:45 utm pluto[6401]: "S_REF_IpsSitAzure_0" #397: sending encrypted notification INVALID_MESSAGE_ID to 168.63.44.99:500

2019:07:10-15:18:45 utm pluto[6401]: "S_REF_IpsSitAzure_0" #397: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x02000000 (perhaps this is a duplicated packet)

2019:07:10-15:18:45 utm pluto[6401]: "S_REF_IpsSitAzure_0" #397: sending encrypted notification INVALID_MESSAGE_ID to *:500

If the VPN is working, there is no error message and everything is working fine.

We are using policy-based routing. We have tried to connect to Azure with a route-based policy, but we could not connect. Microsoft says that route-based policies are much more stable compared to policy-based ones.

Can somebody suggest some resolution for this ? Thanks in advance.

Sedat EU 



  • Hi Sedat,

    Unfortunately, Route Based is not compatible with the UTM and there aren't any workarounds (as it will also need IKEv2).

    It looks like you may have a misconfiguration in the key lifetimes. Have you confirmed all the settings? If you want to post your config, that would be helpful.

    Emile
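
A way to triage pluto logs like the ones quoted in this thread, as an added example that is not part of the original posts or of Sophos UTM: it groups events by connection and ISAKMP state number, counts the rejected duplicate Message IDs and the time they span, and collects the subnet pairs pluto refused with "no connection is known". The function names `summarize` and `report` are hypothetical; the sample lines are copied from the thread's log.

```python
import re
from collections import Counter
from datetime import datetime
# Sample input: lines copied from the log excerpts quoted in this thread.
SAMPLE = """\
2019:07:07-05:05:32 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: cannot respond to IPsec SA request because no connection is known for 192.168.0.0/16===LocalWANIP[LocalWANIP]...AzureWANIP[AzureWANIP]===10.4.0.0/16
2019:07:07-05:05:33 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
2019:07:07-05:05:37 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
2019:07:07-05:06:14 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
2019:07:07-05:06:29 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: received Delete SA payload: deleting ISAKMP State #140
2019:07:07-05:06:29 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: cannot respond to IPsec SA request because no connection is known for 192.168.0.0/16===LocalWANIP[LocalWANIP]...AzureWANIP[AzureWANIP]===10.4.0.0/16
2019:07:07-05:06:30 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
"""
LINE = re.compile(r'^(\S+) \S+ pluto\[\d+\]: "([^"]+)" #(\d+): (.*)$')
SELECTOR = re.compile(r"no connection is known for (\S+?)===.*===(\S+)$")
DUP_ID = re.compile(r"previously used Message ID (0x[0-9a-fA-F]+)")

def summarize(log_text):
    """Group pluto events by (connection name, state number)."""
    states = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines without a state number, e.g. "packet from ..."
        ts, conn, state, msg = m.groups()
        s = states.setdefault((conn, int(state)), {
            "dup_ids": Counter(), "dup_times": [],
            "rejected_selectors": set(), "peer_deleted": False})
        dup, sel = DUP_ID.search(msg), SELECTOR.search(msg)
        if dup:  # pluto rejected a Quick Mode message with a reused Message ID
            s["dup_ids"][dup.group(1)] += 1
            s["dup_times"].append(datetime.strptime(ts, "%Y:%m:%d-%H:%M:%S"))
        elif sel:  # proposed subnet pair matched no configured connection
            s["rejected_selectors"].add(sel.groups())
        elif "received Delete SA payload: deleting ISAKMP State" in msg:
            s["peer_deleted"] = True
    return states

def report(states):
    """Rows of (conn, state, duplicates, span_seconds, selectors, peer_deleted)."""
    rows = []
    for (conn, state), s in sorted(states.items()):
        t = s["dup_times"]
        span = int((t[-1] - t[0]).total_seconds()) if t else 0
        rows.append((conn, state, sum(s["dup_ids"].values()), span,
                     sorted(s["rejected_selectors"]), s["peer_deleted"]))
    return rows

if __name__ == "__main__": print(*report(summarize(SAMPLE)), sep="\n")
```

A subnet pair listed in `rejected_selectors` is one the peer proposed for an IPsec SA that matched no connection configured on the UTM, so it is worth comparing against the local and remote networks defined on both ends.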

  •  

    and the logs, it starts with duplicate messages and after 1-2 minutes, it drops the session and needs to restart to reconnect or restart the connection.

     

    2019:07:07-05:05:32 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: responding to Main Mode

    2019:07:07-05:05:32 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: Peer ID is ID_IPV4_ADDR: 'AzureWANIP'

    2019:07:07-05:05:32 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: sent MR3, ISAKMP SA established

    2019:07:07-05:05:32 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: cannot respond to IPsec SA request because no connection is known for 192.168.0.0/16===LocalWANIP[LocalWANIP]...AzureWANIP[AzureWANIP]===10.4.0.0/16

    2019:07:07-05:05:32 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: sending encrypted notification INVALID_ID_INFORMATION to AzureWANIP:500

    2019:07:07-05:05:33 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)

    2019:07:07-05:05:33 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: sending encrypted notification INVALID_MESSAGE_ID to AzureWANIP:500

    2019:07:07-05:05:34 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)

    2019:07:07-05:05:34 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: sending encrypted notification INVALID_MESSAGE_ID to AzureWANIP:500

    2019:07:07-05:05:35 utm pluto[6401]: "S_REF_IpsSitAzure_0" #141: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #139 {using isakmp#140}

    2019:07:07-05:05:35 utm pluto[6401]: "S_REF_IpsSitAzure_0" #141: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag

    2019:07:07-05:05:35 utm pluto[6401]: "S_REF_IpsSitAzure_0" #141: sent QI2, IPsec SA established {ESP=>0x10b00906 <0x5a762f83}

    2019:07:07-05:05:35 utm pluto[6401]: "S_REF_IpsSitAzure_0" #141: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag

    2019:07:07-05:05:35 utm pluto[6401]: "S_REF_IpsSitAzure_0" #141: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)

    2019:07:07-05:05:35 utm pluto[6401]: "S_REF_IpsSitAzure_0" #141: sending encrypted notification INVALID_PAYLOAD_TYPE to AzureWANIP:500

    2019:07:07-05:05:37 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)

    2019:07:07-05:05:37 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: sending encrypted notification INVALID_MESSAGE_ID to AzureWANIP:500

    2019:07:07-05:05:44 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)

    2019:07:07-05:05:44 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: sending encrypted notification INVALID_MESSAGE_ID to AzureWANIP:500

    2019:07:07-05:05:59 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)

    2019:07:07-05:05:59 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: sending encrypted notification INVALID_MESSAGE_ID to AzureWANIP:500

    2019:07:07-05:06:14 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)

    2019:07:07-05:06:14 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: sending encrypted notification INVALID_MESSAGE_ID to AzureWANIP:500

    2019:07:07-05:06:29 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: received Delete SA payload: replace IPSEC State #141 in 10 seconds

    2019:07:07-05:06:29 utm pluto[6401]: packet from AzureWANIP:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]

    2019:07:07-05:06:29 utm pluto[6401]: packet from AzureWANIP:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]

    2019:07:07-05:06:29 utm pluto[6401]: packet from AzureWANIP:500: ignoring Vendor ID payload [RFC 3947]

    2019:07:07-05:06:29 utm pluto[6401]: packet from AzureWANIP:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]

    2019:07:07-05:06:29 utm pluto[6401]: packet from AzureWANIP:500: ignoring Vendor ID payload [FRAGMENTATION]

    2019:07:07-05:06:29 utm pluto[6401]: packet from AzureWANIP:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]

    2019:07:07-05:06:29 utm pluto[6401]: packet from AzureWANIP:500: ignoring Vendor ID payload [Vid-Initial-Contact]

    2019:07:07-05:06:29 utm pluto[6401]: packet from AzureWANIP:500: ignoring Vendor ID payload [IKE CGA version 1]

    2019:07:07-05:06:29 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: responding to Main Mode

    2019:07:07-05:06:29 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: received Delete SA payload: deleting ISAKMP State #140

    2019:07:07-05:06:29 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: Peer ID is ID_IPV4_ADDR: 'AzureWANIP'

    2019:07:07-05:06:29 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: sent MR3, ISAKMP SA established

    2019:07:07-05:06:29 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: cannot respond to IPsec SA request because no connection is known for 192.168.0.0/16===LocalWANIP[LocalWANIP]...AzureWANIP[AzureWANIP]===10.4.0.0/16

    2019:07:07-05:06:29 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: sending encrypted notification INVALID_ID_INFORMATION to AzureWANIP:500

    2019:07:07-05:06:30 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)

    2019:07:07-05:06:30 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: sending encrypted notification INVALID_MESSAGE_ID to AzureWANIP:500

    2019:07:07-05:06:31 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)

    2019:07:07-05:06:31 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: sending encrypted notification INVALID_MESSAGE_ID to AzureWANIP:500

    2019:07:07-05:06:34 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)

    2019:07:07-05:06:34 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: sending encrypted notification INVALID_MESSAGE_ID to AzureWANIP:500

    2019:07:07-05:06:39 utm pluto[6401]: "S_REF_IpsSitAzure_0" #143: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #141 {using isakmp#142}

    2019:07:07-05:06:39 utm pluto[6401]: "S_REF_IpsSitAzure_0" #143: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag