
Issue with Avaya 9611 VPN phone and IPSEC connection dropping

Hello,

We have been having random drops for a user using an Avaya 9611 VPN phone connecting via IPsec remote access. Sometimes when the phone drops, he will get "VPN Tunnel failure".

The user is using a Netgear C6300 router with Xfinity as his ISP. He has opened all of the needed ports and even placed his phone in his DMZ. SIP ALG is open and the router is set to allow Internet ICMP packets. Below is our configuration for the IPsec policy:

Name: VPNPHONE
IKE encryption: 3DES
IKE authentication: SHA1
IKE SA lifetime: 7800
IKE DH group: group 2 MODP 1024
IPsec encryption: 3DES
IPsec authentication: SHA1
IPsec SA lifetime: 3600
IPsec PFS group: group 2 MODP 1024
Strict policy: no
Compression: no

IPsec remote access rule:
Interface: External (WAN)
Local networks: LAN where IPO resides /24
Virtual IP pool: VPN Pool (IPSEC)
Policy: VPNPHONE
Authentication type: PSK
Enable XAUTH: yes
Allowed users: user1


I have attached an excerpt from the firewall log of last night/today. I thought I had it working until another disconnect happened today. Any help is appreciated, thank you.


/var/log/ipsec.log:2017:05:03-10:17:07 usafirewall1-1[32494]: "D_REF_IpsRoaVpnphone_0"[44] yy.yy.yyy.yyy:4500 #16984: IPsec SA expired (LATEST!)
/var/log/ipsec.log:2017:05:03-10:17:07 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[44] yy.yy.yyy.yyy:4500 #16984: IPsec SA expired (LATEST!)
/var/log/ipsec.log:2017:05:03-10:17:07 usafirewall1-1[32494]: "D_REF_IpsRoaVpnphone_0"[44] yy.yy.yyy.yyy:4500: deleting connection "D_REF_IpsRoaVpnphone_0"[44] instance with peer yy.yy.yyy.yyy {isakmp=#0/ipsec=#0}
/var/log/ipsec.log:2017:05:03-10:17:07 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[44] yy.yy.yyy.yyy:4500: deleting connection "D_REF_IpsRoaVpnphone_0"[44] instance with peer yy.yy.yyy.yyy {isakmp=#0/ipsec=#0}
/var/log/ipsec.log:2017:05:03-10:18:41 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[45] yy.yy.yyy.yyy:4500 #17417: responding to Main Mode from unknown peer yy.yy.yyy.yyy:4500
/var/log/ipsec.log:2017:05:03-10:18:41 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[45] yy.yy.yyy.yyy:4500 #17417: peer requested 432000 seconds which exceeds our limit 86400 seconds
/var/log/ipsec.log:2017:05:03-10:18:41 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[45] yy.yy.yyy.yyy:4500 #17417: lifetime reduced to 86400 seconds (todo: IPSEC_RESPONDER_LIFETIME notification)
/var/log/ipsec.log:2017:05:03-10:18:42 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[45] yy.yy.yyy.yyy:4500 #17417: NAT-Traversal: Result using RFC 3947: peer is NATed
/var/log/ipsec.log:2017:05:03-10:18:42 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[45] yy.yy.yyy.yyy:4500 #17417: Peer ID is ID_USER_FQDN: 'VPNPHONE'
/var/log/ipsec.log:2017:05:03-10:18:42 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[46] yy.yy.yyy.yyy:4500 #17417: deleting connection "D_REF_IpsRoaVpnphone_0"[45] instance with peer yy.yy.yyy.yyy {isakmp=#0/ipsec=#0}
/var/log/ipsec.log:2017:05:03-10:18:42 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[46] yy.yy.yyy.yyy:4500 #17417: sent MR3, ISAKMP SA established
/var/log/ipsec.log:2017:05:03-10:18:42 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[46] yy.yy.yyy.yyy:4500 #17417: sending XAUTH request
/var/log/ipsec.log:2017:05:03-10:18:42 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[46] yy.yy.yyy.yyy:4500 #17417: parsing XAUTH reply
/var/log/ipsec.log:2017:05:03-10:18:42 usafirewall1-1[22520]: "D_REF_IpsRoaVpnphone_0"[46] yy.yy.yyy.yyy:4500 #17417: extended authentication was successful
/var/log/ipsec.log:2017:05:03-10:18:42 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[46] yy.yy.yyy.yyy:4500 #17417: sending XAUTH status
/var/log/ipsec.log:2017:05:03-10:18:42 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[46] yy.yy.yyy.yyy:4500 #17417: parsing XAUTH ack
/var/log/ipsec.log:2017:05:03-10:18:42 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[46] yy.yy.yyy.yyy:4500 #17417: received XAUTH ack, established
/var/log/ipsec.log:2017:05:03-10:18:42 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[46] yy.yy.yyy.yyy:4500 #17417: parsing ModeCfg request
/var/log/ipsec.log:2017:05:03-10:18:42 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[46] yy.yy.yyy.yyy:4500 #17417: peer requested virtual IP 10.242.4.1
/var/log/ipsec.log:2017:05:03-10:18:42 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[46] yy.yy.yyy.yyy:4500 #17417: assigning virtual IP 10.242.4.1 to peer
/var/log/ipsec.log:2017:05:03-10:18:42 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[46] yy.yy.yyy.yyy:4500 #17417: sending ModeCfg reply
/var/log/ipsec.log:2017:05:03-10:18:42 usafirewall1-1[32494]: "D_REF_IpsRoaVpnphone_0"[46] yy.yy.yyy.yyy:4500: deleting connection "D_REF_IpsRoaVpnphone_0"[46] instance with peer yy.yy.yyy.yyy {isakmp=#0/ipsec=#0}
/var/log/ipsec.log:2017:05:03-10:18:42 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[46] yy.yy.yyy.yyy:4500 #17417: sent ModeCfg reply, established
/var/log/ipsec.log:2017:05:03-10:18:43 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[46] yy.yy.yyy.yyy:4500 #17417: ignoring informational payload, type IPSEC_INITIAL_CONTACT
/var/log/ipsec.log:2017:05:03-10:18:43 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[46] yy.yy.yyy.yyy:4500 #17418: responding to Quick Mode
/var/log/ipsec.log:2017:05:03-10:18:44 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[46] yy.yy.yyy.yyy:4500 #17418: IPsec SA established {ESP=>0xf4ea9139 <0x6e6fade3 NATOA=0.0.0.0}
/var/log/ipsec.log:2017:05:03-10:24:14 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17454: responding to Main Mode from unknown peer xxx.x.xxx.xx:4500
/var/log/ipsec.log:2017:05:03-10:24:14 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17454: peer requested 432000 seconds which exceeds our limit 86400 seconds
/var/log/ipsec.log:2017:05:03-10:24:14 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17454: lifetime reduced to 86400 seconds (todo: IPSEC_RESPONDER_LIFETIME notification)
/var/log/ipsec.log:2017:05:03-10:24:15 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17454: NAT-Traversal: Result using RFC 3947: peer is NATed
/var/log/ipsec.log:2017:05:03-10:24:15 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17454: Peer ID is ID_USER_FQDN: 'VPNPHONE'
/var/log/ipsec.log:2017:05:03-10:24:15 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17454: sent MR3, ISAKMP SA established
/var/log/ipsec.log:2017:05:03-10:24:15 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17454: sending XAUTH request
/var/log/ipsec.log:2017:05:03-10:24:15 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17454: parsing XAUTH reply
/var/log/ipsec.log:2017:05:03-10:24:15 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17454: extended authentication was successful
/var/log/ipsec.log:2017:05:03-10:24:15 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17454: sending XAUTH status
/var/log/ipsec.log:2017:05:03-10:24:15 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17454: parsing XAUTH ack
/var/log/ipsec.log:2017:05:03-10:24:15 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17454: received XAUTH ack, established
/var/log/ipsec.log:2017:05:03-10:24:15 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17454: parsing ModeCfg request
/var/log/ipsec.log:2017:05:03-10:24:15 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17454: peer requested virtual IP 10.242.4.3
/var/log/ipsec.log:2017:05:03-10:24:15 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17454: assigning virtual IP 10.242.4.3 to peer
/var/log/ipsec.log:2017:05:03-10:24:15 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17454: sending ModeCfg reply
/var/log/ipsec.log:2017:05:03-10:24:15 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17454: sent ModeCfg reply, established
/var/log/ipsec.log:2017:05:03-10:24:16 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17454: ignoring informational payload, type IPSEC_INITIAL_CONTACT
/var/log/ipsec.log:2017:05:03-10:24:16 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17455: responding to Quick Mode
/var/log/ipsec.log:2017:05:03-10:24:16 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17455: IPsec SA established {ESP=>0xa7690b43 <0x2a64f68d NATOA=0.0.0.0}
/var/log/ipsec.log:2017:05:03-10:44:07 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17573: responding to Main Mode from unknown peer xxx.x.xxx.xx:4500
/var/log/ipsec.log:2017:05:03-10:44:07 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17573: peer requested 432000 seconds which exceeds our limit 86400 seconds
/var/log/ipsec.log:2017:05:03-10:44:07 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17573: lifetime reduced to 86400 seconds (todo: IPSEC_RESPONDER_LIFETIME notification)
/var/log/ipsec.log:2017:05:03-10:44:08 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17573: NAT-Traversal: Result using RFC 3947: peer is NATed
/var/log/ipsec.log:2017:05:03-10:44:08 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17573: Peer ID is ID_USER_FQDN: 'VPNPHONE'
/var/log/ipsec.log:2017:05:03-10:44:08 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17573: sent MR3, ISAKMP SA established
/var/log/ipsec.log:2017:05:03-10:44:08 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17573: sending XAUTH request
/var/log/ipsec.log:2017:05:03-10:44:18 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17573: parsing XAUTH reply
/var/log/ipsec.log:2017:05:03-10:44:18 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17573: extended authentication was successful
/var/log/ipsec.log:2017:05:03-10:44:18 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17573: sending XAUTH status
/var/log/ipsec.log:2017:05:03-10:44:18 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17573: parsing XAUTH ack
/var/log/ipsec.log:2017:05:03-10:44:18 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17573: received XAUTH ack, established
/var/log/ipsec.log:2017:05:03-10:44:18 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17573: parsing ModeCfg request
/var/log/ipsec.log:2017:05:03-10:44:18 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17573: peer requested virtual IP 10.242.4.3
/var/log/ipsec.log:2017:05:03-10:44:18 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17573: assigning virtual IP 10.242.4.3 to peer
/var/log/ipsec.log:2017:05:03-10:44:18 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17573: sending ModeCfg reply
/var/log/ipsec.log:2017:05:03-10:44:18 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17573: sent ModeCfg reply, established
/var/log/ipsec.log:2017:05:03-10:44:19 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17573: ignoring informational payload, type IPSEC_INITIAL_CONTACT
/var/log/ipsec.log:2017:05:03-10:44:19 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17575: responding to Quick Mode
/var/log/ipsec.log:2017:05:03-10:44:19 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17575: IPsec SA established {ESP=>0xade45e4e <0x877b7d5e NATOA=0.0.0.0}
/var/log/ipsec.log:2017:05:03-11:09:07 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17726: responding to Main Mode from unknown peer xxx.x.xxx.xx:4500
/var/log/ipsec.log:2017:05:03-11:09:07 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17726: peer requested 432000 seconds which exceeds our limit 86400 seconds
/var/log/ipsec.log:2017:05:03-11:09:07 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17726: lifetime reduced to 86400 seconds (todo: IPSEC_RESPONDER_LIFETIME notification)
/var/log/ipsec.log:2017:05:03-11:09:07 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17726: ignoring informational payload, type INVALID_COOKIE
/var/log/ipsec.log:2017:05:03-11:09:08 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17727: responding to Main Mode from unknown peer xxx.x.xxx.xx:4500
/var/log/ipsec.log:2017:05:03-11:09:08 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17727: peer requested 432000 seconds which exceeds our limit 86400 seconds
/var/log/ipsec.log:2017:05:03-11:09:08 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17727: lifetime reduced to 86400 seconds (todo: IPSEC_RESPONDER_LIFETIME notification)
/var/log/ipsec.log:2017:05:03-11:09:09 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17727: NAT-Traversal: Result using RFC 3947: peer is NATed
/var/log/ipsec.log:2017:05:03-11:09:09 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17727: Peer ID is ID_USER_FQDN: 'VPNPHONE'
/var/log/ipsec.log:2017:05:03-11:09:09 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17727: sent MR3, ISAKMP SA established
/var/log/ipsec.log:2017:05:03-11:09:09 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17727: sending XAUTH request
/var/log/ipsec.log:2017:05:03-11:09:09 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17727: parsing XAUTH reply
/var/log/ipsec.log:2017:05:03-11:09:09 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17727: extended authentication was successful
/var/log/ipsec.log:2017:05:03-11:09:09 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17727: sending XAUTH status
/var/log/ipsec.log:2017:05:03-11:09:09 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17727: parsing XAUTH ack
/var/log/ipsec.log:2017:05:03-11:09:09 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17727: received XAUTH ack, established
/var/log/ipsec.log:2017:05:03-11:09:09 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17727: parsing ModeCfg request
/var/log/ipsec.log:2017:05:03-11:09:09 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17727: peer requested virtual IP 10.242.4.3
/var/log/ipsec.log:2017:05:03-11:09:09 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17727: assigning virtual IP 10.242.4.3 to peer
/var/log/ipsec.log:2017:05:03-11:09:09 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17727: sending ModeCfg reply
/var/log/ipsec.log:2017:05:03-11:09:09 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17727: sent ModeCfg reply, established
/var/log/ipsec.log:2017:05:03-11:09:10 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17727: ignoring informational payload, type IPSEC_INITIAL_CONTACT
/var/log/ipsec.log:2017:05:03-11:09:10 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17728: responding to Quick Mode
/var/log/ipsec.log:2017:05:03-11:09:10 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17728: IPsec SA established {ESP=>0x35a04ce9 <0xd4baf935 NATOA=0.0.0.0}
/var/log/ipsec.log:2017:05:03-11:09:17 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17726: ignoring informational payload, type INVALID_COOKIE
/var/log/ipsec.log:2017:05:03-11:09:37 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17726: ignoring informational payload, type INVALID_COOKIE
/var/log/ipsec.log:2017:05:03-11:10:17 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17726: max number of retransmissions (2) reached STATE_MAIN_R1
/var/log/ipsec.log:2017:05:03-11:11:10 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17743: responding to Main Mode from unknown peer xxx.x.xxx.xx:4500
/var/log/ipsec.log:2017:05:03-11:11:10 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17743: peer requested 432000 seconds which exceeds our limit 86400 seconds
/var/log/ipsec.log:2017:05:03-11:11:10 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17743: lifetime reduced to 86400 seconds (todo: IPSEC_RESPONDER_LIFETIME notification)
/var/log/ipsec.log:2017:05:03-11:11:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17743: NAT-Traversal: Result using RFC 3947: peer is NATed
/var/log/ipsec.log:2017:05:03-11:11:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17743: Peer ID is ID_USER_FQDN: 'VPNPHONE'
/var/log/ipsec.log:2017:05:03-11:11:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17743: sent MR3, ISAKMP SA established
/var/log/ipsec.log:2017:05:03-11:11:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17743: sending XAUTH request
/var/log/ipsec.log:2017:05:03-11:11:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17743: parsing XAUTH reply
/var/log/ipsec.log:2017:05:03-11:11:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17743: extended authentication was successful
/var/log/ipsec.log:2017:05:03-11:11:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17743: sending XAUTH status
/var/log/ipsec.log:2017:05:03-11:11:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17743: parsing XAUTH ack
/var/log/ipsec.log:2017:05:03-11:11:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17743: received XAUTH ack, established
/var/log/ipsec.log:2017:05:03-11:11:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17743: parsing ModeCfg request
/var/log/ipsec.log:2017:05:03-11:11:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17743: peer requested virtual IP 10.242.4.3
/var/log/ipsec.log:2017:05:03-11:11:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17743: assigning virtual IP 10.242.4.3 to peer
/var/log/ipsec.log:2017:05:03-11:11:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17743: sending ModeCfg reply
/var/log/ipsec.log:2017:05:03-11:11:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17743: sent ModeCfg reply, established
/var/log/ipsec.log:2017:05:03-11:11:12 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17743: ignoring informational payload, type IPSEC_INITIAL_CONTACT
/var/log/ipsec.log:2017:05:03-11:11:12 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17744: responding to Quick Mode
/var/log/ipsec.log:2017:05:03-11:11:12 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17744: IPsec SA established {ESP=>0xa68a1471 <0xed22d20b NATOA=0.0.0.0}
/var/log/ipsec.log:2017:05:03-11:14:14 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[46] yy.yy.yyy.yyy:4500 #17762: initiating Quick Mode ENCRYPT+TUNNEL+PFS+XAUTHPSK+XAUTHSERVER to replace #17418 {using isakmp#17417}
/var/log/ipsec.log:2017:05:03-11:14:14 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[46] yy.yy.yyy.yyy:4500 #17762: sent QI2, IPsec SA established {ESP=>0xc7c3fff0 <0x2a5e5e72 NATOA=0.0.0.0}
/var/log/ipsec.log:2017:05:03-11:15:10 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17769: responding to Main Mode from unknown peer xxx.x.xxx.xx:4500
/var/log/ipsec.log:2017:05:03-11:15:10 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17769: peer requested 432000 seconds which exceeds our limit 86400 seconds
/var/log/ipsec.log:2017:05:03-11:15:10 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17769: lifetime reduced to 86400 seconds (todo: IPSEC_RESPONDER_LIFETIME notification)
/var/log/ipsec.log:2017:05:03-11:15:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17769: NAT-Traversal: Result using RFC 3947: peer is NATed
/var/log/ipsec.log:2017:05:03-11:15:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17769: Peer ID is ID_USER_FQDN: 'VPNPHONE'
/var/log/ipsec.log:2017:05:03-11:15:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17769: sent MR3, ISAKMP SA established
/var/log/ipsec.log:2017:05:03-11:15:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17769: sending XAUTH request
/var/log/ipsec.log:2017:05:03-11:15:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17769: parsing XAUTH reply
/var/log/ipsec.log:2017:05:03-11:15:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17769: extended authentication was successful
/var/log/ipsec.log:2017:05:03-11:15:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17769: sending XAUTH status
/var/log/ipsec.log:2017:05:03-11:15:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17769: parsing XAUTH ack
/var/log/ipsec.log:2017:05:03-11:15:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17769: received XAUTH ack, established
/var/log/ipsec.log:2017:05:03-11:15:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17769: parsing ModeCfg request
/var/log/ipsec.log:2017:05:03-11:15:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17769: peer requested virtual IP 10.242.4.3
/var/log/ipsec.log:2017:05:03-11:15:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17769: assigning virtual IP 10.242.4.3 to peer
/var/log/ipsec.log:2017:05:03-11:15:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17769: sending ModeCfg reply
/var/log/ipsec.log:2017:05:03-11:15:11 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17769: sent ModeCfg reply, established
/var/log/ipsec.log:2017:05:03-11:15:12 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17769: ignoring informational payload, type IPSEC_INITIAL_CONTACT
/var/log/ipsec.log:2017:05:03-11:15:12 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17770: responding to Quick Mode
/var/log/ipsec.log:2017:05:03-11:15:13 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[29] xxx.x.xxx.xx:4500 #17770: IPsec SA established {ESP=>0x58b4a163 <0x281ae933 NATOA=0.0.0.0}
/var/log/ipsec.log:2017:05:03-11:18:44 usafirewall1-2[22520]: "D_REF_IpsRoaVpnphone_0"[46] yy.yy.yyy.yyy:4500 #17417: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xf4ea9139) not found (maybe expired)
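As an added triage example (this is not code from the post, from Sophos or from Avaya), here is a small Python parser for the pluto-style lines shown in the excerpt above. It tallies, per remote peer, the events that matter for a "tunnel drops, then renegotiates" complaint: the peer proposing a longer ISAKMP lifetime than the responder allows, "IPsec SA expired" teardowns, full Main Mode restarts versus "initiating Quick Mode ... to replace" rekeys, INVALID_COOKIE retransmission failures and stale Delete-SA payloads. The sample lines are constructed from the shapes in the excerpt with documentation IP addresses; the two lifetime constants are taken from the posted VPNPHONE policy, and the hostname `fw[1]` is a placeholder.

```python
"""Triage helper for Openswan/pluto-style IPsec logs such as the Sophos UTM
/var/log/ipsec.log excerpt in the post.  Added example, not vendor code."""
import re
from collections import defaultdict
from datetime import datetime

# Responder-side lifetimes as posted for policy VPNPHONE.  The 86400 s figure
# in the log is the daemon's hard cap on what a peer may propose, not the
# policy value the responder actually rekeys at.
FIREWALL_IKE_LIFETIME = 7800
FIREWALL_IPSEC_LIFETIME = 3600

# Constructed sample (shapes copied from the excerpt, IPs from RFC 5737 ranges).
SAMPLE_LOG = """\
2017:05:03-10:17:07 fw[1]: "D_REF_IpsRoaVpnphone_0"[44] 198.51.100.7:4500 #16984: IPsec SA expired (LATEST!)
2017:05:03-10:17:07 fw[1]: "D_REF_IpsRoaVpnphone_0"[44] 198.51.100.7:4500: deleting connection "D_REF_IpsRoaVpnphone_0"[44] instance with peer 198.51.100.7 {isakmp=#0/ipsec=#0}
2017:05:03-10:18:41 fw[1]: "D_REF_IpsRoaVpnphone_0"[45] 198.51.100.7:4500 #17417: responding to Main Mode from unknown peer 198.51.100.7:4500
2017:05:03-10:18:41 fw[1]: "D_REF_IpsRoaVpnphone_0"[45] 198.51.100.7:4500 #17417: peer requested 432000 seconds which exceeds our limit 86400 seconds
2017:05:03-10:18:44 fw[1]: "D_REF_IpsRoaVpnphone_0"[46] 198.51.100.7:4500 #17418: IPsec SA established {ESP=>0xf4ea9139 <0x6e6fade3 NATOA=0.0.0.0}
2017:05:03-11:09:07 fw[1]: "D_REF_IpsRoaVpnphone_0"[29] 203.0.113.9:4500 #17726: ignoring informational payload, type INVALID_COOKIE
2017:05:03-11:10:17 fw[1]: "D_REF_IpsRoaVpnphone_0"[29] 203.0.113.9:4500 #17726: max number of retransmissions (2) reached STATE_MAIN_R1
2017:05:03-11:14:14 fw[1]: "D_REF_IpsRoaVpnphone_0"[46] 198.51.100.7:4500 #17762: initiating Quick Mode ENCRYPT+TUNNEL+PFS+XAUTHPSK+XAUTHSERVER to replace #17418 {using isakmp#17417}
2017:05:03-11:18:44 fw[1]: "D_REF_IpsRoaVpnphone_0"[46] 198.51.100.7:4500 #17417: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xf4ea9139) not found (maybe expired)
"""

# timestamp host: "conn"[instance] peer:port [#sa]: message
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+: '
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+):\d+(?: #(?P<sa>\d+))?: (?P<msg>.*)$'
)
LIFETIME_RE = re.compile(r'peer requested (\d+) seconds which exceeds our limit (\d+) seconds')
REPLACE_RE = re.compile(r'initiating Quick Mode .* to replace #(\d+)')


def parse_line(line):
    """Return a dict for one pluto log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y:%m:%d-%H:%M:%S")
    ev["sa"] = int(ev["sa"]) if ev["sa"] else None
    return ev


def analyze(log_text):
    """Count drop-relevant events per peer address."""
    per_peer = defaultdict(lambda: {
        "lifetime_requests": set(), "main_mode_restarts": 0, "ipsec_expired": 0,
        "rekeys_initiated": 0, "stale_deletes": 0, "invalid_cookie": 0,
        "retransmit_failures": 0, "established": [],
    })
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        p, msg = per_peer[ev["peer"]], ev["msg"]
        lm = LIFETIME_RE.search(msg)
        if lm:
            p["lifetime_requests"].add((int(lm.group(1)), int(lm.group(2))))
        elif msg.startswith("responding to Main Mode"):
            p["main_mode_restarts"] += 1          # fresh IKE negotiation, not a rekey
        elif msg.startswith("IPsec SA expired"):
            p["ipsec_expired"] += 1               # responder tore the child SA down
        elif REPLACE_RE.search(msg):
            p["rekeys_initiated"] += 1            # responder rekeyed before expiry
        elif msg.startswith("ignoring Delete SA payload"):
            p["stale_deletes"] += 1               # peer deleted an SA we no longer had
        elif "type INVALID_COOKIE" in msg:
            p["invalid_cookie"] += 1
        elif msg.startswith("max number of retransmissions"):
            p["retransmit_failures"] += 1
        elif msg.startswith("IPsec SA established"):
            p["established"].append(ev["ts"])
    return dict(per_peer)


def findings(report):
    """Turn the counts into human-readable triage notes."""
    out = []
    for peer, p in sorted(report.items()):
        for requested, limit in sorted(p["lifetime_requests"]):
            out.append(f"{peer}: peer proposed ISAKMP lifetime {requested}s, responder capped it "
                       f"at {limit}s (policy IKE lifetime {FIREWALL_IKE_LIFETIME}s); the '(todo: "
                       "IPSEC_RESPONDER_LIFETIME notification)' line means the peer was not told, "
                       "so it times its own rekey from the longer value")
        if p["ipsec_expired"]:
            out.append(f"{peer}: {p['ipsec_expired']} IPsec SA expiry teardown(s) "
                       f"(responder IPsec lifetime {FIREWALL_IPSEC_LIFETIME}s)")
        if p["main_mode_restarts"]:
            out.append(f"{peer}: {p['main_mode_restarts']} full Main Mode restart(s) vs "
                       f"{p['rekeys_initiated']} in-place rekey(s)")
        if p["stale_deletes"]:
            out.append(f"{peer}: {p['stale_deletes']} Delete SA for an ESP SA already gone")
        if p["retransmit_failures"] or p["invalid_cookie"]:
            out.append(f"{peer}: {p['invalid_cookie']} INVALID_COOKIE, "
                       f"{p['retransmit_failures']} retransmission give-up(s): half-open IKE state")
    return out


if __name__ == "__main__":
    for line in findings(analyze(SAMPLE_LOG)):
        print(line)
```

Run it over the real `/var/log/ipsec.log` (the script reads any text with the same line shape) and look at the ratio of Main Mode restarts to in-place rekeys per peer: a phone that keeps appearing as "responding to Main Mode from unknown peer" a minute or two after an "IPsec SA expired" line is renegotiating from scratch rather than rekeying, which is what the handset reports as a tunnel failure. The lifetime-mismatch note is the same line the moderator's reply below points at.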

  • Hi, Nick, and welcome to the UTM Community!

    A couple suggestions.  When obfuscating IPs, do something like 123.x.y.13 so that we can read the logs.  Instead of hundreds of lines from the log, try to show about 60 lines that should contain the information about the disconnection - no one is going to read through all of that to find the needle in the haystack.

    It sounds like the policies don't agree.  This may be an IPsec SA lifetime issue.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob,

    Thanks for the response. After looking at this some more it seems as though it has something to do with the NAT deleting itself.


    2017:05:07-10:12:48 usafw[22520]: | NAT-T: new mapping 123.2.15.62:2070/4500)
    2017:05:07-10:12:48 usafw[22520]: "D_REF_IpsRoaVpnphone_0"[189] 123.2.15.62:4500 #62394: Peer ID is ID_USER_FQDN: 'VPNPHONE'
    2017:05:07-10:12:48 usafw[22520]: "D_REF_IpsRoaVpnphone_0"[190] 123.2.15.62:4500 #62394: deleting connection "D_REF_IpsRoaVpnphone_0"[189] instance with peer 123.2.15.62 {isakmp=#0/ipsec=#0}

  • From that, we see that the connection is deleted, Nick, but we don't see what went before that caused this.  The thing that made me think you need to check the IPsec policy in the phone was the "peer requested 432000 seconds which exceeds our limit 86400 seconds" message.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA