Hi Matthew,
Could you please help me a little bit?
I am stuck creating a dialup VPN with an SRX220 cluster. Phase 1 and 2 go fine,
and after a few successful SA key changes the connection breaks.
It seems that our Shrew client tries to reauthenticate the already logged-in
user and loses the SA after that. See the log from the SRX220 below.
Do you have any thoughts about this?
Thank you and best,
Tamas Uracs
1.1.1.1: Shrew 2.1.7
2.2.2.2: SRX 220 cluster
Feb 1 15:29:53 ike_sa_find_half: Not found half SA = { 3f42e50f 80cd21b2 -
00000000 00000000 }
Feb 1 15:29:53 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f
80cd21b2 - 7775a279 0f399152 } / 5f0f7631, remote = 1.1.1.1:2726
Feb 1 15:29:53 unknown (unknown) <-> unknown { unknown [unknown] / unknown }
unknown; Packet to unknown Isakmp SA, ip = 1.1.1.1:2726
Feb 1 15:29:56 ike_retransmit_callback: Start, retransmit SA = { e745b337
b7895475 - 8ede6b29 1a2b4c81}, nego = 2
Feb 1 15:29:56 ike_retransmit_callback: Isakmp SA has been marked as deleted
Feb 1 15:29:56 2.2.2.2:0 (Initiator) <-> 1.1.1.1:2726 { e745b337 b7895475 -
8ede6b29 1a2b4c81 [2] / 0x3b22e311 } CFG; Error = Timeout (8197)
Feb 1 15:29:56 ike_send_notify: Private notification, do not send notification
Feb 1 15:29:56 ike_delete_negotiation: Start, SA = { e745b337 b7895475 -
8ede6b29 1a2b4c81}, nego = 2
Feb 1 15:29:56 ike_free_negotiation_cfg: Start, nego = 2
Feb 1 15:29:56 ike_free_negotiation: Start, nego = 2
Feb 1 15:30:04 ike_state_restart_packet: Start, restart packet SA = { 1b1eb4a5
3c38975e - cff216d1 79bfcefb}, nego = 1
Feb 1 15:30:04 ike_st_o_qm_done: Quick Mode negotiation done
Feb 1 15:30:04 ike_send_notify: Connected, SA = { 1b1eb4a5 3c38975e - cff216d1
79bfcefb}, nego = 1
Feb 1 15:30:04 ike_delete_negotiation: Start, SA = { 1b1eb4a5 3c38975e -
cff216d1 79bfcefb}, nego = 1
Feb 1 15:30:04 ike_free_negotiation_qm: Start, nego = 1
Feb 1 15:30:04 ike_free_negotiation: Start, nego = 1
Feb 1 15:30:04 ike_free_id_payload: Start, id type = 4
Feb 1 15:30:04 ike_free_id_payload: Start, id type = 4
Feb 1 15:30:04 ike_free_id_payload: Start, id type = 4
Feb 1 15:30:04 ike_free_id_payload: Start, id type = 4
Feb 1 15:30:08 ike_get_sa: Start, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152
} / 5f30985a, remote = 1.1.1.1:2726
Feb 1 15:30:08 ike_sa_find_half: Not found half SA = { 3f42e50f 80cd21b2 -
00000000 00000000 }
Feb 1 15:30:08 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f
80cd21b2 - 7775a279 0f399152 } / 5f30985a, remote = 1.1.1.1:2726
Feb 1 15:30:08 unknown (unknown) <-> unknown { unknown [unknown] / unknown }
unknown; Packet to unknown Isakmp SA, ip = 1.1.1.1:2726
Feb 1 15:30:12 ike_get_sa: Start, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152
} / a6525a3e, remote = 1.1.1.1:2726
Feb 1 15:30:12 ike_sa_find_half: Not found half SA = { 3f42e50f 80cd21b2 -
00000000 00000000 }
Feb 1 15:30:12 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f
80cd21b2 - 7775a279 0f399152 } / a6525a3e, remote = 1.1.1.1:2726
Feb 1 15:30:12 unknown (unknown) <-> unknown { unknown [unknown] / unknown }
unknown; Packet to unknown Isakmp SA, ip = 1.1.1.1:2726
Feb 1 15:30:15 ike_get_sa: Start, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152
} / 622d9826, remote = 1.1.1.1:2726
Feb 1 15:30:15 ike_sa_find_half: Not found half SA = { 3f42e50f 80cd21b2 -
00000000 00000000 }
Feb 1 15:30:15 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f
80cd21b2 - 7775a279 0f399152 } / 622d9826, remote = 1.1.1.1:2726
Feb 1 15:30:15 unknown (unknown) <-> unknown { unknown [unknown] / unknown }
unknown; Packet to unknown Isakmp SA, ip = 1.1.1.1:2726
Feb 1 15:30:16 ike_state_restart_packet: Start, restart packet SA = { 3f42e50f
80cd21b2 - 7775a279 0f399152}, nego = 0
Feb 1 15:30:16 ike_st_o_cfg_done: CFG negotiation done
Feb 1 15:30:16 ike_send_notify: Connected, SA = { 3f42e50f 80cd21b2 - 7775a279
0f399152}, nego = 0
Feb 1 15:30:16 ike_delete_negotiation: Start, SA = { 3f42e50f 80cd21b2 -
7775a279 0f399152}, nego = 0
Feb 1 15:30:16 ike_free_negotiation_cfg: Start, nego = 0
Feb 1 15:30:16 ike_free_negotiation: Start, nego = 0
Feb 1 15:30:17 Deleted (spi=894670796, protocol=ESP dst=2.2.2.2) entry from
the peer hash table
Feb 1 15:30:17 Deleted (spi=894670796, protocol=ESP dst=2.2.2.2) entry from
the dynamic sa spi hash table
Feb 1 15:30:17 jnp_ike_connect_delete: Start, remote_name = 1.1.1.1:2726,
flags = 00010000
Feb 1 15:30:17 jnp_ike_create_delete_internal: Start, remote_name =
1.1.1.1:2726, flags = 00010000
Feb 1 15:30:17 jnp_ike_create_delete_internal: No isakmp sa found and connect
flags require it
Feb 1 15:30:17 Not route based VPN. Not deleting NHTB entry
Feb 1 15:30:17 In iked_ipsec_sa_pair_delete Deleting GENCFG msg with key;
Tunnel = 133955647;SPI-In = 894670796
Feb 1 15:30:17 Deleted SA pair for tunnel = 133955647 with SPI-In = 894670796
to kernel
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
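An added example, not part of the original message: a small Python triage script for an iked trace in the format shown above. It rejoins the mail-wrapped lines, groups events by IKE cookie pair, and lists SAs that logged "Invalid cookie" before they were reported as connected. The function names and event tags are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Excerpt of the trace above, kept with its mail-wrapped continuation lines.
SAMPLE = """\
Feb 1 15:29:53 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f
80cd21b2 - 7775a279 0f399152 } / 5f0f7631, remote = 1.1.1.1:2726
Feb 1 15:29:56 2.2.2.2:0 (Initiator) <-> 1.1.1.1:2726 { e745b337 b7895475 -
8ede6b29 1a2b4c81 [2] / 0x3b22e311 } CFG; Error = Timeout (8197)
Feb 1 15:30:04 ike_st_o_qm_done: Quick Mode negotiation done
Feb 1 15:30:04 ike_send_notify: Connected, SA = { 1b1eb4a5 3c38975e - cff216d1
79bfcefb}, nego = 1
Feb 1 15:30:16 ike_send_notify: Connected, SA = { 3f42e50f 80cd21b2 - 7775a279
0f399152}, nego = 0
"""

TS = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")  # a record starts with a timestamp
SA = re.compile(r"\{\s*([0-9a-f]{8})\s+([0-9a-f]{8})\s+-\s+([0-9a-f]{8})\s+([0-9a-f]{8})")
# Substring -> tag (tags are this sketch's own labels, not Junos terms).
EVENTS = {"Invalid cookie": "invalid_cookie",
          "Error = Timeout": "timeout",
          "Connected": "connected"}

def unwrap(text):
    """Join continuation lines onto the timestamped line they belong to."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def timeline(text):
    """Map 'initiator-responder' cookie pair -> ordered [(time, tag), ...]."""
    per_sa = defaultdict(list)
    for rec in unwrap(text):
        m = SA.search(rec)
        if not m:
            continue  # record carries no cookie pair
        key = f"{m[1]}{m[2]}-{m[3]}{m[4]}"
        for needle, tag in EVENTS.items():
            if needle in rec:
                per_sa[key].append((rec.split()[2], tag))
    return dict(per_sa)

def rejected_before_connected(text):
    """Cookie pairs that logged 'Invalid cookie' before 'Connected'."""
    hits = []
    for key, events in timeline(text).items():
        tags = [tag for _, tag in events]
        if "invalid_cookie" in tags and "connected" in tags \
                and tags.index("invalid_cookie") < tags.index("connected"):
            hits.append(key)
    return hits

if __name__ == "__main__":
    for sa, events in timeline(SAMPLE).items():
        print(sa, events)
    print("rejected before connected:", rejected_before_connected(SAMPLE))
```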