On 04/11/2012 12:28 PM, Mark A. Sibert wrote:
Has anyone figured out the cause of this problem and/or a solution to it?

My connection drops briefly every 48 minutes.  It appears it's the
same issue as described here - the SA expires and Shrew does
re-establish the connection automatically, but traffic stops for maybe
30 seconds during the process.  Long enough to terminate the
connections for some of the programs I'm running.

Cisco AnyConnect works fine, but doesn't allow me to do split
tunneling like Shrew does.  I'm running 2.2.0-beta-2.

Thanks!

- Mark


On Mon, 21 Mar 2011 02:25:51 +0200
"Nikolaj Griscenko" <n.griscenko at gmail.com> wrote:


I have encountered a problem I can't solve. The connection between
shrewsoft 2.1.7 client (Win 7 x64) and Cisco 2811 router (12.4.(3g)
IOS) is established normally and traffic passes ok, but when phase 2
security association life-time expires - shrewsoft can't renegotiate
a new SA with Cisco and former SA is deleted. I checked the SA
parameter both on Cisco and Shrewsoft and tried different SA values,
but no luck. I also attach my trace files. What could be the problem?
Could it be a software bug? Thanks.


Hi Nikolaj,

I looked at your ike trace and it does look like the Phase 2
re-negotiation is failing.  I can see a bunch of phase2 resends:

11/03/21 01:50:21 ->  : resend 1 phase2 packet(s) 192.168.0.125:4500 ->
X.X.X.X:4500
11/03/21 01:50:21 ->  : resend 1 phase2 packet(s) 192.168.0.125:4500 ->
X.X.X.X:4500
11/03/21 01:50:26 ->  : resend 1 phase2 packet(s) 192.168.0.125:4500 ->
X.X.X.X:4500
11/03/21 01:50:26 ->  : resend 1 phase2 packet(s) 192.168.0.125:4500 ->
X.X.X.X:4500

Unfortunately, the log doesn't suggest (to me at least) any reason why
the phase2 packets aren't going through.  If you checked that the Phase
2 SA lifetime parameter was the same in the Shrew client and the Cisco,
Phase 2 re-negotiation should occur many times because your Phase 1
lifetime is 86400 seconds (vs 300 seconds for Phase 2).

Perhaps someone with more experience with Cisco can help?  I know
there are some settings regarding Cisco compatible vendor IDs, but I
don't know what they do.
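An added helper for reading a trace like the one quoted above (not code from the thread or from the Shrew Soft project): it picks out the phase2 resend lines, groups them into bursts, and reports the burst spacing so it can be compared with the configured Phase 2 lifetime. The trace excerpt inside it is constructed for the example; only the resend line format is taken from the log quoted in this thread, and the 60-second burst gap and 3-resend threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed trace excerpt: the four resend lines quoted in the thread plus
# one later phase2 resend and one phase1 resend (the latter must be ignored).
SAMPLE_TRACE = """\
11/03/21 01:50:21 ->  : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
11/03/21 01:50:21 ->  : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
11/03/21 01:50:26 ->  : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
11/03/21 01:50:26 ->  : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
11/03/21 01:55:26 ->  : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
11/03/21 01:55:30 ->  : resend 1 phase1 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
"""

# Shape of the resend lines as quoted in the thread: YY/MM/DD HH:MM:SS timestamp,
# packet count, phase number, and source -> destination endpoints.
RESEND_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) ->\s+: resend (?P<n>\d+) "
    r"phase(?P<phase>[12]) packet\(s\) (?P<src>\S+) -> (?P<dst>\S+)$"
)

def parse_resends(lines, phase="2"):
    """Yield (timestamp, packet count, peer) for every resend line of the given phase."""
    for line in lines:
        m = RESEND_RE.match(line.strip())
        if m and m.group("phase") == phase:
            ts = datetime.strptime(m.group("ts"), "%y/%m/%d %H:%M:%S")
            yield ts, int(m.group("n")), m.group("dst")

def find_resend_bursts(lines, gap_seconds=60):
    """Group phase2 resends to the same peer into bursts (assumed gap: 60 s)."""
    bursts = []
    for ts, n, peer in parse_resends(lines):
        last = bursts[-1] if bursts else None
        if last and last["peer"] == peer and (ts - last["end"]).total_seconds() <= gap_seconds:
            last["end"], last["resends"] = ts, last["resends"] + n
        else:
            bursts.append({"start": ts, "end": ts, "resends": n, "peer": peer})
    return bursts

def failed_rekeys(bursts, min_resends=3):
    """Bursts with this many retransmissions are treated as a failed Phase 2 renegotiation."""
    return [b for b in bursts if b["resends"] >= min_resends]

def burst_intervals(bursts):
    """Seconds between successive burst starts; compare with the Phase 2 lifetime (300 s here)."""
    return [(b["start"] - a["start"]).total_seconds() for a, b in zip(bursts, bursts[1:])]

if __name__ == "__main__":
    found = find_resend_bursts(SAMPLE_TRACE.splitlines())
    for b in found:
        print(f"{b['start']:%H:%M:%S}-{b['end']:%H:%M:%S} peer={b['peer']} resends={b['resends']}")
    print("failed rekeys:", len(failed_rekeys(found)), "intervals:", burst_intervals(found))
```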


Hi Mark,

My observation of Shrew's behaviour is that it actually tries to set up a new SA *before* the old one expires. If you look in the Trace Utility at the SA tab close to the expiry time, you may find that there are two SAs, the old one with status DYING and a new one.

I've sometimes seen that one end of the tunnel switches to the new SA before the other end, so you end up with a strange situation of bytes in one direction using one SA and bytes in the other direction using the other SA.

Perhaps there is a problem with this process. Either the Cisco does not allow two concurrent SAs, so Shrew has to wait until the first SA has completely died before starting the re-negotiation, or the Cisco balks at the "split-SA" condition and drops packets that Shrew sends over the new SA before the Cisco has switched to it?
_______________________________________________
vpn-help mailing list
http://lists.shrew.net/mailman/listinfo/vpn-help