Date: Wed, 11 Apr 2012 22:42:18 -0400 > From: Kevin VPN <[email protected]> > Subject: Re: [vpn-help] Problem with Phase 2 SA lifetime rekeying > between ShrewSoft 2.1.7 and Cisco IOS > To: [email protected] > Message-ID: <[email protected]> > Content-Type: text/plain; charset="ISO-8859-1"; format=flowed > > On 04/11/2012 12:28 PM, Mark A. Sibert wrote: > > Has anyone figured out the cause of this problem and/or a solution to it? > > > > My connection drops briefly every 48 minutes. It appears it's the > > same issue as described here - the SA expires and Shrew does > > re-establish the connection automatically, but traffic stops for maybe > > 30 seconds during the process. Long enough to terminate the > > connections for some of the programs I'm running. > > > > Cisco AnyConnect works fine, but doesn't allow me to do split > > tunneling like Shrew does. I'm running 2.2.0-beta-2. > > > > Thanks! > > > > - Mark > > > > > > On Mon, 21 Mar 2011 02:25:51 +0200 > > "Nikolaj Griscenko"<n.griscenko at gmail.com> wrote: > > > >> > >> I have encountered a problem I can't solve. The connection between > >> shrewsoft 2.1.7 client (Win 7 x64) and Cisco 2811 router (12.4.(3g) > >> IOS) is established normally and traffic passes ok, but when phase 2 > >> security association life-time expires - shrewsoft can't renegotiate > >> a new SA with Cisco and former SA is deleted. I checked the SA > >> parameter both on Cisco and Shrewsoft and tried different SA values, > >> but no luck. I also attach my trace files. What could be the problem? > >> Could it be a software bug? Thanks. > >> > > > > Hi Nikolaj, > > > > I looked at your ike trace and it does look like the Phase 2 > > re-negotiation is failing. I can see a bunch of phase2 resends: > > > > 11/03/21 01:50:21 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> > > X.X.X.X:4500 > > 11/03/21 01:50:21 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> > > X.X.X.X:4500 > > 11/03/21 01:50:26 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> > > X.X.X.X:4500 > > 11/03/21 01:50:26 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> > > X.X.X.X:4500 > > > > Unfortunately, the log doesn't suggest (to me at least) any reason why > > the phase2 packets aren't going through. If you checked that the Phase > > 2 SA lifetime parameter was the same in the Shrew client and the Cisco, > > Phase 2 re-negotiation should occur many times because your Phase 1 > > lifetime is 86400 seconds (vs 300 seconds for Phase 2). > > > > Perhaps someone with more experience with Cisco can help? I know > > there's some settings regarding Cisco compatible vendor IDs, but I > > don't know what they do. > > > > Hi Mark, > > My observation of Shrew's behaviour is that it actually tries to setup a > new SA *before* the old one expires. If you look in the Trace Utility > at the SA tab close the the expiry time, you may find that there's two > SAs, the old one with status DYING and a new one. > > I've sometimes seen that one end of the tunnel switches to the new SA > before the other end, so you end up with a strange situation of bytes in > one direction using one SA and bytes in the other direction using the > other SA. > > Perhaps there is a problem with this process. Either the Cisco does not > allow two concurrent SAs, so Shrew has to wait until the first SA has > completely died before starting the re-negotiation, or the Cisco balks > at the "split-SA" condition and drops packets that Shrew sends over the > new SA before the Cisco has switched to it? > >
I agree with your observation. Shrew appears to be setting up a new SA before the old one expires, which seems like a reasonable thing to do. There's definitely something weird going on with the transition to the new SA, though. As far as I can tell, Cisco Anyconnect doesn't have a trace utility that can be used to compare the behavior. I've played around with a bunch of the configuration settings, none of which helped. - Mark
_______________________________________________ vpn-help mailing list [email protected] http://lists.shrew.net/mailman/listinfo/vpn-help
