RV082 & BEFVP41 VPN drops every 5 minutes

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by chimpo, Jul 8, 2006.

  1. chimpo

    chimpo LI Guru Member

    I have a main office with VPN links to two houses and both tunnels drop the connection about every 5 minutes with the following error in the log.

    Informational Exchange is for an unknown (expired?) SA

    I don't really know what this means...

    All using the same ISP (Nildram UK) and on 8Mbps down/800kbps upload with fixed IP addresses DSL connections

    The main office has an RV082 and then one of the houses has another RV082 (My house) and the other a BEFVP41.

    The VPN connections are used for backup, email (Through exchange server) and importantly connection to a VOIP PBX

    Now before I bought the RV082, I had a Netgear router in the office and two VP41's.
    These worked fine most of the time, but the netgear had a bug that would make it lock up on certain HTTP websites and the VP41's about once a week would both totally lock up needing to be unplugged from the power socket. (Which is annoying as one is in a loft)

    Anyway, I have the tunnels connected gateway to gateway, PFS 3DES/MD5 group 1
    Keep alive yes, (I've tried main mode and aggressive)
    I have played around with the Phase2 SA Life Time from 3600 to 28800
    MTU is manually set to 1500 (tried 1200 on the advice of linksys, though my ISP says 1500)
    WAN port 2 is disabled
    Firmware Version: 1.3.2

    I've spoken to Linksys support, but all they seem to want to do is swap out the units, and I don't see how this will solve the problem when both the RV082's seem to have the same problems.

    They were purchased about 2 months apart from two different suppliers, so I doubt it is a batch fault.
    The other thing they have both started doing is the same as the VP41's, e.g. randomly locking up 2/3 times a week with only web access still working from the LAN side and no VPN/DHCP or web interface until a power off/on.

    Can somebody please help I am ripping my hair out in search of a solution?
    I did notice that somebody had posted with a similar error message, but nobody gave a reply....
     
  2. Toxic

    Toxic Administrator Staff Member

    Found one instance on the net of the same type error, he put it down to "i had a STUPID static route with old information that prevented my pc from seeing it work."

    Do you have any static routes that are old or not correct perhaps?

    Does the VPN log give more info on routes and IP addresses?
     
  3. chimpo

    chimpo LI Guru Member

    I am not using any static routes and haven't used any.
    It must be something I am doing wrong or something to do with my ISP or ADSL modems (Westell 6100's, similar to the Linksys ADSL2UE thing)

    I'm sure it's something simple, apart from this and the random lock ups I love the product.
     
  4. Toxic

    Toxic Administrator Staff Member

    ADSL modems should use less than 1500 for MTU.

    I would advise using SG TCP Optimizer http://www.speedguide.net/files/TCPOptimizer.exe

    Run the Largest MTU tool. Most ADSL afaik use 1492 I think, though I don't know if this would adversely affect your lockups etc.

    I'm sure once YeOldeStonecat sees this he will know the answer :)
     
  5. chimpo

    chimpo LI Guru Member

    SAMPLE LOG from the remote RV082::::

    Jul 8 21:43:58 2006 VPN Log Informational Exchange is for an unknown (expired?) SA
    Jul 8 21:43:58 2006 VPN Log Initiating Main Mode
    Jul 8 21:43:58 2006 VPN Log [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet
    Jul 8 21:44:08 2006 VPN Log Phase 1 message is part of an unknown exchange
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet
    Jul 8 21:44:08 2006 VPN Log Main mode peer ID is ID_IPV4_ADDR: '82.133.XXX.XXX'
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] Initiator Cookies = 264e 21f 3e7c 9841
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] Responder Cookies = 6131 43ca 5be7 bbc2
    Jul 8 21:44:08 2006 VPN Log initiating Quick Mode PSK+TUNNEL+PFS
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] Inbound SPI value = 8712d868
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] Outbound SPI value = a7d27550
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
    Jul 8 21:48:20 2006 VPN Log Informational Exchange is for an unknown (expired?) SA



    SAMPLE LOG from main office RV082



    Jul 8 21:43:57 2006 VPN Log received Delete SA payload: deleting IPSEC State #973
    Jul 8 21:43:57 2006 Connection Accepted UDP 84.12.XXX.XXX:500->82.133.XXX.XXX:500 on ixp1
    Jul 8 21:43:57 2006 VPN Log received Delete SA payload: deleting ISAKMP State #972
    Jul 8 21:43:57 2006 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
    Jul 8 21:43:57 2006 VPN Log [Tunnel Negotiation Info] >>> Responder Send Main Mode 2nd packet
    Jul 8 21:44:07 2006 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
    Jul 8 21:44:07 2006 VPN Log [Tunnel Negotiation Info] >>> Responder Send Main Mode 2nd packet
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 3rd packet
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] >>> Responder send Main Mode 4th packet
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 5th packet
    Jul 8 21:44:08 2006 VPN Log Main mode peer ID is ID_IPV4_ADDR: '84.12.XXX.XXX'
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] >>> Responder Send Main Mode 6th packet
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] Initiator Cookies = 264e 21f 3e7c 9841
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] Responder Cookies = 6131 43ca 5be7 bbc2
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] Inbound SPI value = a7d27550
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] Outbound SPI value = 8712d868
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] <<< Responder Received Quick Mode 3rd packet
    Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
    Jul 8 21:48:19 2006 VPN Log received Delete SA payload: deleting IPSEC State #976
    Jul 8 21:48:19 2006 Connection Accepted UDP 84.12.XXX.XXX:500->82.133.XXX.XXX:500 on ixp1
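
To put a number on the drops in the two logs above (an added example, not part of any poster's message): this Python sketch measures how long each Phase 2 SA lived before the next teardown line, using an excerpt of the main-office log lines as posted. The function names and the 3600 s threshold (the lowest Phase 2 SA Life Time mentioned in the first post) are assumptions of the example.

```python
import re
from datetime import datetime

# Excerpt of the main-office RV082 log lines posted above (timestamps as posted).
SAMPLE_LOG = """\
Jul 8 21:43:57 2006 VPN Log received Delete SA payload: deleting IPSEC State #973
Jul 8 21:43:57 2006 VPN Log received Delete SA payload: deleting ISAKMP State #972
Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Jul 8 21:44:08 2006 VPN Log [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jul 8 21:48:19 2006 VPN Log received Delete SA payload: deleting IPSEC State #976
"""

# "Mon D HH:MM:SS YYYY <message>" as written by the RV082 log viewer.
LINE = re.compile(r"^\s*(\w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) (.*)$")
UP = "Phase 2 SA Established"
# Teardown markers seen on the responder and on the initiator side respectively.
DOWN = ("received Delete SA payload: deleting IPSEC",
        "Informational Exchange is for an unknown")


def tunnel_lifetimes(log_text):
    """Return the seconds each Phase 2 SA lived before the next teardown event."""
    lifetimes, up_at = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank or unrelated line
        ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S %Y")
        msg = m.group(2)
        if UP in msg:
            up_at = ts
        elif up_at is not None and any(d in msg for d in DOWN):
            lifetimes.append(int((ts - up_at).total_seconds()))
            up_at = None  # wait for the next established tunnel
    return lifetimes


def premature(lifetimes, configured_lifetime_s):
    """Lifetimes that ended before the configured Phase 2 SA lifetime."""
    return [s for s in lifetimes if s < configured_lifetime_s]


if __name__ == "__main__":
    lived = tunnel_lifetimes(SAMPLE_LOG)
    print("SA lifetimes (s):", lived)
    print("ended before 3600 s:", premature(lived, 3600))
```

A lifetime far below the configured value means the SA was deleted rather than aged out, which is the distinction the later replies in the thread turn on.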
     
  6. Toxic

    Toxic Administrator Staff Member

  7. chimpo

    chimpo LI Guru Member

    Thanks for the advice, I've checked the MTU with that tool at both ends and it says "1500" is ok, though I have tried 1492 as well and no joy.

    I've currently got it setup as per routerworld setup 1 and I've tried pretty much changing every option at both ends and it still drops the connection for about 5-10 seconds, every 5 minutes.
    Maybe I do have a hardware fault on one of the routers, pretty strange fault though.

    The internet connection is rock solid though, that never stops working and downloads are unaffected, only the VPN dies. (Which I think pretty much rules out the modem and ISP)

    If I try to continuously ping an outside site (Say BBC.co.uk, then it's fine, but a VPN machine, it dies every 5 mins)
     
  8. Toxic

    Toxic Administrator Staff Member

    Do both VPN endpoints (not the office router) drop connections? If so this would point to the office router being the weak link, since you have two different routers outside of the office.

    Have you reset the routers at all? I know sometimes a reset will fix some issues, however this would require the setting up of the router again.

    I know you say the ADSL lines are fine, but it may be worth getting BT to check the office one for any problems.
     
  9. Toxic

    Toxic Administrator Staff Member

    You may also want to test your house RV082 with the BEFVP41 over VPN to see whether or not connections die.
     
  10. chimpo

    chimpo LI Guru Member

    Both endpoints lose the connection, only the endpoint with a RV082 seems to show any problems in the log though.... which is curious.

    I thought about swapping the two RV082's around to see what happened, but it's a pain in the A.
    Guess I will have to as there seems to be nothing obviously wrong with the setup.

    I don't think there is a problem with the line because with different hardware the connection is solid for hours at a time (Though the netgear VPN router I have randomly locks, every week or so)

    The best connection I had was with 2 BEFVP41's (the first VPN tunnel I had) but one of them died and had to be swapped out by linksys.
    This prompted me to buy the Netgear (as it had dial backup) though not only did the dial backup not work properly (Never returned back to the wan port once on dial backup) but also locked up about once a week and would totally lock up on some websites visited by LAN clients eg NME.COMs

    Ah beer :drinking: suddenly router problems seem not so important :drinking:
    But they will in the morning :cry:
     
  11. Toxic

    Toxic Administrator Staff Member

    From a web source on the net:

    "One of the two ends restarted/rebooted/crashed, and the other end was not aware and is still using the old agreed upon SA."

    I am now wondering whether your RV082 is at fault somehow. Every time the connection drops the router may be crashing or locking up. Then the SA has expired, but one end thinks it is still valid.
     
  12. Gaspiore

    Gaspiore Guest

    Problem With RV082 And BEFVP41 VPN Connections

    A FEW DAYS AGO MY VPN BETWEEN TWO BEFVP41 WORKED FINE, BUT RIGHT NOW I HAVE A PROBLEM WITH RV082 AND BEFVP41 VPN CONNECTIONS. THE LOG IN THE RV082 SAYS:

    Mar 17 21:18:52 2008 VPN Log [Tunnel Negotiation Info] <<< Responder Received Aggressive Mode 1st packet
    Mar 17 21:18:52 2008 VPN Log Initial Aggressive Mode message from xxx.xxx.xxx.xxx but no (wildcard) connection has been configured

    AND THE BEFVP41 SAYS:

    2008-03-17 21:19:33 IKE[1] Tx >> AG_I1 : xxx.xx.xx.xxx SA, KE, Nonce, ID

    PLEASE HELP. THANKS ALL.
     
