
unknown (expired?) SA ??

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by emsbronco, Aug 29, 2005.

  emsbronco (Network Guru Member)

    I have a main office with an RV042 and 2 VPN tunnels active. Both go to BEFSX41 routers on the other endpoints. This configuration was working for about a month and a half when all of a sudden one VPN tunnel stopped passing traffic.
    All 3 devices report successful connections. Here are my basic settings for that VPN tunnel:

    Static IP
    IKE with PreShared Key
    3600 seconds (for both phase 1 and 2 SA lifetime)
    DES/MD5/1

    The other tunnel has a dynamic IP on the remote end and is working properly.

    The pertinent log entries are:
    Aug 28 20:14:26 2005 VPN Log [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
    Aug 28 20:14:28 2005 VPN Log [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet
    Aug 28 20:14:28 2005 VPN Log [Tunnel Negotiation Info] Inbound SPI value = dd400a7e
    Aug 28 20:14:28 2005 VPN Log [Tunnel Negotiation Info] Outbound SPI value = 87753834
    Aug 28 20:14:28 2005 VPN Log [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet
    Aug 28 20:14:28 2005 VPN Log [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
    Aug 28 20:14:28 2005 VPN Log Informational Exchange is for an unknown (expired?) SA

    What does this unknown (expired?) SA message mean and why is it occurring now after the tunnel has been active for over a month and a half?

    Oh, I did reboot both devices to try to reset the configuration and I can disconnect and reconnect until I'm blue in the face, but I always get the same message.
     
  duomenox (Network Guru Member)

    You cannot have the Phase 1 and Phase 2 Life Times the same. In some hardware, both the P1 and P2 counters start at the same time.

    Try the default settings of P1 = 3600sec and P2=28800 and see if that works for you.

    Also, I know the RV042 allows you to pick different groups and encryption types for the 2 phases. Try to make both Phase 1 and Phase 2 exactly the same (except the life times) on your RV042 and the other router (if they aren't already).

    Has the firmware been upgraded recently... on either router?

    I had an issue where the firmware was upgraded and I had to delete both tunnels and re-create them for them to continue working.

    Just some thoughts, hope they help.
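As an added example (not part of either post in this thread), the script below turns the two observations above into something checkable: it parses RV042-style VPN log lines in the format emsbronco quoted, records the SPI values, and flags the case where "Informational Exchange is for an unknown (expired?) SA" appears right after "Phase 2 SA Established"; it also applies the configuration rule duomenox suggests, reporting when the Phase 1 and Phase 2 SA lifetimes are identical. The log text is a constructed sample modelled on the thread; the function names and the `LIFETIME_DEFAULTS` values (taken from the reply's "P1 = 3600sec and P2=28800") are this example's own assumptions, not a Cisco/Linksys tool.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, same shape as the RV042 entries quoted in the question.
SAMPLE_LOG = """\
Aug 28 20:14:26 2005 VPN Log [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
Aug 28 20:14:28 2005 VPN Log [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet
Aug 28 20:14:28 2005 VPN Log [Tunnel Negotiation Info] Inbound SPI value = dd400a7e
Aug 28 20:14:28 2005 VPN Log [Tunnel Negotiation Info] Outbound SPI value = 87753834
Aug 28 20:14:28 2005 VPN Log [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet
Aug 28 20:14:28 2005 VPN Log [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Aug 28 20:14:28 2005 VPN Log Informational Exchange is for an unknown (expired?) SA
"""

# "Aug 28 20:14:26 2005 VPN Log <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) VPN Log (?P<msg>.*)$"
)
SPI_RE = re.compile(r"(?P<dir>Inbound|Outbound) SPI value = (?P<spi>[0-9a-fA-F]+)")

# Lifetimes (seconds) the reply recommends as the defaults; an assumption of this example.
LIFETIME_DEFAULTS = {"phase1": 3600, "phase2": 28800}


def parse_vpn_log(text: str) -> List[Tuple[str, str]]:
    """Return (timestamp, message) pairs for every line matching the RV042 log format."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append((m.group("ts"), m.group("msg")))
    return events


def analyze_tunnel(events: List[Tuple[str, str]]) -> Dict[str, object]:
    """Track SPIs and detect the 'unknown (expired?) SA' symptom after a Phase 2 SA came up."""
    result: Dict[str, object] = {
        "inbound_spi": None,
        "outbound_spi": None,
        "phase2_established": False,
        "unknown_sa_after_established": False,
        "unknown_sa_count": 0,
    }
    for _ts, msg in events:
        spi = SPI_RE.search(msg)
        if spi:
            key = "inbound_spi" if spi.group("dir") == "Inbound" else "outbound_spi"
            result[key] = spi.group("spi").lower()
        if "Phase 2 SA Established" in msg:
            result["phase2_established"] = True
        if "unknown (expired?) SA" in msg:
            result["unknown_sa_count"] = int(result["unknown_sa_count"]) + 1
            if result["phase2_established"]:
                # The peer is sending an informational exchange for an SA we no longer
                # (or never) hold: the symptom this thread is about.
                result["unknown_sa_after_established"] = True
    return result


def check_lifetimes(phase1_seconds: int, phase2_seconds: int) -> List[str]:
    """Apply the reply's rule: Phase 1 and Phase 2 SA lifetimes should not be equal."""
    findings = []
    if phase1_seconds == phase2_seconds:
        findings.append(
            f"Phase 1 and Phase 2 lifetimes are both {phase1_seconds}s; "
            f"try P1={LIFETIME_DEFAULTS['phase1']}s, P2={LIFETIME_DEFAULTS['phase2']}s"
        )
    return findings


if __name__ == "__main__":
    summary = analyze_tunnel(parse_vpn_log(SAMPLE_LOG))
    print(summary)
    for finding in check_lifetimes(3600, 3600):
        print("config:", finding)
```

Run against a real log export, `unknown_sa_after_established` being true with an otherwise clean Quick Mode sequence is the signature to look for; pair it with `check_lifetimes()` on both ends of the tunnel before touching anything else, since the reply's first suggestion is the cheapest to verify.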
     
