2 Replies Latest reply on Nov 7, 2011 9:59 AM by firedupbng

    Site-site VPN won't re-connect after one site's IP changed

      We changed our office ISP earlier this week, and with it our external IP. Afterwards, the site-to-site VPN will not reconnect even though the settings on both firewalls have all (as far as I know) been updated to the new IP.

       

      One is the Sidewinder G2 running firmware v70100, the other is a Cisco PIX 501. The IP was changed for the PIX.

       

      Some of the debug/errors showing up in the Sidewinder VPN audit log, for the "ikmpd" command and facility "isakmp_daemon":

       

      [inbound packet]
        [SA]
          [PROPOSAL #1]
            protocol: IKE(1)
            [TRANSFORM #1]
              tran_id: IKE(1)
              [attributes]
                ENCRYPT:3DES, HASH:MD5, GROUP:2, AUTH_METHOD:PRE_SHARED_KEY,
                LIFE:SECONDS, DURATION:|00015180|
        [VENDOR_ID]
          vendor_id: NATT_DRAFT3
        [VENDOR_ID]
          vendor_id: NATT_DRAFT2A

       

      [outbound packet]
        [NONE]
          CKY_I: |0bbd2f5c89728234|, CKY_R: |de531e8423961fa8|, exch: MAIN_MODE(2),
          mess_id: 0
        [SA]
          [PROPOSAL #1]
            protocol: IKE(1)
            [TRANSFORM #1]
              tran_id: IKE(1)
              [attributes]
                AUTH_METHOD:PRE_SHARED_KEY, HASH:MD5, ENCRYPT:3DES, GROUP:2,
                LIFE:SECONDS, DURATION:|00015180|
        [VENDOR_ID]
          vendor_id: SIDEWINDER
        [VENDOR_ID]
          vendor_id: SW_V_7_0

       

      Message timed out for MAIN_MODE negotiation in state: SA_SETUP... retransmitting

       

      [detailed info]
        [error]
          MAIN_MODE exchange processing failed
        [info]
          received duplicate packet for MAIN_MODE exchange in state: SA_SETUP, packet dropped
      [MAIN_MODE]
        VPN: !DYNAMIC!, CKY_I: |0bbd2f5c89728234|, CKY_R: |de531e8423961fa8|
        [state info]
          init/resp: RESPONDER, condition: LARVAL
        [retry info]
          counter: 2, num_trans: 2, total_time: 9, total_deviation: 3,
          timestamp_out: 1320433638, timestamp_in: 1320433629
        [local gateway] IPV4_ADDR-xxx.xxx.xxx.xxx:500
        [remote gateway] IPV4_ADDR-yyy.yyy.yyy.yyy:500
        [exchange policy]
          protocol: IKE, options: [FORCED_REKEY|INITIAL_CONTACT], version: 1,
          local authentication: PRE_SHARED_KEY,
          remote authentication: PRE_SHARED_KEY, encryption: 3DES, integ: MD5,
          DH group: 2
        [IKE info]
          allocations: 0
          [local identity]
            IPV4_ADDR-xxx.xxx.xxx.xxx
          vendor ids: NATT_DRAFT3|NATT_DRAFT2A
          [chosen proposal]
            protocol: IKE
            protocol: IKE, options: [FORCED_REKEY|INITIAL_CONTACT], version: 1,
            local authentication: PRE_SHARED_KEY,
            remote authentication: PRE_SHARED_KEY, encryption: 3DES, integ: MD5,
            DH group: 2

       

      [detailed info]
        [info]
          MAIN_MODE exchange terminated - MAIN_MODE negotiation timed out (retransmission threshold reached)
      [MAIN_MODE]
        VPN: !DYNAMIC!, CKY_I: |0bbd2f5c89728234|, CKY_R: |de531e8423961fa8|
        [state info]
          init/resp: [identical content to previous error]

       

       

      So it seems the two firewalls can see each other at the PIX's new IP, but they can't agree on a "MAIN_MODE" exchange.

       

      The PIX's gateway and subnet mask changed too, but I found no network objects, rules or other setting in the Sidewinder config that used these old values.

       

      I did re-enter the pre-shared key on both firewalls.

       

      Any ideas?

       

      Thanks

        • 1. Re: Site-site VPN won't re-connect after one site's IP changed
          PhilM
          MAIN_MODE exchange terminated - MAIN_MODE negotiation timed out (retransmission threshold reached)

           

          When I've seen that message I've always taken it to mean that Sidewinder is trying, but the other end isn't answering.

           

          If you run a tcpdump on the Sidewinder's external interface for port 500 traffic, do you see bi-directional traffic?

           

          The only other observation I'd make is that you are missing a couple of fairly important patches. While it may not have affected you up until now, I'd patch it up to 7.0.1.02 (though there's now a 7.0.1.03 patch release as of a couple of weeks ago).

           

          Message was edited by: PhilM on 07/11/11 12:42:52 GMT
          • 2. Re: Site-site VPN won't re-connect after one site's IP changed

            Thanks for the suggestion, I didn't get as far as doing a tcpdump to verify bi-directional traffic, but I tried re-creating the VPN config from scratch on the PIX firewall. The first attempt failed, but from the errors that generated I found the appropriate commands to update the crypto map for the new IP, and the IPSEC tunnel is working again.
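The audit records quoted in the original post already distinguish the two failure shapes discussed in this thread: a peer that never answers at all (PhilM's reading) versus a peer that sends its first main-mode message, gets our reply, and then never continues. The script below is an added example written for this thread, not Sidewinder or Cisco code. It parses the flattened ikmpd (isakmp_daemon) record layout shown above and folds one MAIN_MODE attempt into a verdict. The sample records are constructed from the post's format (RFC 5737 addresses in place of the masked gateways, the same cookie pair the post shows, and made-up retry counters for the terminated record), so it runs offline.

```python
"""Triage a stalled IKEv1 MAIN_MODE exchange from Sidewinder ikmpd audit records.

Added example for this thread, not Sidewinder or Cisco code. The record layout follows
the isakmp_daemon output quoted in the post; the sample records below are constructed
(RFC 5737 addresses, retry counters invented for the terminated record).
"""
import re

# Constructed sample modelled on the four records the original poster quoted.
STALLED_RESPONDER = [
    "[inbound packet]   [SA]     [PROPOSAL #1]       protocol: IKE(1)      [TRANSFORM #1]"
    "         tran_id: IKE(1)        [attributes]           ENCRYPT:3DES, HASH:MD5, GROUP:2,"
    " AUTH_METHOD:PRE_SHARED_KEY,           LIFE:SECONDS, DURATION:|00015180|"
    "  [VENDOR_ID]     vendor_id: NATT_DRAFT3  [VENDOR_ID]     vendor_id: NATT_DRAFT2A",
    "[outbound packet]   [NONE]     CKY_I: |0bbd2f5c89728234|, CKY_R: |de531e8423961fa8|,"
    " exch: MAIN_MODE(2),     mess_id: 0  [SA]     [PROPOSAL #1]       protocol: IKE(1)"
    "  [VENDOR_ID]     vendor_id: SIDEWINDER  [VENDOR_ID]     vendor_id: SW_V_7_0",
    "Message timed out for MAIN_MODE negotiation in state: SA_SETUP... retransmitting",
    "[detailed info]   [error]     MAIN_MODE exchange processing failed  [info]     received"
    " duplicate packet for MAIN_MODE exchange in state: SA_SETUP, packet dropped[MAIN_MODE]"
    "   VPN: !DYNAMIC!, CKY_I: |0bbd2f5c89728234|, CKY_R: |de531e8423961fa8|  [state info]"
    "     init/resp: RESPONDER, condition: LARVAL  [retry info]     counter: 2, num_trans: 2,"
    " total_time: 9, total_deviation: 3,     timestamp_out: 1320433638, timestamp_in: 1320433629"
    "  [local gateway] IPV4_ADDR-192.0.2.10:500  [remote gateway] IPV4_ADDR-198.51.100.20:500",
    "[detailed info]   [info]     MAIN_MODE exchange terminated - MAIN_MODE negotiation timed out"
    " (retransmission threshold reached)[MAIN_MODE]   VPN: !DYNAMIC!, CKY_I: |0bbd2f5c89728234|,"
    " CKY_R: |de531e8423961fa8|  [state info]     init/resp: RESPONDER, condition: LARVAL"
    "  [retry info]     counter: 3, num_trans: 3, total_time: 21, total_deviation: 3"
    "  [local gateway] IPV4_ADDR-192.0.2.10:500  [remote gateway] IPV4_ADDR-198.51.100.20:500",
]

# Constructed contrast case: we initiate and nothing ever comes back from the peer.
SILENT_PEER = [
    "[outbound packet]   [NONE]     CKY_I: |1111222233334444|, CKY_R: |0000000000000000|,"
    " exch: MAIN_MODE(2),     mess_id: 0  [SA]     [PROPOSAL #1]       protocol: IKE(1)",
    "Message timed out for MAIN_MODE negotiation in state: SA_SETUP... retransmitting",
    "[detailed info]   [info]     MAIN_MODE exchange terminated - MAIN_MODE negotiation timed out"
    " (retransmission threshold reached)[MAIN_MODE]   VPN: !DYNAMIC!, CKY_I: |1111222233334444|,"
    " CKY_R: |0000000000000000|  [state info]     init/resp: INITIATOR, condition: LARVAL"
    "  [retry info]     counter: 5, num_trans: 5, total_time: 60, total_deviation: 3"
    "  [local gateway] IPV4_ADDR-192.0.2.10:500  [remote gateway] IPV4_ADDR-198.51.100.20:500",
]

COOKIES = re.compile(r"CKY_I: \|([0-9a-f]+)\|, CKY_R: \|([0-9a-f]+)\|")
ROLE = re.compile(r"init/resp: (INITIATOR|RESPONDER), condition: (\w+)")
RETRY = re.compile(r"counter: (\d+), num_trans: (\d+), total_time: (\d+)")
GATEWAY = re.compile(r"\[(local|remote) gateway\] IPV4_ADDR-([\d.]+:\d+)")
NEG_STATE = re.compile(r"in state: (\w+)")


def parse_record(text):
    """Pull the fields that matter for triage out of one flattened audit record."""
    rec = {"kind": "other", "vendor_ids": re.findall(r"vendor_id: (\w+)", text),
           "duplicate": "received duplicate packet" in text}
    for prefix, kind in (("[inbound packet]", "inbound"), ("[outbound packet]", "outbound"),
                         ("Message timed out", "retransmit")):
        if text.startswith(prefix):
            rec["kind"] = kind
    if "exchange terminated" in text:
        rec["kind"] = "terminated"
    if m := COOKIES.search(text):
        rec["cky_i"], rec["cky_r"] = m.groups()
    if m := ROLE.search(text):
        rec["role"], rec["condition"] = m.groups()
    if m := RETRY.search(text):
        rec["retries"], rec["transmissions"], rec["elapsed"] = map(int, m.groups())
    if m := NEG_STATE.search(text):
        rec["state"] = m.group(1)
    for side, endpoint in GATEWAY.findall(text):
        rec[side + "_gateway"] = endpoint
    return rec


def triage(records):
    """Fold the records of one MAIN_MODE attempt into a verdict a practitioner can act on."""
    s = {"inbound": False, "outbound": False, "terminated": False, "duplicate": False,
         "peer_vendor_ids": [], "retries": 0}
    for rec in map(parse_record, records):
        if rec["kind"] in ("inbound", "outbound"):
            s[rec["kind"]] = True
        if rec["kind"] == "inbound":
            s["peer_vendor_ids"] = rec["vendor_ids"]
        if rec["kind"] == "terminated":
            s["terminated"] = True
        s["duplicate"] |= rec["duplicate"]
        for key in ("role", "condition", "state", "local_gateway", "remote_gateway"):
            if key in rec:
                s[key] = rec[key]
        s["retries"] = max(s["retries"], rec.get("retries", 0))

    if not s["terminated"]:
        s["verdict"] = "IN_PROGRESS"
    elif not s["inbound"]:
        # Nothing ever arrived from the peer: it is silent, or our packets never reach it.
        s["verdict"] = "PEER_SILENT"
    elif s.get("role") == "RESPONDER" and s.get("state") == "SA_SETUP":
        # The peer sent its first main-mode message and we answered, but it never sent
        # the key-exchange message and re-sent the first one instead: our reply is being
        # lost or rejected on the peer's side. In IKEv1 main mode the pre-shared key is
        # only used after the DH exchange, so a stall here happens before the key is checked.
        s["verdict"] = "REPLY_UNACKED"
    else:
        s["verdict"] = "STALLED_LATER"
    return s


if __name__ == "__main__":
    for name, recs in (("stalled responder", STALLED_RESPONDER), ("silent peer", SILENT_PEER)):
        v = triage(recs)
        print(f"{name}: {v['verdict']} role={v.get('role')} state={v.get('state')} "
              f"retries={v['retries']} {v.get('local_gateway')} <-> {v.get('remote_gateway')}")
```

A REPLY_UNACKED verdict is what the quoted records describe: both directions carry ISAKMP traffic, so a tcpdump on udp port 500 would look bidirectional, yet the exchange still dies in SA_SETUP because the peer keeps re-sending its opening message. That points at the peer's side of the tunnel definition (its crypto map, peer address or interface binding after the readdressing) or at something in the return path, rather than at the pre-shared key, which has not been exercised yet at that point in the exchange.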