5 Replies Latest reply on May 10, 2012 8:48 AM by PhilM

    VPN tunnel site-to-site won't establish connection

      Hi,

            We are currently trying to establish a VPN connection from one site to another. We are both using MFE version 7, and below are the errors encountered.

       

      VPN SETUP:

      Mode: Fixed IP

      IKE v1

      Encapsulation: Tunnel

      Remote Authentication: password

      IPSEC Encryption: aes256, aes128, cast128, 3des, des

      IPSEC Algorithms: sha1, md5

       

      LOGS:

       

      May  9 16:22:41 2012 PHT  f_isakmp_daemon a_vpn t_info p_major

      pid: 2179 ruid: 0 euid: 0 pgid: 2179 logid: 0 cmd: 'ikmpd'

      domain: ikpd edomain: ikpd hostname: sitedomain

      vpn_name: site1 cky_i: 3dbd62a5c0de0b33 cky_r: 0000000000000000

      msg_id: 4e51a519 spi: 00000000 local_gw: xxx.xxx.xxx.xxx

      remote_gw: xxx.xxx.xxx.xxx local_net: xxx.xxx.xxx.xxx/xx

      remote_net: xxx.xxx.xxx.xxx/xx

      information: [detailed info]

        [info]

          QUICK_MODE exchange terminated - IKE SA terminated

       

       

      May  9 16:22:41 2012 PHT  f_isakmp_daemon a_vpn t_info p_major

      pid: 2179 ruid: 0 euid: 0 pgid: 2179 logid: 0 cmd: 'ikmpd'

      domain: ikpd edomain: ikpd hostname: site1domain

      vpn_name: site1 cky_i: 3dbd62a5c0de0b33 cky_r: 0000000000000000

      local_gw: xxx.xxx.xxx.xxx/xx remote_gw: xxx.xxx.xxx.xxx/xx

      information: [detailed info]

        [info]

          MAIN_MODE exchange terminated - MAIN_MODE negotiation timed out (retransmission threshold reached)

        • 1. Re: VPN tunnel site-to-site won't establish connection
          PhilM

          The last of the log entries is the most telling to me.

           

          "retransmission threshold reached" generally translates to "I tried, but I didn't get an answer from the other end". This can normally be confirmed by running a tcpdump on the external interface for UDP port 500 traffic - you'll see it leaving your site, but without any evidence of a response.

           

          So, personally, I would focus my attention on the MFE appliance at the other end of the link. Either it doesn't have an ISAKMP rule in place, the rule is present but is conflicting with another rule trying to use UDP port 500 traffic, or the ISP router is blocking/filtering out this traffic.

           

          A tcpdump on this other Firewall will help because you can determine whether the UDP port 500 traffic from your end of the connection is actually reaching the remote firewall in the first place. If it does, then the ISP blocking/filtering scenario can be ruled out.

           

          Hope that helps you to start the investigation.

           

          -Phil.

          • 2. Re: VPN tunnel site-to-site won't establish connection

            Hi,

                Both firewalls can ping each other. The ISAKMP server rule is the top rule. We also configured both firewalls with exactly the same configuration as below.

             

            VPN SETUP:

            Mode: Fixed IP

            IKE v2

            Encapsulation: Tunnel

            Mode: MAIN MODE

            Remote Authentication: password

            IPSEC Encryption: aes256

            IPSEC Algorithms: sha1

            May 10 18:05:29 2012 PHT  f_isakmp_daemon a_vpn t_info p_major

            pid: 2335 ruid: 0 euid: 0 pgid: 2335 logid: 0 cmd: 'ikmpd'

            domain: ikpd edomain: ikpd hostname: domain.local

            vpn_name: name of vpn local_gw: xxx.xxx.xxx.xxx

            remote_gw: xxx.xxx.xxx.xxx

            information: Session creation -

            [session details]

              vpn_name: name of VPN, state: ALIVE, flags: INITIAL_CONTACT

              [local gateway] IPV4_ADDR-xxx.xxx.xxx.xxx:500

              [remote gateway] IPV4_ADDR-xxx.xxx.xxx.xxx:500

              [phase1 config]

                vpn: VPN name position: 1

                [policy]

                  exchange: SA_INIT, protocol: IKE, options: [INITIAL_CONTACT], version: 2,

                  local authentication: PRE_SHARED_KEY,

                  remote authentication: PRE_SHARED_KEY,

                  encryption: DES|3DES|AES:128|AES:256, prf: HMAC_MD5|HMAC_SHA1,

                  integ: MD5|SHA1, DH group: 1|2|5

              [phase2 config]

                vpn: VPN name position: 1

                [policy]

                  protocol: ESP, burb: 2, version: 2, encryption: AES:256, integ: SHA1,

                  ESN: OFF, encapsulation: TUNNEL

            May 10 18:07:46 2012 PHT  f_isakmp_daemon a_vpn t_error p_major

            pid: 2335 ruid: 0 euid: 0 pgid: 2335 logid: 0 cmd: 'ikmpd'

            domain: ikpd edomain: ikpd hostname: domain.local

            cky_i: 8039e694e6378936 cky_r: 0000000000000000 local_gw: xxx.xxx.xxx.xxx

            remote_gw: xxx.xxx.xxx.xxx

            information: [detailed info]

              [error]

                SA_INIT exchange processing failed

            May 10 18:03:33 2012 PHT  f_isakmp_daemon a_vpn t_info p_major

            pid: 2335 ruid: 0 euid: 0 pgid: 2335 logid: 0 cmd: 'ikmpd'

            domain: ikpd edomain: ikpd hostname: domain.local

            vpn_name: name of vpn cky_i: b39a515940fa92ea cky_r: 0000000000000000

            local_gw: xxx.xxx.xxx.xxx remote_gw: xxx.xxx.xxx.xxx

            information: [detailed info]

              [info]

                SA_INIT exchange terminated - SA_INIT negotiation timed out (retransmission threshold reached)

             

             

            May 10 18:03:33 2012 PHT  f_isakmp_daemon a_vpn t_info p_major

            pid: 2335 ruid: 0 euid: 0 pgid: 2335 logid: 0 cmd: 'ikmpd'

            domain: ikpd edomain: ikpd hostname: domain.local

            vpn_name: name of vpn cky_i: b39a515940fa92ea cky_r: 0000000000000000

            msg_id: ffffffff spi: 00000000 local_gw: xxx.xxx.xxx.xxx

            remote_gw: xxx.xxx.xxx.xxx local_net: xxx.xxx.xxx.xxx/16

            remote_net: xxx.xxx.xxx.xxx/24

            information: [detailed info]

              [info]

                CREATE_CHILD exchange terminated - IKE SA terminated

            • 3. Re: VPN tunnel site-to-site won't establish connection
              PhilM

              The fact that you can ping both Firewalls (external/public IP addresses, I assume) is a good start.

               

              The tcpdump exercise will at least prove that the udp/500 traffic is flowing between the two Firewalls.

               

              The first audit record shows the initiation phase of the connection, but the second record indicates that there is something wrong between the two definitions (SA_INIT exchange processing failed).

               

              Either look at the audit on the other Firewall when this happens and/or edit the properties of the "isakmp" service so that it runs in either verbose or debug mode. This may well reveal more about why it is failing.

               

              Certainly it looks as though there is a slight difference between the definitions on each Firewall - enough for the initial contact phase to fail.

               

              -Phil.
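Reply 3 attributes the `SA_INIT exchange processing failed` record to a difference between the two VPN definitions. A quick check before deleting and recreating anything is to compare the attribute sets the audit prints under `[phase1 config]` / `[phase2 config]` on each firewall and look for a category with no common value. In IKEv2 the IKE_SA_INIT exchange only negotiates the IKE SA proposal (encryption, PRF, integrity, DH group); the pre-shared key is not used until IKE_AUTH, so a failure at SA_INIT points at the proposal or DH group rather than at the password. The script below is an added example, not code from this thread or from the MFE product: it parses the `[policy]` line in the format logged above and intersects it with a peer's line. The local phase 1 and phase 2 strings are copied from the posted session-creation record; the peer definitions, and the function names `parse_policy`, `common_proposal`, `weak_values` and `check_definitions`, are my own. It also flags DES, MD5 and the 768/1024-bit MODP DH groups (1 and 2), which are weak by current standards, so they can be removed from the definition once the tunnel is up.

```python
"""Compare two IKE gateway definitions for a common proposal (added example).

Parses the '[policy]' attribute line that the MFE audit prints at
'Session creation' and intersects it category by category with the peer's
line. Any category with an empty intersection means the SA cannot be
negotiated, however the rest of the definition looks.
"""
import re

PHASE1_KEYS = ("encryption", "prf", "integ", "DH group")   # IKE SA (SA_INIT)
PHASE2_KEYS = ("encryption", "integ")                      # ESP child SA
# Weak by current standards: DES, MD5 and the 768/1024-bit MODP groups.
# Flagged for pruning, not rejected, so a working tunnel is not broken.
WEAK = {"DES", "MD5", "HMAC_MD5", "1", "2"}


def parse_policy(text, keys):
    """'encryption: DES|3DES, prf: HMAC_SHA1, ...' -> {key: set of values}.
    Raises ValueError if a required attribute is absent from the line."""
    policy = {}
    for key in keys:
        m = re.search(r"(?:^|,\s*)%s:\s*([^,]+)" % re.escape(key), text)
        if not m:
            raise ValueError("no '%s' attribute in policy line" % key)
        policy[key] = {v.strip() for v in m.group(1).split("|")}
    return policy


def common_proposal(local, remote):
    """Return (common, missing): the per-category intersection and the list
    of categories with no overlap. Negotiation can succeed only if missing == []."""
    common, missing = {}, []
    for key in local:
        both = local[key] & remote.get(key, set())
        common[key] = both
        if not both:
            missing.append(key)
    return common, missing


def weak_values(policy):
    """Values in a definition that should be pruned once the tunnel works."""
    return {key: policy[key] & WEAK for key in policy if policy[key] & WEAK}


def check_definitions(local_text, remote_text, keys):
    """One-call helper: returns (ok, missing_categories, common)."""
    common, missing = common_proposal(parse_policy(local_text, keys),
                                      parse_policy(remote_text, keys))
    return not missing, missing, common


# Local phase 1 and phase 2 lines as logged in the session-creation record above.
LOCAL_PHASE1 = ("encryption: DES|3DES|AES:128|AES:256, prf: HMAC_MD5|HMAC_SHA1, "
                "integ: MD5|SHA1, DH group: 1|2|5")
LOCAL_PHASE2 = ("protocol: ESP, burb: 2, version: 2, encryption: AES:256, "
                "integ: SHA1, ESN: OFF, encapsulation: TUNNEL")
# Hypothetical peer definitions (constructed for the example; not from the thread).
PEER_PHASE1_BAD = "encryption: AES:256, prf: HMAC_SHA1, integ: SHA1, DH group: 14"
PEER_PHASE1_OK = "encryption: AES:128|AES:256, prf: HMAC_SHA1, integ: SHA1, DH group: 2|14"
PEER_PHASE2 = "protocol: ESP, encryption: AES:128|AES:256, integ: SHA1|MD5"

if __name__ == "__main__":
    for label, peer in (("mismatched peer", PEER_PHASE1_BAD), ("matching peer", PEER_PHASE1_OK)):
        ok, missing, common = check_definitions(LOCAL_PHASE1, peer, PHASE1_KEYS)
        print("phase 1 vs %s: %s" % (label, "OK" if ok else "no overlap in " + ", ".join(missing)))
        for key in PHASE1_KEYS:
            print("   %-10s %s" % (key, "|".join(sorted(common[key])) or "-"))
    ok, missing, common = check_definitions(LOCAL_PHASE2, PEER_PHASE2, PHASE2_KEYS)
    print("phase 2: %s" % ("OK" if ok else "no overlap in " + ", ".join(missing)))
    print("weak values in local phase 1:", weak_values(parse_policy(LOCAL_PHASE1, PHASE1_KEYS)))
```

Paste each firewall's own `[policy]` line (taken from its audit at session creation, or from the isakmp service running in verbose/debug mode as suggested above) into the two strings; a non-empty `missing` list names the category to fix, and an empty one means the definitions agree and the problem is elsewhere, such as the key or the traffic path.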

              • 4. Re: VPN tunnel site-to-site won't establish connection

                Hi,

                    We have another firewall in another country that has no problem with VPN and has exactly the same config as the one that is having a problem. We already looked into the configuration of the ISAKMP service application, but it has the same configuration on both ends. Actually we have 5 MFEs in 4 countries. Let's say that 2 of the firewalls are in Thailand with the same ISP and one of the firewalls is in Vietnam. The connection from firewall 1 in Thailand successfully connects to the firewall in Vietnam, but we decided to move the connection to firewall 2 in Thailand to connect to the firewall in Vietnam; that's when the problem occurs.

                • 5. Re: VPN tunnel site-to-site won't establish connection
                  PhilM

                  This is where the tcpdump tool is going to be of most use to you.

                   

                  I agree - if you have VPNs already in place between other Firewalls there shouldn't be a problem. Running the tcpdump test on the firewalls you are trying to get to work will prove whether the udp/500 traffic is actually making it to each site (and back again). If it is not then your problem may lie elsewhere (traffic being filtered by the ISP, for example).

                   

                  One tip which I was taught when I was first trained on this product back in 2001 is when you reach a stage where a VPN will not start up and you can't see any reason why it shouldn't, write down all the settings for the definition, delete the definition, and re-create it. On more than one occasion this has worked for me and proved that I probably typed something wrong in the first place (even though my eyes couldn't see it).

                   

                  Failing that, I would recommend that you raise a ticket with McAfee support and they can help you directly.

                   

                  -Phil.
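The tcpdump check Phil recommends in replies 1 and 5 comes down to one question per peer: do the IKE packets only leave, or does anything come back? The Python script below is an added example, not code from this thread or from the MFE product. It reads the text that `tcpdump -n` prints (the `hh:mm:ss.usec IP src.port > dst.port:` header) for UDP/500 and UDP/4500 and reports, per remote gateway, whether traffic is outbound-only (what the initiating firewall sees behind "retransmission threshold reached"), inbound-only (what the responder looks like when its ISAKMP rule is missing or shadowed by another rule), or bidirectional (both sides talk, so the audit rather than the path is where to look). The capture lines are constructed with RFC 5737 documentation addresses, the tcpdump decode text after the colon is illustrative, and the interface name and exact tcpdump invocation on the firewall are assumptions.

```python
"""Classify IKE traffic direction from tcpdump text output (added example).

Assumed capture command on the firewall's external interface (name assumed):
    tcpdump -n -i em0 'udp port 500 or udp port 4500' > ike_capture.txt
The script then reads that text and answers, per remote gateway, whether
packets are only leaving (no reply at all), only arriving (we never answer),
or flowing both ways.
"""
import re
import sys
from collections import defaultdict

# Header tcpdump -n prints for IPv4: "<hh:mm:ss.usec> IP <src>.<sport> > <dst>.<dport>: <decode>"
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<decode>.*)$"
)
IKE_PORTS = {500, 4500}  # ISAKMP and NAT-T


def parse_ike_packets(lines):
    """Yield (ts, src, dst, decode) for packets touching UDP/500 or UDP/4500.
    Lines that do not match the header, or use other ports (e.g. DNS), are skipped."""
    for line in lines:
        m = TCPDUMP_RE.match(line.strip())
        if not m:
            continue
        if int(m["sport"]) not in IKE_PORTS and int(m["dport"]) not in IKE_PORTS:
            continue
        yield m["ts"], m["src"], m["dst"], m["decode"]


def classify_peers(lines, local_gw):
    """Return {peer_ip: (verdict, sent, received)} for every peer seen.

    verdict is one of:
      "outbound-only"  - we keep sending, nothing ever comes back
                         (the initiator's view behind "retransmission threshold reached")
      "inbound-only"   - the peer reaches us but we never answer
                         (a responder with no usable ISAKMP rule looks like this)
      "bidirectional"  - both sides exchange IKE packets; the path is fine, check the audit
    """
    sent = defaultdict(int)
    received = defaultdict(int)
    for _ts, src, dst, _decode in parse_ike_packets(lines):
        if src == local_gw:
            sent[dst] += 1
        elif dst == local_gw:
            received[src] += 1
    verdicts = {}
    for peer in sorted(set(sent) | set(received)):
        s, r = sent[peer], received[peer]
        if s and not r:
            verdict = "outbound-only"
        elif r and not s:
            verdict = "inbound-only"
        else:
            verdict = "bidirectional"
        verdicts[peer] = (verdict, s, r)
    return verdicts


# Constructed sample capture (not a real capture from the thread):
# four unanswered IKEv1 main-mode attempts to one peer, a normal IKEv2
# IKE_SA_INIT/IKE_AUTH start with another, and one DNS packet that must be ignored.
SAMPLE_LOCAL_GW = "203.0.113.10"
SAMPLE_CAPTURE = """\
16:22:11.100001 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
16:22:21.100002 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
16:22:31.100003 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
16:22:41.100004 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
16:23:02.200001 IP 203.0.113.10.500 > 192.0.2.30.500: isakmp: parent_sa ikev2_init[I]
16:23:02.230002 IP 192.0.2.30.500 > 203.0.113.10.500: isakmp: parent_sa ikev2_init[R]
16:23:02.240003 IP 203.0.113.10.500 > 192.0.2.30.500: isakmp: child_sa ikev2_auth[I]
16:23:05.000001 IP 203.0.113.10.40123 > 192.0.2.30.53: 51234+ A? example.com. (29)
"""


if __name__ == "__main__":
    # Usage: python3 ike_direction.py <local_external_ip> < ike_capture.txt
    # With no argument the constructed sample above is analysed instead.
    if len(sys.argv) > 1:
        result = classify_peers(sys.stdin, sys.argv[1])
    else:
        result = classify_peers(SAMPLE_CAPTURE.splitlines(), SAMPLE_LOCAL_GW)
    for peer, (verdict, s, r) in result.items():
        print("%-16s %-14s sent=%d received=%d" % (peer, verdict, s, r))
```

Run it once on each firewall with that firewall's own external address: "outbound-only" on the initiator together with "inbound-only" on the responder means the packets arrive but the responder never answers (rule problem on that box); "outbound-only" on the initiator with nothing at all on the responder means the packets are lost in between, the ISP filtering case Phil describes.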