[vpn-help] Stalled Connections

Michael Ragusa michael.ragusa at ai.net
Thu Mar 16 05:49:26 CST 2006


I've just tested beta9 and, like beta8, ssh and telnet sessions seem to 
stall out after 30 mins or so, but with beta9 a constant ping stream is 
able to stay alive. The only way to regain the ssh and telnet connection is 
to close them out and reopen them, which happens with no problem.

I've examined my log files and I've noticed several things:
Mar 15 12:19:26 lance kernel: IPv4 ESP input: no key association found 
for spi 67083578
Mar 15 12:19:26 lance kernel: IPv4 ESP input: no key association found 
for spi 89710687

2006-03-15 12:19:15: INFO: respond new phase 1 negotiation: 
205.134.160.6[500]<=>205.134.160.254[500]
2006-03-15 12:19:15: INFO: begin Aggressive mode.
2006-03-15 12:19:15: INFO: received Vendor ID: CISCO-UNITY
2006-03-15 12:19:15: INFO: received Vendor ID: RFC 3947
2006-03-15 12:19:15: INFO: received broken Microsoft ID: FRAGMENTATION
2006-03-15 12:19:15: INFO: Selected NAT-T version: RFC 3947
2006-03-15 12:19:15: INFO: Adding remote and local NAT-D payloads.
2006-03-15 12:19:15: INFO: Hashing 205.134.160.254[500] with algo #1
2006-03-15 12:19:15: INFO: Hashing 205.134.160.6[500] with algo #1
2006-03-15 12:19:15: INFO: NAT not detected
2006-03-15 12:19:15: WARNING: unable to get certificate CRL(3) at 
depth:0 SubjectName:/C=US/ST=Maryland/L=Beltsville/O=AiNET/OU=vpn 
clients/CN=AiNET VPN Server/emailAddress=michael.ragusa at ai.net
2006-03-15 12:19:15: WARNING: unable to get certificate CRL(3) at 
depth:1 SubjectName:/C=US/ST=Maryland/L=Beltsville/O=AiNET/OU=vpn 
clients/CN=AiNET VPN CA/emailAddress=michael.ragusa at ai.net
2006-03-15 12:19:15: INFO: ISAKMP-SA established 
205.134.160.6[500]-205.134.160.254[500] 
spi:cfffe4888eda4f93:736cb8c6120d9517
2006-03-15 12:19:15: INFO: Using port 0
2006-03-15 12:19:25: INFO: respond new phase 2 negotiation: 
205.134.160.6[500]<=>205.134.160.254[500]
2006-03-15 12:19:25: INFO: no policy found, try to generate the policy : 
10.246.37.1/32[0] 10.246.38.0/24[0] proto=any dir=in
2006-03-15 12:19:25: INFO: IPsec-SA established: ESP/Tunnel 
205.134.160.254[0]->205.134.160.6[0] spi=67083578(0x3ff9d3a)
2006-03-15 12:19:25: INFO: IPsec-SA established: ESP/Tunnel 
205.134.160.6[0]->205.134.160.254[0] spi=470638116(0x1c0d5e24)
2006-03-15 12:19:25: ERROR: such policy does not already exist: 
"10.246.37.1/32[0] 10.246.38.0/24[0] proto=any dir=in"
2006-03-15 12:19:25: ERROR: such policy does not already exist: 
"10.246.38.0/24[0] 10.246.37.1/32[0] proto=any dir=out"
2006-03-15 12:19:26: INFO: respond new phase 2 negotiation: 
205.134.160.6[500]<=>205.134.160.254[500]
2006-03-15 12:19:26: INFO: Update the generated policy : 
10.246.37.1/32[0] 10.246.38.0/24[0] proto=any dir=in
2006-03-15 12:19:26: INFO: IPsec-SA established: ESP/Tunnel 
205.134.160.254[0]->205.134.160.6[0] spi=89710687(0x558e05f)
2006-03-15 12:19:26: INFO: IPsec-SA established: ESP/Tunnel 
205.134.160.6[0]->205.134.160.254[0] spi=994440598(0x3b45f596)
2006-03-15 12:19:26: ERROR: such policy does not already exist: 
"10.246.37.1/32[0] 10.246.38.0/24[0] proto=any dir=in"
2006-03-15 12:19:26: ERROR: such policy does not already exist: 
"10.246.38.0/24[0] 10.246.37.1/32[0] proto=any dir=out"
2006-03-15 17:44:56: ERROR: delete payload with strange spi size 
4(proto_id:1)
2006-03-15 17:44:56: ERROR: delete payload with strange spi size 
4(proto_id:1)
2006-03-15 17:44:56: INFO: purging ISAKMP-SA 
spi=cfffe4888eda4f93:736cb8c6120d9517:0000aed6.
2006-03-15 17:44:56: INFO: purged ISAKMP-SA 
spi=cfffe4888eda4f93:736cb8c6120d9517:0000aed6.
2006-03-15 17:44:57: INFO: ISAKMP-SA deleted 
205.134.160.6[500]-205.134.160.254[500] 
spi:cfffe4888eda4f93:736cb8c6120d9517
2006-03-15 17:44:57: INFO: Released port 0


-> : send ESP packet to 205.134.160.6 ( 92 bytes )
<- : recv ESP packet from 205.134.160.6 ( 92 bytes )
DB : ipsec peer found
DB : phase2 sa found
<= : decrypt esp packet ( 64 bytes )
ii : client control connection closed
ii : client recv thread exit ...
ii : deleted vnet device 'ROOT\VNET\0000'
DB : config deleted
DB : phase2 sa deleted before being marked as dead
DB : ipsec peer found
DB : phase1 sa found
 >> : hash payload
 >> : notification payload
== : new informational hash ( 16 bytes )
== : new phase2 iv ( 8 bytes )
 >= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 64 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to 205.134.160.6:500 ( 68 bytes )
ii : rebuilding interface list ...
ii : interface IP=205.134.160.254, MTU=1500 active
ii : 1 adapter(s) active
II | sent peer SA DELETE message
II | 205.134.160.254 -> 205.134.160.6
II | isakmp spi = 0x03ff9d3a
DB : phase2 sa deleted before being marked as dead
DB : ipsec peer found
DB : phase1 sa found
 >> : hash payload
 >> : notification payload
== : new informational hash ( 16 bytes )
== : new phase2 iv ( 8 bytes )
 >= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 64 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to 205.134.160.6:500 ( 68 bytes )
II | sent peer SA DELETE message
II | 205.134.160.254 -> 205.134.160.6
II | isakmp spi = 0x0558e05f
DB : phase1 sa deleted before being marked as dead
DB : ipsec peer found
 >> : hash payload
 >> : notification payload
== : new informational hash ( 16 bytes )
== : new phase2 iv ( 8 bytes )
 >= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 76 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to 205.134.160.6:500 ( 76 bytes )
II | sent peer SA DELETE message
II | 205.134.160.254 -> 205.134.160.6
II | isakmp spi = cfffe4888eda4f93:736cb8c6120d9517
DB : tunnel deleted
ii : client ctrl thread exit ...


Any ideas?
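
Added example (not part of the original post, and not code from the VPN client or the IKE daemon): a small correlator that matches the SPIs in the kernel's "no key association found" messages against the "IPsec-SA established" lines in the IKE daemon log. The sample lines are taken from the post with the mail line-wrapping rejoined; the `year` parameter is an assumption, since syslog timestamps omit it.

```python
import re
from datetime import datetime

# Lines taken from the post above, with mail line-wrapping rejoined.
SAMPLE = """\
Mar 15 12:19:26 lance kernel: IPv4 ESP input: no key association found for spi 67083578
Mar 15 12:19:26 lance kernel: IPv4 ESP input: no key association found for spi 89710687
2006-03-15 12:19:25: INFO: IPsec-SA established: ESP/Tunnel 205.134.160.254[0]->205.134.160.6[0] spi=67083578(0x3ff9d3a)
2006-03-15 12:19:25: INFO: IPsec-SA established: ESP/Tunnel 205.134.160.6[0]->205.134.160.254[0] spi=470638116(0x1c0d5e24)
2006-03-15 12:19:26: INFO: IPsec-SA established: ESP/Tunnel 205.134.160.254[0]->205.134.160.6[0] spi=89710687(0x558e05f)
2006-03-15 12:19:26: INFO: IPsec-SA established: ESP/Tunnel 205.134.160.6[0]->205.134.160.254[0] spi=994440598(0x3b45f596)
"""

KERNEL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: IPv4 ESP input: "
    r"no key association found for spi (\d+)$")
IKE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): INFO: IPsec-SA established: "
    r"\S+ (\S+?)\[\d+\]->(\S+?)\[\d+\] spi=(\d+)\(0x([0-9a-f]+)\)$")

def correlate(text, year=2006):
    """Pair each kernel SPI miss with the SA the IKE daemon logged for it (None if absent)."""
    sas, misses = {}, []
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            ts, src, dst, spi, hexspi = m.groups()
            if int(hexspi, 16) != int(spi):
                continue  # decimal and hex SPI disagree: damaged line, skip it
            sas[int(spi)] = {"src": src, "dst": dst,
                             "at": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")}
            continue
        m = KERNEL_RE.match(line)
        if m:  # year is assumed; the syslog timestamp does not carry one
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            misses.append((int(m.group(2)), when))
    out = []
    for spi, when in misses:
        sa = sas.get(spi)
        # lag_s: seconds between the daemon logging the SA and the kernel miss
        lag = (when - sa["at"]).total_seconds() if sa else None
        out.append({"spi": spi, "hex": f"0x{spi:08x}", "sa": sa, "lag_s": lag})
    return out

if __name__ == "__main__":
    for r in correlate(SAMPLE):
        sa = r["sa"]
        print(r["spi"], r["hex"], f'{sa["src"]}->{sa["dst"]}' if sa else "unknown", r["lag_s"])
```

On these lines both missed SPIs resolve to the 205.134.160.254->205.134.160.6 SAs, and their zero-padded hex forms are the same values the client log prints as "isakmp spi" in its SA DELETE messages.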



