[vpn-help] Timeouts?

Matthew Grooms mgrooms at shrew.net
Fri Jul 30 00:54:31 CDT 2010


On 7/28/2010 9:35 PM, kevin shrew-vpn wrote:
> On Wed, 28 Jul 2010 20:41:44 -0500
> Matthew Grooms <mgrooms at shrew.net> wrote:
>
>>>
>>> Is assigning a new IP normal/permitted? Or is this a sign that I
>>> haven't quite got the configs right between the client and gateway?
>>>
>>> For what it's worth, the client is only able to connect if it is
>>> set to 'ike config pull'.
>>
>> Hmmm. Odd that it would assign a different address after an ISAKMP SA
>> renegotiation. A replacement SA is required when the original
>> expires. Depending on the gateway, this involves another Xauth and an
>> additional modecfg negotiation as well. What kind of gateway do you
>> use?
>>
>
> Hi Matthew, the gateway in question is an Aruba wireless controller.
> I'll send you some logs in a direct email.
>

Hi Kevin,

I had a look at the logs you sent me. Although I'm not that familiar 
with Aruba products or deciphering their log output, I assume the .43 
through .46 addresses are the ones being assigned to the client virtual 
adapter interface via modecfg. However, there is no additional request 
for a virtual address past the initial phase1 negotiation. Why the 
router would assume a new address should be allocated for the client is 
beyond my comprehension. If the user had a session open of any kind, it 
would die since the adapter would have to be re-assigned a new address. 
There is a way to request a specific address using modecfg, assuming the 
Aruba gateway requires this after phase1 renegotiation. However, since 
the gateway allocated the new address before modecfg would occur, I 
don't see any way the client could be modified to correct the issue you 
are experiencing.

Have you spoken to Aruba support about this?

-Matthew


