[vpn-help] SAs expire immediately, connecting to Juniper SSG via Shrew

Kevin VPN kvpn at live.com
Thu Dec 1 21:15:25 CST 2011


On 11/21/2011 05:05 PM, Tim Keane wrote:
> Kevin VPN<kvpn at ...>  writes:
>>
>> Double-check your Phase 2, proxy and/or policy settings to be sure they
>> are the same on both the client and gateway.
>>
>
> I've double-checked them, and I can't find any discrepancy.  If I watch the
> Security Associations tab of the VPN Trace utility, I see two mature SAs
> momentarily displayed.  The logs of the Juniper seem to indicate that it's happy
> with the completion of the VPN tunnel as well.  I think my phase2 parameters
> have to match, because the tunnel is up for a moment.
>
> Any help with this would be much appreciated.  It's currently holding up our VPN
> rollout, because I'd much rather get Shrew working than pay NCP's exorbitant
> prices for a client.  Thanks for anyone's help with this!
>
>
> Here is the part of the log in question:
>
...
> 11/11/21 16:25:27<- : recv IKE packet 1.2.3.8:500 ->  1.2.3.112:500 ( 76 bytes )
> 11/11/21 16:25:27 DB : phase1 found
> 11/11/21 16:25:27 ii : processing phase2 packet ( 76 bytes )
> 11/11/21 16:25:27 DB : phase2 found
> 11/11/21 16:25:27 !! : phase2 packet ignored, resending last packet ( phase2
> already mature )
> 11/11/21 16:25:27 ->  : resend 1 phase2 packet(s) [0/2] 1.2.3.112:500 ->
> 1.2.3.8:500
> 11/11/21 16:25:27<- : recv IKE packet 1.2.3.8:500 ->  1.2.3.112:500 ( 76 bytes )
> 11/11/21 16:25:27 DB : phase1 found
> 11/11/21 16:25:27 ii : processing phase2 packet ( 76 bytes )
> 11/11/21 16:25:27 DB : phase2 found
> 11/11/21 16:25:27 !! : phase2 packet ignored, resending last packet ( phase2
> already mature )
> 11/11/21 16:25:27 ->  : resend 1 phase2 packet(s) [1/2] 1.2.3.112:500 ->
> 1.2.3.8:500
> 11/11/21 16:25:27<- : recv IKE packet 1.2.3.8:500 ->  1.2.3.112:500 ( 76 bytes )
> 11/11/21 16:25:27 DB : phase1 found
> 11/11/21 16:25:27 ii : processing phase2 packet ( 76 bytes )
> 11/11/21 16:25:27 DB : phase2 found
> 11/11/21 16:25:27 !! : phase2 packet ignored, resending last packet ( phase2
> already mature )
> 11/11/21 16:25:27 ->  : resend 1 phase2 packet(s) [2/2] 1.2.3.112:500 ->
> 1.2.3.8:500
> 11/11/21 16:25:27 K<  : recv pfkey UPDATE ESP message
> 11/11/21 16:25:27<- : recv IKE packet 1.2.3.8:500 ->  1.2.3.112:500 ( 76 bytes )
> 11/11/21 16:25:27 DB : phase1 found
> 11/11/21 16:25:27 ii : processing phase2 packet ( 76 bytes )
> 11/11/21 16:25:27 DB : phase2 found
> 11/11/21 16:25:27 !! : phase2 packet ignored, resending last packet ( phase2
> already mature )
> 11/11/21 16:25:27 ii : resend limit exceeded for phase2 exchange
> 11/11/21 16:25:27 DB : phase2 soft event canceled ( ref count = 2 )
> 11/11/21 16:25:27 DB : phase2 hard event canceled ( ref count = 1 )
> 11/11/21 16:25:27 DB : phase1 found
> 11/11/21 16:25:27 ii : sending peer DELETE message
>

This phase2 loop suggests to me that something still isn't right with 
phase2.

You say you're using Juniper and can see the logs.  Does it report a 
"completed negotiations" message in the event log?  It will list the 
lifetime so you can see if it matches what Shrew reports.

There's also a 'debug ike' command you can run at the CLI that may also 
shed some light on things.
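A small triage script, added here as an example (it is not part of the thread and not Shrew Soft's own tooling), that parses the iked trace format quoted above and reports whether a trace shows the phase 2 loop Kevin points at: the client keeps receiving a phase 2 packet for an exchange it already considers mature, resends its own last packet until the retransmit limit, and then tears the SA down with a DELETE. The sample trace is a constructed copy of the quoted log with the mail wrapping rejoined and the `>` quoting removed; the addresses are the thread's own placeholders. The verdict labels and the thresholds in `classify` are my own, not anything Shrew or Juniper report.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the Shrew Soft iked trace quoted in this thread, with
# the mail-client line wrapping rejoined and the '>' quoting removed.
# Addresses are the thread's own placeholders (1.2.3.x).
SAMPLE_TRACE = """\
11/11/21 16:25:27 <- : recv IKE packet 1.2.3.8:500 -> 1.2.3.112:500 ( 76 bytes )
11/11/21 16:25:27 DB : phase1 found
11/11/21 16:25:27 ii : processing phase2 packet ( 76 bytes )
11/11/21 16:25:27 DB : phase2 found
11/11/21 16:25:27 !! : phase2 packet ignored, resending last packet ( phase2 already mature )
11/11/21 16:25:27 -> : resend 1 phase2 packet(s) [0/2] 1.2.3.112:500 -> 1.2.3.8:500
11/11/21 16:25:27 <- : recv IKE packet 1.2.3.8:500 -> 1.2.3.112:500 ( 76 bytes )
11/11/21 16:25:27 DB : phase1 found
11/11/21 16:25:27 ii : processing phase2 packet ( 76 bytes )
11/11/21 16:25:27 DB : phase2 found
11/11/21 16:25:27 !! : phase2 packet ignored, resending last packet ( phase2 already mature )
11/11/21 16:25:27 -> : resend 1 phase2 packet(s) [1/2] 1.2.3.112:500 -> 1.2.3.8:500
11/11/21 16:25:27 K< : recv pfkey UPDATE ESP message
11/11/21 16:25:27 <- : recv IKE packet 1.2.3.8:500 -> 1.2.3.112:500 ( 76 bytes )
11/11/21 16:25:27 DB : phase1 found
11/11/21 16:25:27 ii : processing phase2 packet ( 76 bytes )
11/11/21 16:25:27 DB : phase2 found
11/11/21 16:25:27 !! : phase2 packet ignored, resending last packet ( phase2 already mature )
11/11/21 16:25:27 ii : resend limit exceeded for phase2 exchange
11/11/21 16:25:27 DB : phase2 soft event canceled ( ref count = 2 )
11/11/21 16:25:27 DB : phase2 hard event canceled ( ref count = 1 )
11/11/21 16:25:27 DB : phase1 found
11/11/21 16:25:27 ii : sending peer DELETE message
"""

# One trace line: timestamp, a short tag ('<-', '->', 'DB', 'ii', '!!', 'K<'),
# a colon, then the message. The gap between timestamp and tag is optional
# because copy-pasted logs (as in the thread) often lose that space.
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s*([^:\s]+)\s*:\s*(.*)$"
)
SIZE_RE = re.compile(r"\(\s*(\d+) bytes\s*\)")
RESEND_RE = re.compile(r"^resend \d+ phase2 packet")

Event = Tuple[str, str, str]  # (timestamp, tag, message)


def parse_trace(text: str) -> List[Event]:
    """Parse iked trace lines; tolerate '>' mail quoting, skip non-matching lines."""
    events = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        m = LINE_RE.match(line)
        if m:
            events.append(m.groups())
    return events


def summarize_phase2(events: List[Event]) -> Dict[str, object]:
    """Count the markers that separate a healthy phase 2 from a retransmit loop."""
    msgs = [msg for _, _, msg in events]
    inbound_sizes = [
        int(SIZE_RE.search(msg).group(1))
        for _, tag, msg in events
        if tag == "<-" and SIZE_RE.search(msg)
    ]
    return {
        # gateway keeps sending a phase 2 packet the client has already finished with
        "inbound_after_mature": sum("already mature" in m for m in msgs),
        # the client's own retransmits of its last phase 2 message
        "resends": sum(bool(RESEND_RE.match(m)) for m in msgs),
        "resend_limit_exceeded": any("resend limit exceeded" in m for m in msgs),
        # the kernel did install the ESP SA at some point (the "momentary" SA)
        "kernel_sa_update": any("pfkey UPDATE" in m for m in msgs),
        "delete_sent": any("sending peer DELETE" in m for m in msgs),
        "inbound_sizes": inbound_sizes,
    }


def classify(summary: Dict[str, object]) -> str:
    """Hypothetical verdict labels (my own, not Shrew's) for what a trace shows."""
    if (summary["inbound_after_mature"] >= 2
            and summary["resend_limit_exceeded"]
            and summary["delete_sent"]):
        return "phase2-retransmit-loop"
    if summary["kernel_sa_update"] and not summary["delete_sent"]:
        return "phase2-established"
    return "inconclusive"


def triage(text: str) -> Tuple[str, Dict[str, object]]:
    summary = summarize_phase2(parse_trace(text))
    return classify(summary), summary


if __name__ == "__main__":
    verdict, summary = triage(SAMPLE_TRACE)
    print(verdict)
    for key, value in summary.items():
        print(f"  {key}: {value}")
```

Paste a VPN Trace capture (quoted or not) into `triage` and compare the verdict with what the gateway's event log says about the same exchange; a trace that shows the kernel SA update followed by the loop and a DELETE is the "up for a moment" behaviour the thread describes, and the identical inbound packet sizes are a quick check that the gateway is repeating the same message rather than sending something new.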


