[vpn-help] please help with SRX220

Uracs Tamás uracs.tamas at peetandcook.hu
Tue Feb 1 09:51:59 CST 2011


Hi Matthew,

Could you please help me a little bit?
I am stuck creating a dialup VPN with an SRX220 cluster. Phase 1 and 2 go fine, and after a few successful SA key changes the connection breaks.
It seems that our Shrew client tries to reauthenticate the already logged-in user and loses the SA after that. See the log from the SRX220 below.
Do you have any thoughts about this?

Thank you and best,

Tamas Uracs

1.1.1.1: Shrew 2.1.7
2.2.2.2: SRX 220 cluster


Feb  1 15:29:53 ike_sa_find_half: Not found half SA = { 3f42e50f 80cd21b2 - 00000000 00000000 }
Feb  1 15:29:53 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 5f0f7631, remote = 1.1.1.1:2726
Feb  1 15:29:53 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 1.1.1.1:2726
Feb  1 15:29:56 ike_retransmit_callback: Start, retransmit SA = { e745b337 b7895475 - 8ede6b29 1a2b4c81}, nego = 2
Feb  1 15:29:56 ike_retransmit_callback: Isakmp SA has been marked as deleted
Feb  1 15:29:56 2.2.2.2:0 (Initiator) <-> 1.1.1.1:2726 { e745b337 b7895475 - 8ede6b29 1a2b4c81 [2] / 0x3b22e311 } CFG; Error = Timeout (8197)
Feb  1 15:29:56 ike_send_notify: Private notification, do not send notification
Feb  1 15:29:56 ike_delete_negotiation: Start, SA = { e745b337 b7895475 - 8ede6b29 1a2b4c81}, nego = 2
Feb  1 15:29:56 ike_free_negotiation_cfg: Start, nego = 2
Feb  1 15:29:56 ike_free_negotiation: Start, nego = 2
Feb  1 15:30:04 ike_state_restart_packet: Start, restart packet SA = { 1b1eb4a5 3c38975e - cff216d1 79bfcefb}, nego = 1
Feb  1 15:30:04 ike_st_o_qm_done: Quick Mode negotiation done
Feb  1 15:30:04 ike_send_notify: Connected, SA = { 1b1eb4a5 3c38975e - cff216d1 79bfcefb}, nego = 1
Feb  1 15:30:04 ike_delete_negotiation: Start, SA = { 1b1eb4a5 3c38975e - cff216d1 79bfcefb}, nego = 1
Feb  1 15:30:04 ike_free_negotiation_qm: Start, nego = 1
Feb  1 15:30:04 ike_free_negotiation: Start, nego = 1
Feb  1 15:30:04 ike_free_id_payload: Start, id type = 4
Feb  1 15:30:04 ike_free_id_payload: Start, id type = 4
Feb  1 15:30:04 ike_free_id_payload: Start, id type = 4
Feb  1 15:30:04 ike_free_id_payload: Start, id type = 4
Feb  1 15:30:08 ike_get_sa: Start, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 5f30985a, remote = 1.1.1.1:2726
Feb  1 15:30:08 ike_sa_find_half: Not found half SA = { 3f42e50f 80cd21b2 - 00000000 00000000 }
Feb  1 15:30:08 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 5f30985a, remote = 1.1.1.1:2726
Feb  1 15:30:08 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 1.1.1.1:2726
Feb  1 15:30:12 ike_get_sa: Start, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / a6525a3e, remote = 1.1.1.1:2726
Feb  1 15:30:12 ike_sa_find_half: Not found half SA = { 3f42e50f 80cd21b2 - 00000000 00000000 }
Feb  1 15:30:12 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / a6525a3e, remote = 1.1.1.1:2726
Feb  1 15:30:12 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 1.1.1.1:2726
Feb  1 15:30:15 ike_get_sa: Start, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 622d9826, remote = 1.1.1.1:2726
Feb  1 15:30:15 ike_sa_find_half: Not found half SA = { 3f42e50f 80cd21b2 - 00000000 00000000 }
Feb  1 15:30:15 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 622d9826, remote = 1.1.1.1:2726
Feb  1 15:30:15 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 1.1.1.1:2726
Feb  1 15:30:16 ike_state_restart_packet: Start, restart packet SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152}, nego = 0
Feb  1 15:30:16 ike_st_o_cfg_done: CFG negotiation done
Feb  1 15:30:16 ike_send_notify: Connected, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152}, nego = 0
Feb  1 15:30:16 ike_delete_negotiation: Start, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152}, nego = 0
Feb  1 15:30:16 ike_free_negotiation_cfg: Start, nego = 0
Feb  1 15:30:16 ike_free_negotiation: Start, nego = 0
Feb  1 15:30:17 Deleted (spi=894670796, protocol=ESP dst=2.2.2.2) entry from the peer hash table
Feb  1 15:30:17 Deleted (spi=894670796, protocol=ESP dst=2.2.2.2) entry from the dynamic sa spi hash table
Feb  1 15:30:17 jnp_ike_connect_delete: Start, remote_name = 1.1.1.1:2726, flags = 00010000
Feb  1 15:30:17 jnp_ike_create_delete_internal: Start, remote_name = 1.1.1.1:2726, flags = 00010000
Feb  1 15:30:17 jnp_ike_create_delete_internal: No isakmp sa found and connect flags require it
Feb  1 15:30:17 Not route based VPN. Not deleting NHTB entry
Feb  1 15:30:17 In iked_ipsec_sa_pair_delete Deleting GENCFG msg with key; Tunnel = 133955647;SPI-In = 894670796

Feb  1 15:30:17 Deleted SA pair for tunnel = 133955647 with SPI-In = 894670796 to kernel
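
Added example, not part of the original message: a small Python script that groups iked trace lines like those above by IKE initiator cookie, so the rejected packets ("Invalid cookie") and the CFG timeout can be tied to specific ISAKMP SAs, and collects the ESP SPIs that were deleted. The event labels and function names are this example's own; the sample lines are copied from the log above.

```python
import re
from collections import Counter, defaultdict

# Lines copied from the iked trace in the message above (not constructed).
SAMPLE_LOG = """\
Feb  1 15:29:53 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 5f0f7631, remote = 1.1.1.1:2726
Feb  1 15:29:56 2.2.2.2:0 (Initiator) <-> 1.1.1.1:2726 { e745b337 b7895475 - 8ede6b29 1a2b4c81 [2] / 0x3b22e311 } CFG; Error = Timeout (8197)
Feb  1 15:30:04 ike_send_notify: Connected, SA = { 1b1eb4a5 3c38975e - cff216d1 79bfcefb}, nego = 1
Feb  1 15:30:08 ike_sa_find_half: Not found half SA = { 3f42e50f 80cd21b2 - 00000000 00000000 }
Feb  1 15:30:08 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 5f30985a, remote = 1.1.1.1:2726
Feb  1 15:30:16 ike_send_notify: Connected, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152}, nego = 0
Feb  1 15:30:17 Deleted (spi=894670796, protocol=ESP dst=2.2.2.2) entry from the peer hash table
Feb  1 15:30:17 Deleted (spi=894670796, protocol=ESP dst=2.2.2.2) entry from the dynamic sa spi hash table
"""

COOKIES = re.compile(r"\{\s*([0-9a-f]{8}) ([0-9a-f]{8}) - ([0-9a-f]{8}) ([0-9a-f]{8})")
ESP_DEL = re.compile(r"Deleted \(spi=(\d+), protocol=ESP")
# Log substring -> event label (the labels are this example's own names).
EVENTS = {"Invalid cookie": "invalid_cookie", "Not found half SA": "half_sa_miss",
          "Error = Timeout": "timeout", "Connected": "connected"}

def summarize(log_text):
    """Count events per IKE initiator cookie and collect deleted ESP SPIs."""
    per_sa, deleted_spis = defaultdict(Counter), set()
    for line in log_text.splitlines():
        spi = ESP_DEL.search(line)
        if spi:
            deleted_spis.add(int(spi.group(1)))
            continue
        m = COOKIES.search(line)
        if m:
            initiator = m.group(1) + m.group(2)  # responder half may be all zeros
            for needle, label in EVENTS.items():
                if needle in line:
                    per_sa[initiator][label] += 1
    return per_sa, deleted_spis

def suspicious(per_sa):
    """Initiator cookies with rejected packets or a timed-out exchange."""
    return sorted(c for c, ev in per_sa.items()
                  if ev["invalid_cookie"] or ev["timeout"])

if __name__ == "__main__":
    sas, spis = summarize(SAMPLE_LOG)
    for cookie in suspicious(sas):
        print(cookie, dict(sas[cookie]))
    print("ESP SPIs deleted:", sorted(spis))
```

Keying on the initiator cookie alone lets the "half SA" lookups, which carry an all-zero responder cookie, land in the same bucket as the full cookie pair they belong to.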

