 From:  "Todd D. Volz" <todd at stir dot org>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPsec VPN to Cisco ASA
 Date:  Tue, 22 Apr 2008 15:09:52 -0500 (CDT)
----- "Dave Lee" wrote: 
> Hi Everybody, 
> I have version 1.231 running on a 600MHz PC with 
> 4 IPsec tunnels: two to other m0n0walls and one to 
> a Cisco 3030 and one to a Cisco ASA. The first three 
> tunnels have been working perfectly for about a year. 
> The tunnel to the Cisco ASA however is new and is 
> giving me the following problem: 
> Racoon establishes the SA and opens the tunnel to 
> the Cisco ASA without any problems. The tunnel 
> will remain operable, timing out and establishing 
> new SAs without trouble. But if heavy traffic 
> is pushed through it, after about 50 to 200 MB, the 
> tunnel eventually closes up. 
> Once the tunnel closes I can't get it to reopen. 
> Attempts to ping through the tunnel are recorded on 
> the firewall logs but there is no response from racoon. 
> If I delete the SA for the tunnel and then ping through 
> it racoon responds with: 
> racoon: INFO: initiate new phase 2 negotiation:[0]<=>[0] 
> racoon: ERROR: give up to get IPsec-SA due to time up to wait. 
> The only way to get the tunnel working again is to disable and enable IPsec 
> or just reboot m0n0Wall entirely. 
> Has anybody experienced a problem like this? Is there a 
> system dump command that I should use to glean more detailed 
> information when the tunnel has closed up? 
> I have plenty of log information if anybody is interested. 
> Thanks for looking at this posting, 
> -Dave 

Try the latest version, 1.3b11, and see if that fixes the problem. There was an update in this last
beta release that now prefers newer rather than older SAs. Save your existing configuration, and then
upgrade so you can back out if you have other problems. 

(Check the release notes for 1.3b11 for the details.)