IPSEC to cisco 2851 dropping

aislecom · March 20, 2013, 12:59am

I have an IPSEC connection to a cisco 2851 box. I am using RB1100AH. I have two servers on my side that talk to one sever on the cisco side.
The connection from the servers stay up for a short while and then it switches to only one. I have to reset the connection each time for both IPs to be able to reach the other side.

Cisco Settings:

Phase 1
Authentication Method
Encryption Scheme IKE
Diffie-Hellman Group Group 2
Encryption Algorithm DES
Hashing Algorithm MD5
Main or Aggressive Mode Main mode
Lifetime (for renegotiation) 86400s
Phase 2
Encapsulation (ESP or AH) ESP
Encryption Algorithm DES
Authentication Algorithm MD5
Perfect Forward Secrecy NO PFS
Lifetime (for renegotiation) 3600s
Lifesize in KB (for renegotiation) 4608000

See the logs below. My IP is represented as 1.1.1.1 and the cisco ip is represented by 3.3.3.3 below:

echo: ipsec,debug,packet sockname 1.1.1.1[500]
echo: ipsec,debug,packet send packet from 1.1.1.1[500]
echo: ipsec,debug,packet send packet to 2.2.2.2[500]
echo: ipsec,debug,packet src4 1.1.1.1[500]
echo: ipsec,debug,packet dst4 2.2.2.2[500]
echo: ipsec,debug,packet 1 times of 92 bytes message will be sent to 2.2.2.2[500]
echo: ipsec,debug,packet 1d4ca4ad 56e70262 69edb3f8 1a703cec 08100501 a422b30e 0000005c a0e47f37
echo: ipsec,debug,packet e32b3e5e 220cd99f 50d24270 29dda8c7 f529932e 8951ef37 909f18a9 212a3fc5
echo: ipsec,debug,packet e2508fc6 8f6b361e 1b846bc5 85977a9e 830d2732 21dc38fc a422b62f
echo: ipsec,debug,packet sendto Information notify.
echo: ipsec,debug,packet DPD R-U-There sent (0)
echo: ipsec,debug,packet rescheduling send_r_u (3).
[admin@MikroTik] >
(31 messages discarded)
echo: ipsec,debug,packet 25365e3a 00000020 00000001 01108d29 1d4ca4ad 56e70262 69edb3f8 1a703cec
echo: ipsec,debug,packet 0000098f
echo: ipsec,debug,packet hmac(hmac_sha1)
echo: ipsec,debug,packet HASH computed:
echo: ipsec,debug,packet 312f2609 a0d89d8a ecb5629a 715bd0e4 92f77eb2
echo: ipsec,debug,packet hash validated.
echo: ipsec,debug,packet begin.
echo: ipsec,debug,packet seen nptype=8(hash)
echo: ipsec,debug,packet seen nptype=11(notify)
echo: ipsec,debug,packet succeed.
echo: ipsec,debug,packet DPD R-U-There-Ack received
echo: ipsec,debug,packet received an R-U-THERE-ACK
[admin@MikroTik] >
(68 messages discarded)
echo: ipsec,debug,packet 84 bytes from 1.1.1.1[500] to 3.3.3.3[500]
echo: ipsec,debug,packet sockname 1.1.1.1[500]
echo: ipsec,debug,packet send packet from 1.1.1.1[500]
echo: ipsec,debug,packet send packet to 3.3.3.3[500]
echo: ipsec,debug,packet src4 1.1.1.1[500]
echo: ipsec,debug,packet dst4 3.3.3.3[500]
echo: ipsec,debug,packet 1 times of 84 bytes message will be sent to 3.3.3.3[500]
echo: ipsec,debug,packet 9abb5e46 474f3ad5 30b3660a 31873b17 08100501 d53ad213 00000054 b9411e65
echo: ipsec,debug,packet 8d71c544 1b7b1c1d 2e9ed61a 5a5925bc deeed88e 1ae7ba2f 7cd36c81 5d19cf18
echo: ipsec,debug,packet 12e80522 c7baca4d 48b654f5 888fbd5f a9dbaabd
echo: ipsec,debug,packet sendto Information notify.
echo: ipsec,debug,packet received a valid R-U-THERE, ACK sent
[admin@MikroTik] >
(28 messages discarded)
echo: ipsec,debug,packet sockname 1.1.1.1[500]
echo: ipsec,debug,packet send packet from 1.1.1.1[500]
echo: ipsec,debug,packet send packet to 2.2.2.2[500]
echo: ipsec,debug,packet src4 1.1.1.1[500]
echo: ipsec,debug,packet dst4 2.2.2.2[500]
echo: ipsec,debug,packet 1 times of 92 bytes message will be sent to 2.2.2.2[500]
echo: ipsec,debug,packet 1d4ca4ad 56e70262 69edb3f8 1a703cec 08100501 8802d9a3 0000005c c41cff1e
echo: ipsec,debug,packet 5afde921 a8a3b865 a5a3226d 27bb62f2 9353c618 0a6d91a4 f8a2e778 bc649324
echo: ipsec,debug,packet 9d154b3b 062d68cd 0d8fbbf5 ff70ca97 63298c95 0be692b8 7101139a
echo: ipsec,debug,packet sendto Information notify.
echo: ipsec,debug,packet DPD R-U-There sent (0)
echo: ipsec,debug,packet rescheduling send_r_u (3).
[admin@MikroTik] >
(31 messages discarded)
echo: ipsec,debug,packet 09217575 00000020 00000001 01108d29 1d4ca4ad 56e70262 69edb3f8 1a703cec
echo: ipsec,debug,packet 00000990
echo: ipsec,debug,packet hmac(hmac_sha1)
echo: ipsec,debug,packet HASH computed:
echo: ipsec,debug,packet bfe3d20e e2630db7 23249ad2 fa581a97 d17fee20
echo: ipsec,debug,packet hash validated.
echo: ipsec,debug,packet begin.
echo: ipsec,debug,packet seen nptype=8(hash)
echo: ipsec,debug,packet seen nptype=11(notify)
echo: ipsec,debug,packet succeed.
echo: ipsec,debug,packet DPD R-U-There-Ack received
echo: ipsec,debug,packet received an R-U-THERE-ACK
[admin@MikroTik] >
(68 messages discarded)
echo: ipsec,debug,packet 84 bytes from 1.1.1.1[500] to 3.3.3.3[500]
echo: ipsec,debug,packet sockname 1.1.1.1[500]
echo: ipsec,debug,packet send packet from 1.1.1.1[500]
echo: ipsec,debug,packet send packet to 3.3.3.3[500]
echo: ipsec,debug,packet src4 1.1.1.1[500]
echo: ipsec,debug,packet dst4 3.3.3.3[500]
echo: ipsec,debug,packet 1 times of 84 bytes message will be sent to 3.3.3.3[500]
echo: ipsec,debug,packet 9abb5e46 474f3ad5 30b3660a 31873b17 08100501 88a04b10 00000054 b26bf0d9
echo: ipsec,debug,packet 2442de0d 4c8f24fd 2f6e7c21 16894318 618ea5b6 6c3068fb 0b393b90 713e7c32
echo: ipsec,debug,packet 2cb5eda2 18061202 a5f3b696 be75ff49 bd106169
echo: ipsec,debug,packet sendto Information notify.
echo: ipsec,debug,packet received a valid R-U-THERE, ACK sent
[admin@MikroTik] >
(68 messages discarded)
echo: ipsec,debug,packet 84 bytes from 1.1.1.1[500] to 3.3.3.3[500]
echo: ipsec,debug,packet sockname 1.1.1.1[500]
echo: ipsec,debug,packet send packet from 1.1.1.1[500]
echo: ipsec,debug,packet send packet to 3.3.3.3[500]
echo: ipsec,debug,packet src4 1.1.1.1[500]
echo: ipsec,debug,packet dst4 3.3.3.3[500]
echo: ipsec,debug,packet 1 times of 84 bytes message will be sent to 3.3.3.3[500]
echo: ipsec,debug,packet 9abb5e46 474f3ad5 30b3660a 31873b17 08100501 f3a69f5d 00000054 3f1e7e34
echo: ipsec,debug,packet 9724a60a 4ab9a2ff 80fd145b bc6cfd6a 3750a563 3e1e3ebd 227a7518 ac837d37
echo: ipsec,debug,packet 0d16aad1 1aab994e da599fed 561d5d4c 8135bc6b
echo: ipsec,debug,packet sendto Information notify.
echo: ipsec,debug,packet received a valid R-U-THERE, ACK sent
[admin@MikroTik] >
(68 messages discarded)
echo: ipsec,debug,packet 84 bytes from 1.1.1.1[500] to 3.3.3.3[500]
echo: ipsec,debug,packet sockname 1.1.1.1[500]
echo: ipsec,debug,packet send packet from 1.1.1.1[500]
echo: ipsec,debug,packet send packet to 3.3.3.3[500]
echo: ipsec,debug,packet src4 1.1.1.1[500]
echo: ipsec,debug,packet dst4 3.3.3.3[500]
echo: ipsec,debug,packet 1 times of 84 bytes message will be sent to 3.3.3.3[500]
echo: ipsec,debug,packet 9abb5e46 474f3ad5 30b3660a 31873b17 08100501 bf69d8ba 00000054 2654d31d
echo: ipsec,debug,packet 19a444e7 2553d22a 5e6bb2e4 3fb0d207 7a8ecee5 de1a47b7 7b3b4a4e 6e1a3895
echo: ipsec,debug,packet 235a5e20 efa379f7 38906825 92e12071 6988575d
echo: ipsec,debug,packet sendto Information notify.
echo: ipsec,debug,packet received a valid R-U-THERE, ACK sent
[admin@MikroTik] >
(68 messages discarded)
echo: ipsec,debug,packet 84 bytes from 1.1.1.1[500] to 3.3.3.3[500]
echo: ipsec,debug,packet sockname 1.1.1.1[500]
echo: ipsec,debug,packet send packet from 1.1.1.1[500]
echo: ipsec,debug,packet send packet to 3.3.3.3[500]
echo: ipsec,debug,packet src4 1.1.1.1[500]
echo: ipsec,debug,packet dst4 3.3.3.3[500]
echo: ipsec,debug,packet 1 times of 84 bytes message will be sent to 3.3.3.3[500]
echo: ipsec,debug,packet 9abb5e46 474f3ad5 30b3660a 31873b17 08100501 dc7a6632 00000054 7348d23d
echo: ipsec,debug,packet f424fba5 05b13049 fa29f850 ead6590c 84bebe49 e8045f4d 3b572ca9 a40505f4
echo: ipsec,debug,packet d0db3612 c4348362 2df14399 7d791366 0ffc01e7
echo: ipsec,debug,packet sendto Information notify.
echo: ipsec,debug,packet received a valid R-U-THERE, ACK sent
[admin@MikroTik] >
(9 messages discarded)
echo: ntp,debug,packet Stratum=1 (Primary Reference)
echo: ntp,debug,packet Poll=0
echo: ntp,debug,packet Precision=-29
echo: ntp,debug,packet RootDelay=0
echo: ntp,debug,packet RootDispersion=0
echo: ntp,debug,packet ReferenceID=ACTS
echo: ntp,debug,packet ReferenceTimestamp=d4f384f57224c933
echo: ntp,debug,packet OriginateTimestamp=d4f
echo: ntp,debug,packet 384f646a619da
echo: ntp,debug,packet ReceiveTimestamp=d4f384f652686e13
echo: ntp,debug,packet TransmitTimestamp=d4f384f652692e3d
echo: ntp,debug gradually adjust by a89ac8
[admin@MikroTik] >
(71 messages discarded)
echo: ipsec,debug,packet ed7cdc4d 00000020 00000001 01108d29 1d4ca4ad 56e70262 69edb3f8 1a703cec
echo: ipsec,debug,packet 00000991
echo: ipsec,debug,packet hmac(hmac_sha1)
echo: ipsec,debug,packet HASH computed:
echo: ipsec,debug,packet aa8b19a5 8b1ae632 76936e0a a2e32144 48421494
echo: ipsec,debug,packet hash validated.
echo: ipsec,debug,packet begin.
echo: ipsec,debug,packet seen nptype=8(hash)
echo: ipsec,debug,packet seen nptype=11(notify)
echo: ipsec,debug,packet succeed.
echo: ipsec,debug,packet DPD R-U-There-Ack received
echo: ipsec,debug,packet received an R-U-THERE-ACK
[admin@MikroTik] >
(68 messages discarded)
echo: ipsec,debug,packet 84 bytes from 1.1.1.1[500] to 3.3.3.3[500]
echo: ipsec,debug,packet sockname 1.1.1.1[500]
echo: ipsec,debug,packet send packet from 1.1.1.1[500]
echo: ipsec,debug,packet send packet to 3.3.3.3[500]
echo: ipsec,debug,packet src4 1.1.1.1[500]
echo: ipsec,debug,packet dst4 3.3.3.3[500]
echo: ipsec,debug,packet 1 times of 84 bytes message will be sent to 3.3.3.3[500]
echo: ipsec,debug,packet 9abb5e46 474f3ad5 30b3660a 31873b17 08100501 e5407c0f 00000054 c68dbe98
echo: ipsec,debug,packet a76dd662 7211bf92 bcd92677 a5513d67 f96ccf5d 3f68df50 15f414fa a88ba41c
echo: ipsec,debug,packet 34ba8350 71a45adc fbccf6c2 188202f2 5c22ee91
echo: ipsec,debug,packet sendto Information notify.
echo: ipsec,debug,packet received a valid R-U-THERE, ACK sent
[admin@MikroTik] >
(68 messages discarded)
echo: ipsec,debug,packet 84 bytes from 1.1.1.1[500] to 3.3.3.3[500]
echo: ipsec,debug,packet sockname 1.1.1.1[500]
echo: ipsec,debug,packet send packet from 1.1.1.1[500]
echo: ipsec,debug,packet send packet to 3.3.3.3[500]
echo: ipsec,debug,packet src4 1.1.1.1[500]
echo: ipsec,debug,packet dst4 3.3.3.3[500]
echo: ipsec,debug,packet 1 times of 84 bytes message will be sent to 3.3.3.3[500]
echo: ipsec,debug,packet 9abb5e46 474f3ad5 30b3660a 31873b17 08100501 dd4396a0 00000054 feca3081
echo: ipsec,debug,packet 29b85443 edac026f 4e75048c e452eabb 91cbbcb6 c654376d 39ec467d 8eefe46e
echo: ipsec,debug,packet 28bf4388 20b94783 6c2feaf7 7ed8badd 24232722
echo: ipsec,debug,packet sendto Information notify.
echo: ipsec,debug,packet received a valid R-U-THERE, ACK sent
[admin@MikroTik] >
(68 messages discarded)
echo: ipsec,debug,packet 84 bytes from 1.1.1.1[500] to 3.3.3.3[500]
echo: ipsec,debug,packet sockname 1.1.1.1[500]
echo: ipsec,debug,packet send packet from 1.1.1.1[500]
echo: ipsec,debug,packet send packet to 3.3.3.3[500]
echo: ipsec,debug,packet src4 1.1.1.1[500]
echo: ipsec,debug,packet dst4 3.3.3.3[500]
echo: ipsec,debug,packet 1 times of 84 bytes message will be sent to 3.3.3.3[500]
echo: ipsec,debug,packet 9abb5e46 474f3ad5 30b3660a 31873b17 08100501 e48863e4 00000054 cb813715
echo: ipsec,debug,packet 2e6de34a a0d88359 15c55e99 f1ae60d6 26ca13da 2258c45a 89c0a418 42e86579
echo: ipsec,debug,packet 797a1170 50e79ca8 d2dcb8b6 3a9d4671 38347baa
echo: ipsec,debug,packet sendto Information notify.
echo: ipsec,debug,packet received a valid R-U-THERE, ACK sent
[admin@MikroTik] >
(71 messages discarded)
echo: ipsec,debug,packet 1b9290fd 00000020 00000001 01108d29 1d4ca4ad 56e70262 69edb3f8 1a703cec
echo: ipsec,debug,packet 00000992
echo: ipsec,debug,packet hmac(hmac_sha1)
echo: ipsec,debug,packet HASH computed:
echo: ipsec,debug,packet f850447b c49b6814 be961c48 8a68d2d7 c4ee7bf1
echo: ipsec,debug,packet hash validated.
echo: ipsec,debug,packet begin.
echo: ipsec,debug,packet seen nptype=8(hash)
echo: ipsec,debug,packet seen nptype=11(notify)
echo: ipsec,debug,packet succeed.
echo: ipsec,debug,packet DPD R-U-There-Ack received
echo: ipsec,debug,packet received an R-U-THERE-ACK
[admin@MikroTik] >
(68 messages discarded)
echo: ipsec,debug,packet 84 bytes from 1.1.1.1[500] to 3.3.3.3[500]
echo: ipsec,debug,packet sockname 1.1.1.1[500]
echo: ipsec,debug,packet send packet from 1.1.1.1[500]
echo: ipsec,debug,packet send packet to 3.3.3.3[500]
echo: ipsec,debug,packet src4 1.1.1.1[500]
echo: ipsec,debug,packet dst4 3.3.3.3[500]
echo: ipsec,debug,packet 1 times of 84 bytes message will be sent to 3.3.3.3[500]
echo: ipsec,debug,packet 9abb5e46 474f3ad5 30b3660a 31873b17 08100501 a9ebfbc4 00000054 87d91e8c
echo: ipsec,debug,packet 252cb940 dd93ab65 8d25831e 8ac49a40 4b0c2485 f1f82216 d1133e0d 1e32f638
echo: ipsec,debug,packet b7a6b6cc 68f0c98f dd08d8e3 fb44a930 ec69cc4f
echo: ipsec,debug,packet sendto Information notify.
echo: ipsec,debug,packet received a valid R-U-THERE, ACK sent
[admin@MikroTik] >
(68 messages discarded)
echo: ipsec,debug,packet 84 bytes from 1.1.1.1[500] to 3.3.3.3[500]
echo: ipsec,debug,packet sockname 1.1.1.1[500]
echo: ipsec,debug,packet send packet from 1.1.1.1[500]
echo: ipsec,debug,packet send packet to 3.3.3.3[500]
echo: ipsec,debug,packet src4 1.1.1.1[500]
echo: ipsec,debug,packet dst4 3.3.3.3[500]
echo: ipsec,debug,packet 1 times of 84 bytes message will be sent to 3.3.3.3[500]
echo: ipsec,debug,packet 9abb5e46 474f3ad5 30b3660a 31873b17 08100501 82ab380c 00000054 2d43f5e3
echo: ipsec,debug,packet 5649a362 f3d91298 43be96f4 7e3f0c4b bab55183 4ffdf42d 1813062f 260a7822
echo: ipsec,debug,packet 67f3177c 9f26822f fda7cd45 c29ec816 38dbfefa
echo: ipsec,debug,packet sendto Information notify.
echo: ipsec,debug,packet received a valid R-U-THERE, ACK sent
[admin@MikroTik] >
(68 messages discarded)
echo: ipsec,debug,packet 84 bytes from 1.1.1.1[500] to 3.3.3.3[500]
echo: ipsec,debug,packet sockname 1.1.1.1[500]
echo: ipsec,debug,packet send packet from 1.1.1.1[500]
echo: ipsec,debug,packet send packet to 3.3.3.3[500]
echo: ipsec,debug,packet src4 1.1.1.1[500]
echo: ipsec,debug,packet dst4 3.3.3.3[500]
echo: ipsec,debug,packet 1 times of 84 bytes message will be sent to 3.3.3.3[500]
echo: ipsec,debug,packet 9abb5e46 474f3ad5 30b3660a 31873b17 08100501 f047d5dc 00000054 091d3a2d
echo: ipsec,debug,packet 22b35969 b5d78a66 06a34d03 390bb5fb 00c1493c a7264623 7a78a003 1f10911d
echo: ipsec,debug,packet 4a8a15e1 f08989f5 2242f060 5425d0dd 13b91403
echo: ipsec,debug,packet sendto Information notify.
echo: ipsec,debug,packet received a valid R-U-THERE, ACK sent
[admin@MikroTik] >
(71 messages discarded)
echo: ipsec,debug,packet 38e86a40 00000020 00000001 01108d29 1d4ca4ad 56e70262 69edb3f8 1a703cec
echo: ipsec,debug,packet 00000993
echo: ipsec,debug,packet hmac(hmac_sha1)
echo: ipsec,debug,packet HASH computed:
echo: ipsec,debug,packet 3311f0fe 29323d16 330db68d 7d93d046 1dd0d7bd
echo: ipsec,debug,packet hash validated.
echo: ipsec,debug,packet begin.
echo: ipsec,debug,packet seen nptype=8(hash)
echo: ipsec,debug,packet seen nptype=11(notify)
echo: ipsec,debug,packet succeed.
echo: ipsec,debug,packet DPD R-U-There-Ack received
echo: ipsec,debug,packet received an R-U-THERE-ACK
[admin@MikroTik] >
(68 messages discarded)
echo: ipsec,debug,packet 84 bytes from 1.1.1.1[500] to 3.3.3.3[500]
echo: ipsec,debug,packet sockname 1.1.1.1[500]
echo: ipsec,debug,packet send packet from 1.1.1.1[500]
echo: ipsec,debug,packet send packet to 3.3.3.3[500]
echo: ipsec,debug,packet src4 1.1.1.1[500]
echo: ipsec,debug,packet dst4 3.3.3.3[500]
echo: ipsec,debug,packet 1 times of 84 bytes message will be sent to 3.3.3.3[500]
echo: ipsec,debug,packet 9abb5e46 474f3ad5 30b3660a 31873b17 08100501 9aa34fed 00000054 827d3398
echo: ipsec,debug,packet 0ac73d3d e0f6653d 3fae1bd4 0cc2cf0d c1169823 bae04065 9a90b832 6b29d5e0
echo: ipsec,debug,packet d04c48b2 bc63882c aa5ca236 4e8a9712 412f4b94
echo: ipsec,debug,packet sendto Information notify.
echo: ipsec,debug,packet received a valid R-U-THERE, ACK sent
[admin@MikroTik] >

Dave

aislecom · March 26, 2013, 3:15pm

Solve thanks to Maris

When connecting to cisco router, policies should be set to level=unique

Dave