WisperISP
just joined
Topic Author
Posts: 20
Joined: Wed Jun 02, 2004 8:05 pm
Location: St Louis
Contact:

IPSec Tunnel Dropping Connection

Fri Aug 13, 2004 1:34 pm

I have a client with an IPSec tunnel that keeps losing the tunnel when it tries to re-key the security association. Every time without fail it loses the connection and then it comes back up a few minutes later. We know it is a setup in the MT because the problem goes away if we connect directly to our provider’s router. We also know it has worked, because they were able to stay up for over 6 days with a rekeying happening every hour.

We have been working on this problem for about a month now; any help would be great.

Thanks!!

Setup:
Client Home Office: VPN concentrator is a Cisco VPN 3005 running software ver 4.0.4a.
On our network: VPN Client Cisco 831 running IOS 12.3(2)XC2

MT box running 2.8.12 with proxy-arp on backbone connection and a public subnet on another ethernet card in the router. There is no NATting or masquerading; all IP addresses are public.

Extra helpful info:
Here are the messages logged by the concentrator showing it trying to do a rekey followed by error messages followed by the concentrator disconnecting the session.
Aug 12 21:59:34 amtvvpn 42200 08/12/2004 21:59:38.470 SEV=4 IKE/41 RPT=1411 IKE Initiator: Rekeying Phase 2, Intf 2, IKE Peer 66.128.120.18 local Proxy Address 10.1.10.240, remote Proxy Address 10.4.255.2, SA (ESP-3DES-MD5)
Aug 12 21:59:42 amtvvpn 42206 08/12/2004 21:59:47.330 SEV=5 IKE/25 RPT=774 66.128.120.18 Group [VPNC_Base_Group] Received remote Proxy Host data in ID Payload: Address 10.4.255.2, Protocol 47, Port 0
Aug 12 21:59:42 amtvvpn 42209 08/12/2004 21:59:47.330 SEV=5 IKE/24 RPT=446 66.128.120.18 Group [VPNC_Base_Group] Received local Proxy Host data in ID Payload: Address 10.1.10.240, Protocol 47, Port 0
Aug 12 21:59:42 amtvvpn 42211 08/12/2004 21:59:47.330 SEV=5 IKE/66 RPT=774 66.128.120.18 Group [VPNC_Base_Group] IKE Remote Peer configured for SA: ESP-3DES-MD5
Aug 12 22:00:02 amtvvpn 42212 08/12/2004 22:00:07.320 SEV=4 IKEDBG/0 RPT=248 QM FSM error (P2 struct &0x1eb70c0, mess id 0xaabcfccf)!
Aug 12 22:00:06 amtvvpn 42213 08/12/2004 22:00:10.480 SEV=4 IKEDBG/0 RPT=249 QM FSM error (P2 struct &0x1e9b7c8, mess id 0xc3f1d136)!
Aug 12 22:00:06 amtvvpn 42214 08/12/2004 22:00:10.490 SEV=5 IKE/194 RPT=2842 66.128.120.18 Group [VPNC_Base_Group] Sending IKE Delete With Reason message: No Reason Provided.
Aug 12 22:00:06 amtvvpn 42216 08/12/2004 22:00:10.490 SEV=4 AUTH/23 RPT=310 66.128.120.18 User [Base Group] Group [] disconnected: duration: 0:04:47

Here are the messages logged by the concentrator during a successful rekey:
Aug 12 20:23:31 amtvvpn 41851 08/12/2004 20:23:34.770 SEV=4 IKE/41 RPT=1390 IKE Initiator: Rekeying Phase 2, Intf 2, IKE Peer 66.128.120.3 local Proxy Address 10.1.10.240, remote Proxy Address 10.4.255.2, SA (ESP-3DES-MD5)
Aug 12 20:23:31 amtvvpn 41853 08/12/2004 20:23:35.090 SEV=5 IKE/73 RPT=1125 66.128.120.3 Group [VPNC_Base_Group] Responder forcing change of IPSec rekeying duration from 28800 to 300 seconds
Aug 12 20:23:31 amtvvpn 41856 08/12/2004 20:23:35.090 SEV=4 IKE/49 RPT=1876 66.128.120.3 Group [VPNC_Base_Group] Security negotiation complete for User (VPNC_Base_Group) Responder, Inbound SPI = 0x35966a27, Outbound SPI = 0x29fcbf9b
Aug 12 20:23:31 amtvvpn 41858 08/12/2004 20:23:35.110 SEV=4 IKE/120 RPT=1878 66.128.120.3 Group [VPNC_Base_Group] PHASE 2 COMPLETED (msgid=9d4b86e9)
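
Added example, not part of the original post: a Python sketch that pairs each "Rekeying Phase 2" line in concentrator logs of the format quoted above with its outcome, so failed rekeys and the time to teardown stand out per peer. The function name and record fields are assumptions of this example, and it assumes only one rekey is in flight at a time.

```python
import re
from datetime import datetime

# Concentrator lines copied from the post, put in chronological order:
# the successful rekey (20:23) first, then the failed one (21:59-22:00).
LOG = """\
Aug 12 20:23:31 amtvvpn 41851 08/12/2004 20:23:34.770 SEV=4 IKE/41 RPT=1390 IKE Initiator: Rekeying Phase 2, Intf 2, IKE Peer 66.128.120.3 local Proxy Address 10.1.10.240, remote Proxy Address 10.4.255.2, SA (ESP-3DES-MD5)
Aug 12 20:23:31 amtvvpn 41858 08/12/2004 20:23:35.110 SEV=4 IKE/120 RPT=1878 66.128.120.3 Group [VPNC_Base_Group] PHASE 2 COMPLETED (msgid=9d4b86e9)
Aug 12 21:59:34 amtvvpn 42200 08/12/2004 21:59:38.470 SEV=4 IKE/41 RPT=1411 IKE Initiator: Rekeying Phase 2, Intf 2, IKE Peer 66.128.120.18 local Proxy Address 10.1.10.240, remote Proxy Address 10.4.255.2, SA (ESP-3DES-MD5)
Aug 12 22:00:02 amtvvpn 42212 08/12/2004 22:00:07.320 SEV=4 IKEDBG/0 RPT=248 QM FSM error (P2 struct &0x1eb70c0, mess id 0xaabcfccf)!
Aug 12 22:00:06 amtvvpn 42213 08/12/2004 22:00:10.480 SEV=4 IKEDBG/0 RPT=249 QM FSM error (P2 struct &0x1e9b7c8, mess id 0xc3f1d136)!
Aug 12 22:00:06 amtvvpn 42214 08/12/2004 22:00:10.490 SEV=5 IKE/194 RPT=2842 66.128.120.18 Group [VPNC_Base_Group] Sending IKE Delete With Reason message: No Reason Provided.
"""

# Concentrator timestamp, severity, event class/number, then the message text.
LINE = re.compile(r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+) SEV=\d (\w+/\d+) RPT=\d+ (.*)")
PEER = re.compile(r"IKE Peer (\d+(?:\.\d+){3})")

def rekey_outcomes(text):
    """Return one record per Phase 2 rekey: peer, outcome, QM errors, seconds."""
    records, cur = [], None
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S.%f")
        event, msg = m.group(2), m.group(3)
        if event == "IKE/41" and "Rekeying Phase 2" in msg:
            peer = PEER.search(msg)
            cur = {"peer": peer.group(1) if peer else None, "start": ts,
                   "outcome": "unresolved", "qm_errors": 0, "seconds": None}
            records.append(cur)
        elif cur is None or cur["outcome"] != "unresolved":
            continue  # no open rekey to attribute this line to
        elif "QM FSM error" in msg:
            cur["qm_errors"] += 1  # these lines carry no peer address
        elif "PHASE 2 COMPLETED" in msg or "Sending IKE Delete" in msg:
            cur["outcome"] = "completed" if "COMPLETED" in msg else "torn down"
            cur["seconds"] = round((ts - cur["start"]).total_seconds(), 2)
    return records

if __name__ == "__main__":
    for r in rekey_outcomes(LOG):
        print(r["peer"], r["outcome"], r["qm_errors"], r["seconds"])
```

On the quoted lines the successful rekey finishes in well under a second, while the failed one logs two QM FSM errors and is deleted about 32 seconds after it started.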
 
WisperISP

2.8.5 Upgrade to 2.8.12

Mon Aug 16, 2004 4:27 am

I was reviewing our network notes and when the client said they started having the problem. It looks like it was working great under 2.8.5 and then we upgraded our NOC to 2.8.12 and it started killing the connection.

Any ideas from the MT people?