[c-nsp] fun with VPN client - strange disconnects

Gert Doering gert at greenie.muc.de
Sat Feb 26 17:03:15 EST 2005


Hi,

a customer is having a really weird Cisco VPN Client disconnect issue.

Normally (that is "most of the time"), everything works as desired.

*Sometimes* (below 5% of all connections) the client connects, internal 
servers can be pinged just fine, and after roughly a minute, the client 
is disconnected, by an explicit (HASH,DEL) message from the server side.   
The probability for disconnection seems to be related to VPN RTT, that is, 
if the client is online by mobile phone / GPRS, it's much more likely than 
via a home DSL account.

It's not a timeout issue, or "GPRS network mangles packets" issue.  The 
client connects, exchanges messages, pings fine (!), then disconnects.  

The disconnect seems to be related to a specific message server->client,
which the client doesn't answer, and after 3 retransmits, the server sends
a disconnect.  This message is only seen in the VPN client log when the
"magic disconnect" occurs - but I can't find anything on CCO about it :(

The "interesting" part of the VPN client log is this:

670    15:09:25.650  11/03/04  Sev=Info/4	IPSEC/0x6370000F
Added key with SPI=0x119441ef into key list

671    15:09:25.650  11/03/04  Sev=Info/4	IPSEC/0x63700010
Created a new key structure

672    15:09:25.650  11/03/04  Sev=Info/4	IPSEC/0x6370000F
Added key with SPI=0xd2b30127 into key list

673    15:09:25.650  11/03/04  Sev=Info/4	IPSEC/0x6370002E
Assigned VA private interface addr 192.168.20.44

--> session is up, from here on, "internal" servers can be pinged.


674    15:09:26.041  11/03/04  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = 193.aa.bb.cc

675    15:09:26.041  11/03/04  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 193.aa.bb.cc

676    15:09:26.041  11/03/04  Sev=Warning/2	IKE/0xE3000099
Cannot accept a new Xauth message (NavigatorTM:318)

677    15:09:26.041  11/03/04  Sev=Warning/2	IKE/0xE3000099
Received unexpected TM message from peer (NavigatorTM:593)

--> what sort of packet is this??  Googling brought *no* result?!


678    15:09:27.994  11/03/04  Sev=Info/4	IPSEC/0x63700019
Activate outbound key with SPI=0x119441ef for inbound key with SPI=0xd2b30127

679    15:09:36.603  11/03/04  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = 193.aa.bb.cc

680    15:09:36.603  11/03/04  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 193.aa.bb.cc

681    15:09:36.603  11/03/04  Sev=Warning/2	IKE/0xE3000099
Cannot accept a new Xauth message (NavigatorTM:318)

682    15:09:36.603  11/03/04  Sev=Warning/2	IKE/0xE3000099
Received unexpected TM message from peer (NavigatorTM:593)

--> there it is again.


683    15:09:46.041  11/03/04  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = 193.aa.bb.cc

684    15:09:46.041  11/03/04  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 193.aa.bb.cc

685    15:09:46.041  11/03/04  Sev=Warning/2	IKE/0xE3000099
Cannot accept a new Xauth message (NavigatorTM:318)

686    15:09:46.041  11/03/04  Sev=Warning/2	IKE/0xE3000099
Received unexpected TM message from peer (NavigatorTM:593)

--> a 3rd time.


687    15:09:56.056  11/03/04  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = 193.aa.bb.cc

688    15:09:56.056  11/03/04  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from 193.aa.bb.cc

689    15:09:56.056  11/03/04  Sev=Info/5	IKE/0x6300003C
Received a DELETE payload for IKE SA with Cookies:  I_Cookie=CBC5585E1A0456FE R_Cookie=C4B77E84F0D590C9

--> and then the server kicks the user.

[..]
692    15:09:56.056  11/03/04  Sev=Info/4	IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=CBC5585E1A0456FE R_Cookie=C4B77E84F0D590C9) reason = PEER_DELETE-IKE_DELETE_UNSPECIFIED

--> with no reason given.

[..]
695    15:09:56.744  11/03/04  Sev=Info/4	IKE/0x63000001
IKE received signal to terminate VPN connection

704    15:09:58.119  11/03/04  Sev=Info/4	IPSEC/0x6370000A
IPSec driver successfully stopped


Details:  
 * client side is Cisco VPN Client on Windows, various 4.0.3/4.0.4/4.0.5
   versions (client version has no effect)

 * server side is a 1720 with 12.3(9) IP/IPSEC/PLUS/3DES
   (initially it was some 12.2T version, but server version has no effect
   either)

 * "from the book" dynamic client VPN setup, XAUTH group, user+password 
   stored on the 1720.

Lots of experimenting with different versions and turning on lots of
debugging didn't yield anything meaningful yet.

What I'm hoping from you guys is that someone has seen this message
"Cannot accept a new Xauth message (NavigatorTM:318)" before and can
tell me under which circumstances the packets in question are sent, and
how the 1720 can be told to stop it...

thanks!

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
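The disconnect sequence quoted in the log above, as an added example that is not part of the post: a small Python script that parses Cisco VPN Client 4.x log records and flags the pattern described (tunnel up, ISAKMP TRANS (HASH, ATTR) messages refused as "unexpected TM message", then a DELETE), reporting how many were refused, the spacing between them (the peer's retransmit timer) and the time from tunnel-up to the delete. The message codes are taken from the quoted lines; the regex for the record header layout is an assumption about the client's log format, and SAMPLE_LOG is constructed from the lines above, not a real capture.

```python
"""Flag the disconnect pattern from the post in a Cisco VPN Client 4.x log: tunnel up,
ISAKMP TRANS (HASH, ATTR) messages refused as "unexpected TM message", then (HASH, DEL).
Added example, not from the post; SAMPLE_LOG is constructed from the lines quoted above."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Message codes exactly as the client writes them (IKE/0x..., IPSEC/0x...).
CODE_VA_ADDR_ASSIGNED = 0x6370002E  # "Assigned VA private interface addr": tunnel usable
CODE_IKE_RECEIVING = 0x63000014     # "RECEIVING <<< ISAKMP OAK ..."
CODE_IKE_WARNING = 0xE3000099       # "Received unexpected TM message from peer"
CODE_IKE_DELETE = 0x6300003C        # "Received a DELETE payload for IKE SA"

# Header layout assumed from the quoted lines: seq, time, date, Sev=..., MODULE/0xCODE.
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d{3})\s+(?P<date>\d\d/\d\d/\d\d)"
    r"\s+Sev=\w+/\d\s+(?P<module>\w+)/0x(?P<code>[0-9A-Fa-f]{8})\s*$")

# Constructed sample (separator blank lines dropped; peer address left masked as in the post).
SAMPLE_LOG = """\
673    15:09:25.650  11/03/04  Sev=Info/4  IPSEC/0x6370002E
Assigned VA private interface addr 192.168.20.44
675    15:09:26.041  11/03/04  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 193.aa.bb.cc
677    15:09:26.041  11/03/04  Sev=Warning/2  IKE/0xE3000099
Received unexpected TM message from peer (NavigatorTM:593)
680    15:09:36.603  11/03/04  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 193.aa.bb.cc
682    15:09:36.603  11/03/04  Sev=Warning/2  IKE/0xE3000099
Received unexpected TM message from peer (NavigatorTM:593)
684    15:09:46.041  11/03/04  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 193.aa.bb.cc
686    15:09:46.041  11/03/04  Sev=Warning/2  IKE/0xE3000099
Received unexpected TM message from peer (NavigatorTM:593)
689    15:09:56.056  11/03/04  Sev=Info/5  IKE/0x6300003C
Received a DELETE payload for IKE SA with Cookies:  I_Cookie=CBC5585E1A0456FE R_Cookie=C4B77E84F0D590C9
"""

@dataclass
class Record:
    seq: int
    ts: datetime
    code: int
    text: str

def parse_log(log: str) -> List[Record]:
    """A record is a header line followed by its one-line message; anything else is skipped."""
    lines, out, i = log.splitlines(), [], 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1
            continue
        text = lines[i + 1].strip() if i + 1 < len(lines) else ""
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S.%f")
        out.append(Record(int(m["seq"]), ts, int(m["code"], 16), text))
        i += 2
    return out

@dataclass
class Finding:
    session_up: Optional[datetime] = None
    rejected: List[datetime] = field(default_factory=list)  # TRANS messages the client refused
    deleted_at: Optional[datetime] = None
    cookies: str = ""

    def retransmit_gaps(self) -> List[float]:
        """Seconds between successive refused TRANS messages: the peer's retransmit timer."""
        return [round((b - a).total_seconds(), 3) for a, b in zip(self.rejected, self.rejected[1:])]

    def seconds_to_delete(self) -> Optional[float]:
        if self.session_up is None or self.deleted_at is None:
            return None
        return round((self.deleted_at - self.session_up).total_seconds(), 3)

    def matches_pattern(self) -> bool:
        """Tunnel up, at least three refused TRANS messages after that, then the peer deleted the SA."""
        return (self.session_up is not None and self.deleted_at is not None
                and len(self.rejected) >= 3
                and self.session_up < self.rejected[0] < self.deleted_at)

def analyse(records: List[Record]) -> Finding:
    f, pending = Finding(), None
    for r in records:
        if r.code == CODE_VA_ADDR_ASSIGNED:
            f.session_up = r.ts
        elif r.code == CODE_IKE_RECEIVING and "OAK TRANS" in r.text:
            pending = r.ts  # the warning for this packet follows, with the same timestamp
        elif r.code == CODE_IKE_WARNING and r.text.startswith("Received unexpected TM message"):
            if pending is not None:
                f.rejected.append(pending)
                pending = None
        elif r.code == CODE_IKE_DELETE:
            f.deleted_at = r.ts
            m = re.search(r"I_Cookie=(\w+)\s+R_Cookie=(\w+)", r.text)
            f.cookies = f"{m[1]}/{m[2]}" if m else ""
    return f

if __name__ == "__main__":
    f = analyse(parse_log(SAMPLE_LOG))
    print(f"pattern={f.matches_pattern()} refused={len(f.rejected)} gaps={f.retransmit_gaps()}s "
          f"up_to_delete={f.seconds_to_delete()}s cookies={f.cookies}")
```

Run it against a full client log (instead of SAMPLE_LOG) to confirm whether every "magic disconnect" shows the same shape: the refused TRANS messages arriving roughly ten seconds apart, and the DELETE about ten seconds after the third one, is what distinguishes this from an idle timeout or a dropped-packet problem.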

