[c-nsp] PIX 515e - NetScreen 25 VPN : standby PIX crashing

Andy Ashley lists at nexus6.co.za
Wed Sep 19 12:56:07 EDT 2007


Hi All,

We have a pair of Cisco PIX 515e's configured in a HA setup with LAN 
based stateful failover.
A few weeks back we were asked to configure a site to site VPN for a 
client. The remote site is using a NetScreen 25.

Ever since configuring this VPN the standby PIX unit has been crashing 
at odd intervals.
Much Googling and searching of mailing lists has not turned up much 
besides a brief description of the error message.

From the logs:

Sep 19 15:17:32 FWL02b/FWL02b %PIX-6-602303: IPSEC: An inbound 
LAN-to-LAN SA (SPI= 0xC2D85BA3) between 81.19.x.x and 217.205.x.x (user= 
217.205.x.x) has been created.
Sep 19 15:17:32 FWL02b/FWL02b %PIX-7-715046: Group = 217.205.x.x, IP = 
217.205.x.x, constructing blank hash payload
Sep 19 15:17:32 FWL02b/FWL02b %PIX-7-715046: Group = 217.205.x.x, IP = 
217.205.x.x, constructing IPSec delete payload
Sep 19 15:17:32 FWL02b/FWL02b %PIX-7-715046: Group = 217.205.x.x, IP = 
217.205.x.x, constructing qm hash payload
Sep 19 15:17:32 FWL02b/FWL02b %PIX-3-713235: Group = 217.205.x.x, IP = 
217.205.x.x, Attempt to send an IKE packet from standby unit. Dropping 
the packet!
Sep 19 15:17:32 FWL02b/FWL02b %PIX-1-713900: IKEQM_P2Cleanup() Error - 
centry->refCnt less than 0 !
Sep 19 15:17:32 FWL02b/FWL02b %PIX-7-715007: Group = 217.205.x.x, IP = 
217.205.x.x, IKE got a KEY_ADD msg for SA: SPI = 0x0be58f8a
Sep 19 15:17:32 FWL02b/FWL02b %PIX-7-715077: Group = 217.205.x.x, IP = 
217.205.x.x, Pitcher: received KEY_UPDATE, spi 0xc2d85ba3

As I understand it, the standby unit should never form a security 
association, unless the primary dies and failover to the standby unit 
occurs.
I was wondering if anyone has experienced similar behaviour or has any 
theories about why this is occurring?

Any thoughts or comments would be much appreciated.

Thanks.

Regards,
Andy.
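
The correlation described in the post above (a standby unit logging an IKE send attempt, 713235, alongside the 713900 refCnt error) can be checked across a larger syslog archive with a short script. This is an added example, not part of the original post; the function names are hypothetical, and the sample input is constructed from the posted log lines with the mail line-wrapping undone.

```python
import re
from collections import defaultdict

# Constructed sample: four of the posted log lines, re-joined onto single lines.
SAMPLE = """\
Sep 19 15:17:32 FWL02b/FWL02b %PIX-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xC2D85BA3) between 81.19.x.x and 217.205.x.x (user= 217.205.x.x) has been created.
Sep 19 15:17:32 FWL02b/FWL02b %PIX-7-715046: Group = 217.205.x.x, IP = 217.205.x.x, constructing IPSec delete payload
Sep 19 15:17:32 FWL02b/FWL02b %PIX-3-713235: Group = 217.205.x.x, IP = 217.205.x.x, Attempt to send an IKE packet from standby unit. Dropping the packet!
Sep 19 15:17:32 FWL02b/FWL02b %PIX-1-713900: IKEQM_P2Cleanup() Error - centry->refCnt less than 0 !
"""

# <timestamp> <host> %PIX-<severity>-<message id>: <text>
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
PEER = re.compile(r"IP = (?P<peer>\S+?),")

def parse(log):
    """Yield one dict per PIX syslog line; lines that do not match are skipped."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sev"] = int(rec["sev"])
        p = PEER.search(rec["text"])
        rec["peer"] = p.group("peer") if p else None
        yield rec

def standby_ike_events(log):
    """Report each (host, second) where 713235 was logged, and what accompanied it."""
    buckets = defaultdict(list)
    for rec in parse(log):
        buckets[(rec["host"], rec["ts"])].append(rec)
    findings = []
    for (host, ts), recs in buckets.items():
        ids = {r["msgid"] for r in recs}
        if "713235" not in ids:
            continue
        peers = sorted({r["peer"] for r in recs
                        if r["msgid"] == "713235" and r["peer"]})
        findings.append({"host": host, "ts": ts, "peers": peers,
                         "refcnt_error": "713900" in ids,  # IKEQM_P2Cleanup() error
                         "sa_created": "602303" in ids})   # inbound SA on this unit
    return findings

if __name__ == "__main__":
    for f in standby_ike_events(SAMPLE):
        print(f)
```

Feeding it the full syslog from both units shows how often the standby logs SA creation and whether every 713900 error coincides with a dropped IKE send.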

