IPSec tunnels dropping between ASA and SonicWall
I have a Cisco ASA 5520 in a main site with IPSec tunnels to 3 remote sites. The 3 remote sites have SonicWalls.
I've been having an issue where the tunnel will drop between our main site and any remote site at random. However, not all traffic will drop within the tunnel. For example, I can still RDP and ping a file server at a remote site while the remote site can no longer ping or access the DNS servers at my main site. To resolve the issue, I simply retype the pre-shared key into the SonicWall VPN settings and traffic begins to flow normally again...for a week. Then the issue occurs again.
When the issue is occurring, the Cisco ASA logs show the following entries:
IP = X.X.X.X, Error: Unable to remove PeerTblEntry
IP = X.X.X.X, Removing peer from peer table failed, no match!
IP = X.X.X.X, Error processing payload: Payload ID: 1
IP = X.X.X.X, Information Exchange processing failed
IP = X.X.X.X, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
The SonicWall shows the following entries when this is occurring:
VPN Warning Received notify: PAYLOAD_MALFORMED X.X.X.X, 500 X.X.X.X, 500
VPN Warning Received unencrypted packet in crypto active state X.X.X.X, 500 X.X.X.X, 500 udp
VPN Warning Failed payload verification after decryption; possible preshared key mismatch
VPN Warning Received unencrypted packet in crypto active state X.X.X.X, 500 X.X.X.X, 500 udp
VPN Warning Failed payload verification after decryption; possible preshared key mismatch
Upon research, the issue should be mismatched ISAKMP policies. However, these tunnels have been up with no issues for YEARS and no changes have been made.
The only thing I found odd was the ASA's VPN group policy was set to 30 minute timeout. So I changed that to unlimited. I doubt that is any sort of issue though.
Just throwing it out there to see if anyone had any ideas of what I could check into.
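The two sets of log messages above are each one half of the same event: the ASA is dropping an unencrypted NO_PROPOSAL_CHOSEN notify while the SonicWall is rejecting packets it cannot verify after decryption. Catching that pairing the moment it happens, rather than a week later when someone notices DNS has stopped, is the useful detection here. The script below is an added example and is not part of the original post, nor Cisco or SonicWall tooling: it tags each line from either device with the IKE condition it indicates, maps the addresses to a tunnel, and flags a tunnel where both devices log indicators within a few minutes of each other. The line prefix format (`<ISO timestamp> <asa|sonicwall> <message>`), the tunnel table, the assumption that SonicWall prints source before destination, and all addresses and timestamps in the sample log are constructed for the example.

```python
"""Correlate ASA and SonicWall IKE log lines to flag a tunnel whose IKE SAs
have fallen out of sync. Added example with constructed sample data."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Message fragments quoted in the post, tagged with the IKE condition they indicate.
ASA_PATTERNS = {
    "unencrypted_notify": re.compile(r"Received an un-encrypted (\w+) notify message"),
    "peer_table_error": re.compile(r"Unable to remove PeerTblEntry|Removing peer from peer table failed"),
    "payload_error": re.compile(r"Error processing payload: Payload ID: (\d+)"),
    "info_exchange_failed": re.compile(r"Information Exchange processing failed"),
}
SONICWALL_PATTERNS = {
    "payload_malformed": re.compile(r"Received notify: PAYLOAD_MALFORMED"),
    "unencrypted_in_active": re.compile(r"Received unencrypted packet in crypto active state"),
    "psk_mismatch_suspected": re.compile(r"Failed payload verification after decryption"),
}

# Assumed tunnel table: name -> (ASA public address, SonicWall public address).
# Addresses are documentation ranges, constructed for this example.
TUNNELS = {
    "remote-a": ("198.51.100.10", "203.0.113.65"),
    "remote-b": ("198.51.100.10", "203.0.113.66"),
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<device>asa|sonicwall) (?P<msg>.*)$")
ASA_PEER_RE = re.compile(r"IP = (?P<peer>[0-9.]+)")
# Assumption: SonicWall prints "<src>, 500 <dst>, 500" (source first).
SW_ADDR_RE = re.compile(r"(?P<src>[0-9.]+), 500 (?P<dst>[0-9.]+), 500")


@dataclass
class IkeEvent:
    ts: datetime
    device: str   # "asa" or "sonicwall"
    tunnel: str   # key into TUNNELS
    kind: str     # indicator category from the pattern tables


def tunnel_for(device, addrs):
    """Resolve the tunnel a log line belongs to, from whichever addresses that device prints."""
    for name, (asa_ip, sw_ip) in TUNNELS.items():
        if device == "asa" and addrs == {sw_ip}:
            return name
        if device == "sonicwall" and addrs == {asa_ip, sw_ip}:
            return name
    return None


def parse_line(line):
    """Return an IkeEvent for a line that carries a known indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    device, msg = m.group("device"), m.group("msg")
    if device == "asa":
        addr_m = ASA_PEER_RE.search(msg)
        addrs = {addr_m.group("peer")} if addr_m else set()
    else:
        addr_m = SW_ADDR_RE.search(msg)
        addrs = {addr_m.group("src"), addr_m.group("dst")} if addr_m else set()
    tunnel = tunnel_for(device, addrs)
    if tunnel is None:
        return None
    patterns = ASA_PATTERNS if device == "asa" else SONICWALL_PATTERNS
    for kind, pat in patterns.items():
        if pat.search(msg):
            return IkeEvent(datetime.fromisoformat(m.group("ts")), device, tunnel, kind)
    return None


def correlate(events, window=timedelta(minutes=5)):
    """Group indicators per tunnel. A tunnel where the ASA and the SonicWall both log
    indicators within `window` of each other is flagged as an IKE SA desync."""
    report = {}
    for ev in events:
        entry = report.setdefault(ev.tunnel, {"asa": set(), "sonicwall": set(),
                                              "_ts": {"asa": [], "sonicwall": []},
                                              "verdict": "single_side"})
        entry[ev.device].add(ev.kind)
        entry["_ts"][ev.device].append(ev.ts)
    for entry in report.values():
        ts = entry.pop("_ts")
        if any(abs(a - s) <= window for a in ts["asa"] for s in ts["sonicwall"]):
            entry["verdict"] = "ike_sa_desync"
    return report


# What to verify for each indicator, keyed so the list reads in a sensible order.
CHECKS = {
    "unencrypted_notify": "compare the phase 1 and phase 2 proposals (cipher, hash, DH group, lifetimes) on both ends",
    "psk_mismatch_suspected": "re-enter the pre-shared key on both peers and compare the phase 1 lifetime on each side",
    "payload_malformed": "capture UDP/500 on both sides around the failure and see whether it follows a rekey",
    "peer_table_error": "check whether one side still holds a phase 1 SA the other has already deleted",
}


def recommended_checks(entry):
    kinds = entry["asa"] | entry["sonicwall"]
    return [text for kind, text in CHECKS.items() if kind in kinds]


# Constructed sample log: one full incident on remote-a, a lone ASA notify on remote-b.
SAMPLE_LOG = """\
2024-01-08T03:12:07 asa IP = 203.0.113.65, Error: Unable to remove PeerTblEntry
2024-01-08T03:12:07 asa IP = 203.0.113.65, Removing peer from peer table failed, no match!
2024-01-08T03:12:09 asa IP = 203.0.113.65, Error processing payload: Payload ID: 1
2024-01-08T03:12:09 asa IP = 203.0.113.65, Information Exchange processing failed
2024-01-08T03:12:09 asa IP = 203.0.113.65, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
2024-01-08T03:12:10 sonicwall VPN Warning Received notify: PAYLOAD_MALFORMED 198.51.100.10, 500 203.0.113.65, 500
2024-01-08T03:12:10 sonicwall VPN Warning Received unencrypted packet in crypto active state 198.51.100.10, 500 203.0.113.65, 500 udp
2024-01-08T03:12:10 sonicwall VPN Warning Failed payload verification after decryption; possible preshared key mismatch 198.51.100.10, 500 203.0.113.65, 500
2024-01-08T09:40:01 asa IP = 203.0.113.66, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
"""


def analyze(log_text=SAMPLE_LOG):
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    return correlate(events)


if __name__ == "__main__":
    for name, entry in analyze().items():
        print(f"{name}: {entry['verdict']}")
        for check in recommended_checks(entry):
            print(f"  - {check}")
```

Feeding the script real syslog from both boxes only needs the prefix regex adjusted to whatever the collector prepends; the indicator tables are the part that carries over unchanged. The verdict is deliberately conservative: a lone NO_PROPOSAL_CHOSEN from one side stays `single_side`, because that alone does not distinguish a proposal mismatch from a stray retransmit.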