#1
June 15th, 2009, 07:25 AM
chriszulli
IPsec SA Not Established

Hello,

I have a FVS338 and FVS336g and have established a VPN tunnel between two remote sites that has been up and working for at least a month. Today, however, out of nowhere I'm getting "IPsec SA Not Established" and the two sites are not connected. Any ideas of what may cause this?

Tried rebooting both appliances; the public IPs have not changed, subnet addresses have not changed.

Thanks in advance.

Chris
#2
June 15th, 2009, 08:26 AM
adit
Re: IPsec SA Not Established

Disable and re-enable the VPN policies, then click Connect on the status screen.

Else we will need to see the entire log file and some screenshots of the configs.

Which firmwares?
#3
June 15th, 2009, 08:45 AM
chriszulli
Re: IPsec SA Not Established

This seems to be when the tunnel went down:


Log from the FVS336g appliance:

2009-06-15 14:14:29: INFO: Configuration found for 173.12.23.201.
2009-06-15 14:14:33: ERROR: ignore the packet, expecting the packet encrypted.
2009-06-15 14:14:43: ERROR: ignore the packet, expecting the packet encrypted.
2009-06-15 14:14:45: INFO: accept a request to establish IKE-SA: 173.12.23.201
2009-06-15 14:14:45: INFO: Configuration found for 173.12.23.201.
2009-06-15 14:14:49: INFO: accept a request to establish IKE-SA: 173.12.23.201
2009-06-15 14:14:49: INFO: Configuration found for 173.12.23.201.
2009-06-15 14:14:53: ERROR: ignore the packet, expecting the packet encrypted.
2009-06-15 14:15:00: ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP 173.12.23.201->70.90.8.121
2009-06-15 14:15:03: ERROR: ignore the packet, expecting the packet encrypted.
2009-06-15 14:15:08: ERROR: Phase 1 negotiation failed due to time up for 173.12.23.201[500]. 520aaf2b35ec61b0:8f5bd07ffc12ff9d
2009-06-15 14:15:16: ERROR: Invalid SA protocol type: 0
2009-06-15 14:15:16: ERROR: Phase 2 negotiation failed due to time up waiting for phase1.
2009-06-15 14:15:20: ERROR: Invalid SA protocol type: 0
2009-06-15 14:15:20: ERROR: Phase 2 negotiation failed due to time up waiting for phase1.





Log from the FVS338 appliance:

2009 Jun 15 14:14:53 [FVS338] [IKE] Configuration found for 70.90.8.121._
2009 Jun 15 14:14:58 [FVS338] [IKE] Received Malformed packet of payload length 32223 and total length 40._
2009 Jun 15 14:14:59 [FVS338] [IKE] Invalid SA protocol type: 0_
2009 Jun 15 14:14:59 [FVS338] [IKE] Phase 2 negotiation failed due to time up waiting for phase1. _
2009 Jun 15 14:15:04 [FVS338] [IKE] Invalid SA protocol type: 0_
2009 Jun 15 14:15:04 [FVS338] [IKE] Phase 2 negotiation failed due to time up waiting for phase1. _
2009 Jun 15 14:15:13 [FVS338] [IKE] Phase 1 negotiation failed due to time up for 70.90.8.121[500]. 520aaf2b35ec61b0:8f5bd07ffc12ff9d_
2009 Jun 15 14:15:24 [FVS338] [IKE] Invalid SA protocol type: 0_
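A way to read the two excerpts in the post above side by side, as an added example that is not part of the original thread: it parses both devices' log layouts and separates the Phase 1 timeouts from the Phase 2 and packet errors that accompany them. Treating the trailing hex pair as the exchange's initiator:responder cookies is an assumption, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Lines copied from the two log excerpts posted above (a subset of each).
FVS336G = """\
2009-06-15 14:14:53: ERROR: ignore the packet, expecting the packet encrypted.
2009-06-15 14:15:00: ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP 173.12.23.201->70.90.8.121
2009-06-15 14:15:08: ERROR: Phase 1 negotiation failed due to time up for 173.12.23.201[500]. 520aaf2b35ec61b0:8f5bd07ffc12ff9d
2009-06-15 14:15:16: ERROR: Phase 2 negotiation failed due to time up waiting for phase1.
"""
FVS338 = """\
2009 Jun 15 14:14:58 [FVS338] [IKE] Received Malformed packet of payload length 32223 and total length 40._
2009 Jun 15 14:14:59 [FVS338] [IKE] Phase 2 negotiation failed due to time up waiting for phase1. _
2009 Jun 15 14:15:13 [FVS338] [IKE] Phase 1 negotiation failed due to time up for 70.90.8.121[500]. 520aaf2b35ec61b0:8f5bd07ffc12ff9d_
"""
# One (regex, strptime format) pair per device log layout.
LAYOUTS = [
    (re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): \w+: (.*)$"), "%Y-%m-%d %H:%M:%S"),
    (re.compile(r"^(\d{4} \w{3} \d\d \d\d:\d\d:\d\d) \[\w+\] \[IKE\] (.*?)_?$"), "%Y %b %d %H:%M:%S"),
]
P1_FAIL = re.compile(r"Phase 1 negotiation failed due to time up for ([\d.]+)\[(\d+)\]\. ([0-9a-f]{16}:[0-9a-f]{16})")
MALFORMED = re.compile(r"payload length (\d+) and total length (\d+)")

def parse(text):
    """Yield (datetime, message) for each line in either layout."""
    for line in text.splitlines():
        for rx, fmt in LAYOUTS:
            m = rx.match(line.strip())
            if m:
                yield datetime.strptime(m.group(1), fmt), m.group(2).strip()
                break

def triage(text):
    """Separate the Phase 1 timeouts from the errors that follow from them."""
    out = {"phase1_timeouts": {}, "phase2_waiting": 0, "undecodable": 0}
    for ts, msg in parse(text):
        p1, bad = P1_FAIL.search(msg), MALFORMED.search(msg)
        if p1:  # trailing hex pair assumed to be initiator:responder cookies
            out["phase1_timeouts"][p1.group(3)] = (ts, p1.group(1))
        elif "waiting for phase1" in msg:
            out["phase2_waiting"] += 1
        elif "expecting the packet encrypted" in msg or (bad and int(bad.group(1)) > int(bad.group(2))):
            out["undecodable"] += 1
    return out

def shared_exchanges(log_a, log_b):
    """Cookie pairs whose Phase 1 timed out on both devices."""
    a, b = triage(log_a)["phase1_timeouts"], triage(log_b)["phase1_timeouts"]
    return {c: (a[c], b[c]) for c in a.keys() & b.keys()}
```

On these lines both devices report a Phase 1 timeout for the same pair five seconds apart, so the Phase 2 messages are a consequence of Phase 1 never completing rather than a separate fault.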
#4
June 15th, 2009, 09:10 AM
adit
Re: IPsec SA Not Established

Check to make sure all are set on the same algorithms.

I recommend AES-256 SHA-1 with DH PFS Group 2 in both IKE and VPN policies.

If the IPs are static use 86400 for the SA Lifetime, else 3600.

Last edited by adit; June 15th, 2009 at 10:53 AM.
#5
June 15th, 2009, 09:39 AM
chriszulli
Re: IPsec SA Not Established

OK - I will try it. Also going to update firmware on FVS336G - seems old.
#6
June 15th, 2009, 10:52 AM
jmizoguchi
Re: IPsec SA Not Established

Quote:
Originally Posted by chriszulli
OK - I will try it. Also going to update firmware on FVS336G - seems old.

If you do... hard reset and manually set it all up again.

Many have issues on the FVS336G with the upgrade that is currently out.
#7
June 16th, 2009, 06:08 AM
chriszulli
Re: IPsec SA Not Established

Working. Updated firmware to latest release and deleted/reconfigured VPN tunnel.

Thanks all for the help!!

Chris
All times are GMT -8.