[Openswan Users] Openswan 2.4.6 - cisco pix ike problem

Peter McGill petermcgill at goco.net
Fri Oct 13 08:44:07 EDT 2006


> Oct 12 15:07:17 gate pluto[10954]: "cross-rsd" #6: received Delete SA payload: deleting ISAKMP State #6
> Oct 12 15:07:17 gate pluto[10954]: packet from aaa.bbb.ccc.ddd:500: received and ignored informational message
> Oct 12 15:07:17 gate pluto[10954]: packet from aaa.bbb.ccc.ddd:500: Informational Exchange is for an unknown (expired?) SA
> Oct 12 15:07:21 gate pluto[10954]: "cross-rsd" #7: DPD: Serious: could not find newest phase 1 state

I have the nearly same problem with a nortel switch I connect to.
The fact is the cisco has decided to destroy the tunnel, and openswan happily complies and doesn't attempt to reconnect.
Personally I wish openswan would reconnect.

Now you might be able to mitigate or eliminate this problem if you adjust the ikelifetime and keylife values.
They control when the connection expires, and cisco might be destroying the tunnel because it thinks it's expired, because it's set to expire sooner.
Now it's sending you a delete for ISAKMP so I would try shrinking your ikelifetime, that might help.
They are connection specific settings and they default to:
ikelifetime=8.0h
keylife=1.0h
They should match the expiry settings on the cisco so try to verify the tunnel lifetime/expiry settings with the cisco admin.


Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited 
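As an added example (not from the original thread or from Openswan itself), a small Python check that reads the lifetimes of one conn from ipsec.conf text, falling back to the defaults quoted above, and compares them in seconds with the peer's phase 1 and phase 2 lifetimes. The sample conn and the peer values are constructed; overrides from a `conn %default` section are not handled.

```python
import re

# Openswan lifetime syntax: a number with optional unit s/m/h/d; a bare number is seconds
_UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# Defaults quoted in the post above
DEFAULTS = {"ikelifetime": "8.0h", "keylife": "1.0h"}


def parse_lifetime(value):
    """Convert an Openswan lifetime ('8.0h', '20m', '3600') to seconds."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError("bad lifetime: %r" % value)
    return int(float(m.group(1)) * _UNIT[m.group(2) or "s"])


def conn_lifetimes(ipsec_conf, conn):
    """Return {'ikelifetime': secs, 'keylife': secs} for one conn, using the
    defaults for any value the conn does not set ('conn %default' is ignored)."""
    values = dict(DEFAULTS)
    in_conn = False
    for line in ipsec_conf.splitlines():
        s = line.strip()
        if s.startswith("conn "):
            in_conn = s.split(None, 1)[1].strip() == conn
            continue
        if in_conn and "=" in s and not s.startswith("#"):
            k, v = (p.strip() for p in s.split("=", 1))
            if k in values:
                values[k] = v
    return {k: parse_lifetime(v) for k, v in values.items()}


def check_lifetimes(ours, peer_isakmp, peer_ipsec):
    """Compare our lifetimes (seconds) with the peer's phase 1 / phase 2 lifetimes
    (seconds). Returns a list of findings; an empty list means they match."""
    findings = []
    for name, mine, theirs in (("ikelifetime", ours["ikelifetime"], peer_isakmp),
                               ("keylife", ours["keylife"], peer_ipsec)):
        if mine > theirs:
            findings.append("%s=%ds exceeds peer's %ds: peer expires first and will send Delete SA"
                            % (name, mine, theirs))
        elif mine < theirs:
            findings.append("%s=%ds is below peer's %ds: we rekey first (usually harmless)"
                            % (name, mine, theirs))
    return findings


# Constructed sample conn: ikelifetime left at the default, keylife set explicitly
SAMPLE_CONF = """\
conn cross-rsd
    left=%defaultroute
    right=aaa.bbb.ccc.ddd
    keylife=1h
    auto=start
"""

if __name__ == "__main__":
    for finding in check_lifetimes(conn_lifetimes(SAMPLE_CONF, "cross-rsd"), 3600, 3600):
        print(finding)
```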


