L2TP/IPSec connection times out

  • Question

  • Hello, I would like to set up an L2TP/IPSec connection between a CE device and my firewall. I can establish a connection, but after a little while (a few minutes), the tunnel / VPN connection stops. The error message on the CE 6 device is "A network error has occurred, or the server has closed the VPN connection". Below is a tcpdump from the firewall.

    Thank you in advance for your help,

    Mike

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    17:40:47.136363 IP 192.168.1.38 > 192.168.1.39: ESP(spi=0xdd939920,seq=0xfd), length 60
    17:40:47.152205 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x100), length 60
    17:40:48.088398 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x101), length 108
    17:40:48.089567 IP 192.168.1.38 > 192.168.1.39: ESP(spi=0xdd939920,seq=0xfe), length 108
    17:40:49.116132 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x102), length 108
    17:40:49.117320 IP 192.168.1.38 > 192.168.1.39: ESP(spi=0xdd939920,seq=0xff), length 108
    17:40:50.142210 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x103), length 108
    17:40:50.143338 IP 192.168.1.38 > 192.168.1.39: ESP(spi=0xdd939920,seq=0x100), length 108
    17:40:50.363354 IP 192.168.1.38.500 > 192.168.1.39.500: isakmp: phase 1 I ident
    17:40:50.389604 IP 192.168.1.39.500 > 192.168.1.38.500: isakmp: phase 1 R ident
    17:40:50.402132 IP 192.168.1.38.500 > 192.168.1.39.500: isakmp: phase 1 I ident
    17:40:51.140409 IP 192.168.1.38.1701 > 192.168.1.39.1701:  l2tp:[L](1/1) {LCP, Echo-Request (0x09), id 57, length 10}
    17:40:51.196166 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x104), length 108
    17:40:52.240781 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x105), length 108
    17:40:53.558335 IP 192.168.1.39.500 > 192.168.1.38.500: isakmp: phase 1 R ident
    17:40:53.564226 IP 192.168.1.39.500 > 192.168.1.38.500: isakmp: phase 1 R ident
    17:40:53.570843 IP 192.168.1.38.500 > 192.168.1.39.500: isakmp: phase 1 I ident[E]
    17:40:53.612327 IP 192.168.1.39.500 > 192.168.1.38.500: isakmp: phase 1 R ident[E]
    17:40:53.625729 IP 192.168.1.38.500 > 192.168.1.39.500: isakmp: phase 2/others I oakley-quick[E]
    17:40:53.726003 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x106), length 108
    17:40:55.144437 IP 192.168.1.38.1701 > 192.168.1.39.1701:  l2tp:[L](1/1) {LCP, Echo-Request (0x09), id 58, length 10}
    17:40:55.241818 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x107), length 108
    17:40:56.783139 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x108), length 108
    17:40:57.625912 IP 192.168.1.38.500 > 192.168.1.39.500: isakmp: phase 2/others I oakley-quick[E]
    17:40:58.283195 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x109), length 108
    17:40:59.148491 IP 192.168.1.38.1701 > 192.168.1.39.1701:  l2tp:[L](1/1) {LCP, Echo-Request (0x09), id 59, length 10}
    17:40:59.782536 IP 192.168.1.38.1701 > 192.168.1.39.1701:  l2tp:[TLS](1/0)Ns=5,Nr=4 *MSGTYPE(HELLO)
    17:40:59.789552 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x10a), length 108
    17:41:00.783558 IP 192.168.1.38.1701 > 192.168.1.39.1701:  l2tp:[TLS](1/0)Ns=5,Nr=4 *MSGTYPE(HELLO)
    17:41:01.302959 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x10b), length 108
    17:41:01.784578 IP 192.168.1.38.1701 > 192.168.1.39.1701:  l2tp:[TLS](1/0)Ns=5,Nr=4 *MSGTYPE(HELLO)
    17:41:02.785597 IP 192.168.1.38.1701 > 192.168.1.39.1701:  l2tp:[TLS](1/0)Ns=5,Nr=4 *MSGTYPE(HELLO)
    17:41:02.818249 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x10c), length 108
    17:41:03.152333 IP 192.168.1.38.1701 > 192.168.1.39.1701:  l2tp:[L](1/1) {LCP, Echo-Request (0x09), id 60, length 10}
    17:41:03.786251 IP 192.168.1.38.1701 > 192.168.1.39.1701:  l2tp:[TLS](1/0)Ns=5,Nr=4 *MSGTYPE(HELLO)
    17:41:04.333645 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x10d), length 108
    17:41:04.787382 IP 192.168.1.38.1701 > 192.168.1.39.1701:  l2tp:[TLS](1/0)Ns=6,Nr=4 *MSGTYPE(StopCCN) *ASSND_TUN_ID(65440) *RESULT_CODE(1/0 Timeout)
    17:41:04.826234 IP 192.168.1.38.500 > 192.168.1.39.500: isakmp: phase 2/others I oakley-quick[E]
    17:41:05.788259 IP 192.168.1.38.1701 > 192.168.1.39.1701:  l2tp:[TLS](1/0)Ns=6,Nr=4 *MSGTYPE(StopCCN) *ASSND_TUN_ID(65440) *RESULT_CODE(1/0 Timeout)
    17:41:05.848913 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x10e), length 108
    17:41:06.789272 IP 192.168.1.38.1701 > 192.168.1.39.1701:  l2tp:[TLS](1/0)Ns=6,Nr=4 *MSGTYPE(StopCCN) *ASSND_TUN_ID(65440) *RESULT_CODE(1/0 Timeout)
    17:41:07.387707 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x10f), length 108
    17:41:07.790288 IP 192.168.1.38.1701 > 192.168.1.39.1701:  l2tp:[TLS](1/0)Ns=6,Nr=4 *MSGTYPE(StopCCN) *ASSND_TUN_ID(65440) *RESULT_CODE(1/0 Timeout)
    17:41:08.791303 IP 192.168.1.38.1701 > 192.168.1.39.1701:  l2tp:[TLS](1/0)Ns=6,Nr=4 *MSGTYPE(StopCCN) *ASSND_TUN_ID(65440) *RESULT_CODE(1/0 Timeout)
    17:41:08.891878 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x110), length 108
    17:41:10.396881 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x111), length 108
    17:41:11.910424 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x112), length 108
    17:41:13.425755 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x113), length 108
    17:41:14.968099 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x114), length 108
    17:41:16.469479 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x115), length 108
    17:41:17.786325 IP 192.168.1.38.500 > 192.168.1.39.500: isakmp: phase 2/others I oakley-quick[E]
    17:41:17.971855 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x116), length 108
    17:41:19.487378 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x117), length 108
    17:41:21.002412 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x118), length 108
    17:41:22.517871 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x119), length 108
    17:41:24.058116 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x11a), length 108

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    Wednesday, July 20, 2016 10:26 PM
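
To triage a capture like the one above, this added example (not part of the original thread) parses tcpdump text lines and reports the last ESP packet per SPI, the IKE Quick Mode messages per direction, and the L2TP control-message retransmissions. The embedded lines are an excerpt of the posted trace; the function names are hypothetical, and timestamps are assumed to fall within a single day.

```python
import re
from collections import Counter

# Excerpt of the tcpdump output posted in the question (a subset of its lines).
TRACE = """\
17:40:50.142210 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x103), length 108
17:40:50.143338 IP 192.168.1.38 > 192.168.1.39: ESP(spi=0xdd939920,seq=0x100), length 108
17:40:50.363354 IP 192.168.1.38.500 > 192.168.1.39.500: isakmp: phase 1 I ident
17:40:53.612327 IP 192.168.1.39.500 > 192.168.1.38.500: isakmp: phase 1 R ident[E]
17:40:53.625729 IP 192.168.1.38.500 > 192.168.1.39.500: isakmp: phase 2/others I oakley-quick[E]
17:40:57.625912 IP 192.168.1.38.500 > 192.168.1.39.500: isakmp: phase 2/others I oakley-quick[E]
17:40:59.782536 IP 192.168.1.38.1701 > 192.168.1.39.1701:  l2tp:[TLS](1/0)Ns=5,Nr=4 *MSGTYPE(HELLO)
17:41:00.783558 IP 192.168.1.38.1701 > 192.168.1.39.1701:  l2tp:[TLS](1/0)Ns=5,Nr=4 *MSGTYPE(HELLO)
17:41:04.787382 IP 192.168.1.38.1701 > 192.168.1.39.1701:  l2tp:[TLS](1/0)Ns=6,Nr=4 *MSGTYPE(StopCCN) *ASSND_TUN_ID(65440) *RESULT_CODE(1/0 Timeout)
17:41:04.826234 IP 192.168.1.38.500 > 192.168.1.39.500: isakmp: phase 2/others I oakley-quick[E]
17:41:05.848913 IP 192.168.1.39 > 192.168.1.38: ESP(spi=0xc8af2cf0,seq=0x10e), length 108
"""

LINE = re.compile(r"^(\S+) IP (\S+) > (\S+?): +(.*)$")

def summarize(trace):
    """Collect the IPsec/L2TP events that matter when triaging a tunnel drop."""
    s = {"last_esp": {}, "phase1_start": None, "quick": Counter(),
         "l2tp_ctrl": Counter(), "stopccn": None}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, _src, _dst, body = m.groups()
        if (esp := re.match(r"ESP\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\)", body)):
            # Remember the latest timestamp and sequence number seen per SPI.
            s["last_esp"][esp.group(1)] = (ts, int(esp.group(2), 16))
        elif body.startswith("isakmp: phase 1 I") and s["phase1_start"] is None:
            s["phase1_start"] = ts  # first initiator phase 1 message in the capture
        elif (q := re.match(r"isakmp: phase 2/others ([IR]) oakley-quick", body)):
            s["quick"][q.group(1)] += 1  # I = initiator, R = responder
        elif (c := re.search(r"Ns=(\d+),Nr=\d+ \*MSGTYPE\((\w+)\)", body)):
            # The same (message type, Ns) seen more than once is a retransmission.
            s["l2tp_ctrl"][(c.group(2), int(c.group(1)))] += 1
            if (r := re.search(r"\*RESULT_CODE\(([^)]*)\)", body)):
                s["stopccn"] = r.group(1)
    return s

def stale_sas(s):
    """SPIs whose last ESP packet predates the phase 1 exchange seen in the trace."""
    p1 = s["phase1_start"]
    return sorted(spi for spi, (ts, _) in s["last_esp"].items() if p1 and ts < p1)

if __name__ == "__main__":
    print(summarize(TRACE), stale_sas(summarize(TRACE)))
```

On the excerpt, SPI 0xdd939920 carries no ESP after the phase 1 exchange begins, and the three initiator Quick Mode messages have no responder reply.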

Answers

  • Hi Mike,

    Have you worked with your device OEM to get the error message the CE device is reporting?  From the text you give "A network error has occurred, or the server has closed the VPN connection" it sounds like the VPN is actually rejecting the CE device.

    Sincerely,

    IoTGirl

    Friday, July 29, 2016 8:51 PM
    Moderator