bionsmall.blogg.se

Responder: sent main mode message #1 (OK)ĭeleted an Isakmp SA on the tunnel to :500 Responder: sent main mode message #2 (OK) Responder: sent main mode message #3 (DONE) PHASE 2 RENEGOTIATION (repeats indefinitely)ĭeleted an IPsec SA on the tunnel to :500 Initiator: sent main mode message #1 (OK) Initiator: sent main mode message #2 (OK) Initiator: sent main mode message #3 (OK) Initiator: parsed main mode message #3 (DONE) Initiator: sent quick mode message #1 (OK) Initiator: sent quick mode message #2 (DONE) Initiator: tunnel, transform=ESP_3DES, HMAC_SHA1 Responder: sent quick mode message #1 (OK) Responder: parsed quick mode message #2 (DONE) Responder: tunnel, transform=ESP_3DES, HMAC_SHA1 You can see where they show " Initiator" for Main Main messages when the tunnel comes up inittaly, and " Responder" when renegotiating. Log Messages ( is FGT peer IP) are below. NOTE: set auto-negotiate enable did not resolve it. In any case, I' ll try setting Phase 1 < Phase 2 and see if that works around the problem. I' ve always set Phase 2 < Phase 1 timer (otherwise there is no point in having an Phase 2 timer). For all I know, the IPSEC standard itself may determine that roles are reversed (Responder vs Initiator) for renegotiation. If both sides use the same timing (75% keylife) there' s no guarantee the FGT will auto-negotiate before the ASA does (due to generated traffic).

The phase 2 keylife on both sides is 28800 sec (8 hr) and renegotiation occurred after 6 hrs (I assume that is by design - like DHCP renewal). It seems like enabling auto-negotitate will improve the likelihood that the FGT re-negotiates first but not guarantee it. So.I' m thinking the root cause is a bug or incompatibility related to how the FGT implements/parses/compares address groups for SA during phase 2 negotiation.ĪNYWAY, I think preventing the ASA from iniating the tunnel will get around the problem (assuming the setting applies to re-negotiation of phase 2 as well), but I' m going to start with setting auto-negotiate to enable on the FGT to learn more about the behavior. I' m still confused as to the root cause.If phases 1 and 2 pass when the FGT initiates the tunnel, doesn' t that mean that the relevant SA properties match and should therefore do so when the other side initiates it? I' ve confirmed thst the phase 2 ranges are identical.