gilado
Posts: 6
Registered: ‎12-04-2008
Accepted Solution

VPN works, causes periodic freezes of BEFSX41

I use a BEFSX41 as a firewall/router and with site-to-site vpn.

While the vpn tunnel is up the router seems to freeze every minute (sometimes after 45 seconds or 30 seconds).

That is easily evident when pinging the router from another machine on the intranet side. While the average ping time is less than 1 millisecond, every minute it will be 500 milliseconds or more. Pinging a machine on the remote side of the vpn usually is 80 milliseconds and every minute or so it goes up to 2 seconds for a few pings.

If I take the vpn down the problem stops (i.e. pinging the router/firewall from the intranet side is consistently below 1 millisecond).

I found out that these freezes/delays coincide with information in the vpn log file; it looks like this:

2008-12-04 12:46:01 IKE[1] Set up ESP tunnel with 206.xxx.xxx.xx Success !
2008-12-04 12:46:01
2008-12-04 12:46:34 IKE[1] Rx << QM_I1 : 206.xxx.xxx.xx HASH, SA, NONCE, ID, ID
2008-12-04 12:46:34 IKE[1] **Check your Local/Remote Secure Group settings !
2008-12-04 12:47:01
2008-12-04 12:47:01 IKE[1] Tx >> MM_I1 : 206.xxx.xxx.xx Error !
2008-12-04 12:47:02 IKE[1] Rx << MM_R1 : 206.xxx.xxx.xx SA, VID
2008-12-04 12:47:02 IKE[1] ISAKMP SA CKI=[342ed619 c59fed01] CKR=[kkkk1954 ffff4e87]
2008-12-04 12:47:02 IKE[1] ISAKMP SA 3DES / MD5 / PreShared / MODP_1024 / 3600 sec (*3600 sec)
2008-12-04 12:47:02 IKE[1] Tx >> MM_I2 : 206.xxx.xxx.xx KE, NONCE
2008-12-04 12:47:03 IKE[1] Rx << MM_R2 : 206.xxx.xxx.xx KE, NONCE
2008-12-04 12:47:03 IKE[1] Tx >> MM_I3 : 206.xxx.xxx.xx ID, HASH
2008-12-04 12:47:05 IKE[1] Rx << MM_R3 : 206.xxx.xxx.xx ID, HASH
2008-12-04 12:47:05 IKE[1] Rx << QM_R1 : 206.xxx.xxx.xx HASH, SA, NONCE, ID, ID
2008-12-04 12:47:05 IKE[1] Tx >> QM_I2 : 206.xxx.xxx.xx HASH
2008-12-04 12:47:05 IKE[1] ESP_SA 3DES / MD5 / 3600 sec / SPI=[nnnn7daf:mmmm9ee9]
2008-12-04 12:47:05 IKE[1] Set up ESP tunnel with 206.xxx.xxx.xx Success !
2008-12-04 12:47:05
2008-12-04 12:47:32 IKE[1] Rx << QM_I1 : 206.xxx.xxx.xx HASH, SA, NONCE, ID, ID
2008-12-04 12:47:32 IKE[1] **Check your Local/Remote Secure Group settings !
2008-12-04 12:48:01
2008-12-04 12:48:01 IKE[1] Tx >> MM_I1 : 206.xxx.xxx.xx Error !
2008-12-04 12:48:02 IKE[1] Rx << MM_R1 : 206.xxx.xxx.xx SA, VID
2008-12-04 12:48:02 IKE[1] ISAKMP SA CKI=[60e98e30 f5831f66] CKR=[kkkk6675 ffff38d1]
2008-12-04 12:48:02 IKE[1] ISAKMP SA 3DES / MD5 / PreShared / MODP_1024 / 3600 sec (*3600 sec)
2008-12-04 12:48:02 IKE[1] Tx >> MM_I2 : 206.xxx.xxx.xx KE, NONCE
2008-12-04 12:48:03 IKE[1] Rx << MM_R2 : 206.xxx.xxx.xx KE, NONCE
2008-12-04 12:48:03 IKE[1] Tx >> MM_I3 : 206.xxx.xxx.xx ID, HASH
2008-12-04 12:48:05 IKE[1] Rx << MM_R3 : 206.xxx.xxx.xx ID, HASH
2008-12-04 12:48:05 IKE[1] Rx << QM_R1 : 206.xxx.xxx.xx HASH, SA, NONCE, ID, ID
2008-12-04 12:48:05 IKE[1] Tx >> QM_I2 : 206.xxx.xxx.xx HASH
2008-12-04 12:48:05 IKE[1] ESP_SA 3DES / MD5 / 3600 sec / SPI=[nnnn65e5:mmmm2ea9]
2008-12-04 12:48:05 IKE[1] Set up ESP tunnel with 206.xxx.xxx.xx Success !
2008-12-04 12:48:05

The above pattern repeats ad infinitum.

To be clear, the vpn works throughout (except for periodic delays) for many days.

I think my settings might not be completely right, but I don't know how to interpret the above log.

 

eepro
Posts: 168
Registered: ‎11-15-2008

Re: VPN works, causes periodic freezes of BEFSX41

I am not familiar with the vpn log, but you may try upgrading the firmware and check anti-replay and keep-alive on both routers.
gilado
Posts: 6
Registered: ‎12-04-2008

Re: VPN works, causes periodic freezes of BEFSX41

Found it.

I had PFS disabled. I enabled PFS and the problem went away.

http://en.wikipedia.org/wiki/Perfect_forward_secrecy

 

See http://www.ietf.org/rfc/rfc2409.txt sections 8-10 to see why
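
A way to spot the pattern in the first post's log automatically, as an added example that is not part of the original thread: it counts rejected Quick Mode proposals and compares how often the ESP tunnel is rebuilt against the negotiated 3600 sec lifetime. The function name and the 50% threshold (`churn_ratio`) are assumptions; the sample lines are abridged from the posted log.

```python
import re
from datetime import datetime

# Abridged from the log in the first post (peer address masked as posted).
SAMPLE_LOG = """\
2008-12-04 12:46:01 IKE[1] Set up ESP tunnel with 206.xxx.xxx.xx Success !
2008-12-04 12:46:34 IKE[1] Rx << QM_I1 : 206.xxx.xxx.xx HASH, SA, NONCE, ID, ID
2008-12-04 12:46:34 IKE[1] **Check your Local/Remote Secure Group settings !
2008-12-04 12:47:01
2008-12-04 12:47:01 IKE[1] Tx >> MM_I1 : 206.xxx.xxx.xx Error !
2008-12-04 12:47:05 IKE[1] ESP_SA 3DES / MD5 / 3600 sec / SPI=[nnnn7daf:mmmm9ee9]
2008-12-04 12:47:05 IKE[1] Set up ESP tunnel with 206.xxx.xxx.xx Success !
2008-12-04 12:47:32 IKE[1] Rx << QM_I1 : 206.xxx.xxx.xx HASH, SA, NONCE, ID, ID
2008-12-04 12:47:32 IKE[1] **Check your Local/Remote Secure Group settings !
2008-12-04 12:48:01 IKE[1] Tx >> MM_I1 : 206.xxx.xxx.xx Error !
2008-12-04 12:48:05 IKE[1] ESP_SA 3DES / MD5 / 3600 sec / SPI=[nnnn65e5:mmmm2ea9]
2008-12-04 12:48:05 IKE[1] Set up ESP tunnel with 206.xxx.xxx.xx Success !
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)(?: IKE\[(\d+)\] (.*))?$")
ESP_SA = re.compile(r"^ESP_SA .*?/ (\d+) sec /")

def analyze(log_text, churn_ratio=0.5):
    """Flag tunnels that are rebuilt long before the negotiated ESP lifetime."""
    setups, rejected, lifetime = [], 0, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(3) is None:  # skip blank and timestamp-only lines
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(3)
        if msg.startswith("Set up ESP tunnel") and "Success" in msg:
            setups.append(ts)
        elif "Check your Local/Remote Secure Group settings" in msg:
            rejected += 1  # peer's Quick Mode proposal was refused
        elif (sa := ESP_SA.match(msg)):
            lifetime = int(sa.group(1))  # negotiated ESP SA lifetime in seconds
    # Seconds between consecutive successful tunnel setups.
    gaps = [int((b - a).total_seconds()) for a, b in zip(setups, setups[1:])]
    churn = lifetime is not None and any(g < lifetime * churn_ratio for g in gaps)
    return {"setups": len(setups), "rejected_quick_mode": rejected,
            "lifetime_sec": lifetime, "rebuild_gaps_sec": gaps, "churn": churn}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample, the tunnel is rebuilt roughly every minute against a 3600 sec lifetime, which matches the freeze interval described in the first post.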