Barracuda NextGen Firewall X

IPSEC tunnel between Windows ISA und NG Firewall is up but no traffic is routed through

  • Type: Knowledgebase
  • Date changed: one year ago
Solution #00005330 


Scope:
This solution applies to:
- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x

 
Symptoms:
An IPSEC tunnel is established between a Windows ISA server and an NG Firewall, and it is possible to send traffic through this tunnel. But after approximately 5 minutes during which no traffic is sent through the tunnel, it is no longer possible to send data through the tunnel.

The debug level 90 log of the IKE daemon (ike.log) displays the following messages:

 

Info S1_VPN_ike[1076]: ipsec_delete_spi_list: [IPSEC-TestTunnel-172.16.0.0-172.16.1.0] spi=cf2a1bd5
Info S1_VPN_ike[1076]: ipsec_delete_spi_list: DELETE made us delete SA 0x730a0b6 (3 references) for proto 3
Info S1_VPN_ike[1076]: timer_remove_event: removing event sa_hard_expire(0x730a0b6)
Info S1_VPN_ike[1076]: timer_remove_event: removing event sa_soft_expire(0x730a0b6)
Info S1_VPN_ike[1076]: sa_remove: SA 0x730a0b6 removed from SA list
Info S1_VPN_ike[1076]: sa_release: SA 0x730a0b6 had 1 references
Info S1_VPN_ike[1076]: sa_release: freeing SA 0x730a0b6
Info S1_VPN_ike[1076]: delete_spi: [IPSEC-TestTunnel-172.16.0.0-172.16.1.0] outbound sa=0x730a0b6 proto=0x842e5c0, NOT REPLACED
Info S1_VPN_ike[1076]: delete_spi: IPSEC-TestTunnel-172.16.0.0-172.16.1.0(0x730a0b6), spi: 0xcf2a1bd5 succeeded.
Info S1_VPN_ike[1076]: delete_spi: [IPSEC-TestTunnel-172.16.0.0-172.16.1.0] inbound sa=0x730a0b6 proto=0x842e5c0, NOT REPLACED
Info S1_VPN_ike[1076]: delete_spi: IPSEC-TestTunnel-172.16.0.0-172.16.1.0(0x730a0b6), spi: 0x68a2be91 succeeded.

 

Solution:
The messages "DELETE made us delete SA" and "NOT REPLACED" mean that the NG Firewall received a delete request for the SA from the Windows ISA server and no new Phase 2 SA is available to replace it. When this happens, no traffic can be routed through the tunnel anymore.
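To spot this signature in a larger ike.log without reading it line by line, the following PowerShell script scans for the two messages explained above and reports, per tunnel, each SA that was deleted at the peer's request and not replaced. It is an added example, not part of the Barracuda solution; the sample lines are constructed from the excerpt above, the function name Find-UnreplacedSaDeletes is ours, and $LogPath is a placeholder for an ike.log copied off the firewall.

```powershell
# Added example (not from the Barracuda article): scan an ike.log (debug level 90)
# for a peer-initiated DELETE that removed a Phase 2 SA without a replacement.
# Find-UnreplacedSaDeletes is an assumed helper name; $LogPath is a placeholder.

function Find-UnreplacedSaDeletes {
    param([string[]]$Lines)

    $results = @()
    $pendingDelete = $false
    foreach ($line in $Lines) {
        # The peer's DELETE payload caused the IKE daemon to drop an SA
        if ($line -match 'ipsec_delete_spi_list: DELETE made us delete SA (0x[0-9a-f]+)') {
            $pendingDelete = $true
            continue
        }
        # The following delete_spi lines state whether a new SA took its place
        if ($line -match 'delete_spi: \[(?<tunnel>[^\]]+)\] (?<dir>inbound|outbound) sa=(?<sa>0x[0-9a-f]+) .*NOT REPLACED') {
            if ($pendingDelete) {
                $results += [pscustomobject]@{
                    Tunnel    = $Matches.tunnel
                    Direction = $Matches.dir
                    SA        = $Matches.sa
                }
            }
        }
    }
    return $results
}

# Constructed sample, mirroring the article's log excerpt
$sample = @'
Info S1_VPN_ike[1076]: ipsec_delete_spi_list: [IPSEC-TestTunnel-172.16.0.0-172.16.1.0] spi=cf2a1bd5
Info S1_VPN_ike[1076]: ipsec_delete_spi_list: DELETE made us delete SA 0x730a0b6 (3 references) for proto 3
Info S1_VPN_ike[1076]: delete_spi: [IPSEC-TestTunnel-172.16.0.0-172.16.1.0] outbound sa=0x730a0b6 proto=0x842e5c0, NOT REPLACED
Info S1_VPN_ike[1076]: delete_spi: [IPSEC-TestTunnel-172.16.0.0-172.16.1.0] inbound sa=0x730a0b6 proto=0x842e5c0, NOT REPLACED
'@ -split '\r?\n'

$LogPath = $null   # placeholder, e.g. 'C:\temp\ike.log' once the file is copied off the firewall
$lines = if ($LogPath) { Get-Content -Path $LogPath } else { $sample }

$hits = @(Find-UnreplacedSaDeletes -Lines $lines)
if ($hits.Count -eq 0) {
    Write-Host 'No peer-initiated, unreplaced SA deletions found.'
} else {
    $hits | Group-Object -Property Tunnel | ForEach-Object {
        Write-Host ("Tunnel {0}: {1} SA(s) deleted at the peer's request and not replaced; compare the peer's SA idle time with the Phase 2 lifetime." -f $_.Name, $_.Count)
    }
}
```

On the constructed sample the script reports the outbound and inbound SA of IPSEC-TestTunnel-172.16.0.0-172.16.1.0; a tunnel that shows up here repeatedly at roughly 5 minute intervals is the pattern this article describes.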

This behavior is called "SA Idle Time" on the Windows ISA server and can be set via the registry. By default this time is set to 300 seconds (5 minutes); when it expires, the ISA server forces a delete of the SA on the partner gateway.


Set the "SA Idle Time" on the Windows ISA server to the same value as the Phase 2 lifetime via the following registry key (in this example 3600 seconds).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
Value name: SAIdleTime
Data Type: REG_DWORD
Value data: 3600
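The registry change above, applied and verified from an elevated PowerShell session on the ISA server. This is an added example, not part of the Barracuda solution; the parameter $Phase2LifetimeSeconds is ours and defaults to the article's 3600 seconds, so change it if your Phase 2 lifetime differs.

```powershell
# Added example (not from the Barracuda article): align the Windows ISA server's
# IPsec SA idle time with the Phase 2 lifetime configured on the NG Firewall.
# $Phase2LifetimeSeconds is an assumed parameter; run in an elevated session.
param(
    [int]$Phase2LifetimeSeconds = 3600
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'
$valueName = 'SAIdleTime'

if (-not (Test-Path -Path $keyPath)) {
    throw "Registry key $keyPath not found on this host."
}

# Read the current value; absence means the 300 second default is in effect
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) {
    Write-Host "$valueName is not set; the default of 300 s (5 min) applies."
} else {
    Write-Host "Current $valueName = $current s"
}

if ($current -ne $Phase2LifetimeSeconds) {
    # REG_DWORD as the article specifies; -Type DWord creates or overwrites the value
    Set-ItemProperty -Path $keyPath -Name $valueName -Value $Phase2LifetimeSeconds -Type DWord
    Write-Host "Set $valueName to $Phase2LifetimeSeconds s to match the Phase 2 lifetime."
}

# Read back and confirm the stored value
$after = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($after -ne $Phase2LifetimeSeconds) {
    throw "Verification failed: $valueName is $after, expected $Phase2LifetimeSeconds"
}
Write-Host "Verified: $valueName = $after s"
```

The script is idempotent: on a host where the value already matches it only reports the current setting, so it can be run again after changing the Phase 2 lifetime on the NG Firewall.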

We recommend using the default settings for Phase 1 and Phase 2 on the Windows ISA server and the netfence.

Phase I
  Main mode
  3DES
  SHA-1
  MODP Group 2 (1024 bits) for DH
  SA lifetime of 28800 seconds
  Preshared Secret

Phase II
  3DES
  SHA-1
  PFS & MODP Group 2 (1024 bits) for DH
  SA lifetime of 3600 seconds
  Disabled kilobyte lifetime


Link to This Page:

https://campus.barracuda.com/solution/50160000000IKbzAAG