Looks like they are sending a delete. I guess I will delete and recreate this tunnel
isakmpd: Peer 1.1.1.1 made us delete live SA <unnamed> for proto 1, initiator id: 1.1.1.1, responder id: 2.2.2.2

On Tue, Nov 17, 2009 at 10:37 AM, Christoph Leser <le...@sup-logistik.de> wrote:
> Are you sure that obsd does not try to initiate the connection at least
> once?
>
> I have noticed the following problem with Cisco:
>
> Some Cisco models delete the security association after an inactivity
> timeout, they call it "Cisco IPSec Security Association Idle Timers".
>
> When this happens, OpenBSD drops the information for this tunnel and is
> unable to recreate it. Cisco keeps the information and can reestablish the
> connection when someone pings or otherwise addresses the remote end.
>
> I had a short conversation about this with Hans-Jörg Höxer, but cannot say
> whether this behaviour is desired or considered a bug.
>
> I would try to delete the tunnel completely and configure it again while
> running tcpdump on the external interface (or enable isakmpd packet
> capture, see the -L switch of isakmpd).
>
> This will at least answer the question whether OpenBSD attempts to
> establish the connection when the tunnel is defined for the first time.
>
> Regards
>
> Christoph
>
> > -----Original Message-----
> > From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
> > On behalf of Chris Bullock
> > Sent: Tuesday, 17 November 2009 15:45
> > To: misc@openbsd.org
> > Subject: isakmpd will not initiate connection to Cisco ASA
> >
> >
> > We have many tunnels and for some reason I just set up a
> > tunnel with a Cisco ASA and we cannot initiate the
> > connection from the OpenBSD side. If the Cisco side pings a
> > device on the OpenBSD side the tunnel comes up. On the Cisco
> > side they have bidirectional enabled, and they are not seeing
> > the OpenBSD try to initiate the tunnel. Any help would be
> > appreciated,
> >
> > Regards,
> > Chris Bullock
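
Added example, not part of the thread and not code from isakmpd: a small Python scan of syslog text for the "made us delete live SA" message quoted above, grouping peer-initiated deletes by peer and flagging peers whose deletes recur at a near-constant interval. The syslog prefix (timestamp, host `gw`, pid), the sample lines, the year default and the `tolerance`/`min_events` thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Message text as quoted in the thread; the syslog prefix is an assumption.
DELETE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ isakmpd(?:\[\d+\])?: "
    r"Peer (?P<peer>\S+) made us delete live SA (?P<sa>\S+) "
    r"for proto (?P<proto>\d+), "
    r"initiator id: (?P<init>[^,\s]+), responder id: (?P<resp>\S+)$"
)

# Constructed sample log (addresses follow the thread's placeholders).
SAMPLE_LOG = """\
Nov 17 09:00:12 gw isakmpd[4711]: Peer 1.1.1.1 made us delete live SA <unnamed> for proto 1, initiator id: 1.1.1.1, responder id: 2.2.2.2
Nov 17 09:30:12 gw isakmpd[4711]: Peer 1.1.1.1 made us delete live SA <unnamed> for proto 1, initiator id: 1.1.1.1, responder id: 2.2.2.2
Nov 17 09:41:03 gw sshd[902]: Accepted publickey for admin from 10.0.0.5
Nov 17 10:00:13 gw isakmpd[4711]: Peer 1.1.1.1 made us delete live SA <unnamed> for proto 1, initiator id: 1.1.1.1, responder id: 2.2.2.2
Nov 17 10:05:40 gw isakmpd[4711]: Peer 3.3.3.3 made us delete live SA <unnamed> for proto 1, initiator id: 2.2.2.2, responder id: 3.3.3.3
"""

def peer_deletes(log_text, year=2009):
    """Return {peer: [datetime, ...]} for peer-initiated SA deletes."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = DELETE_RE.match(line.strip())
        if m:  # unrelated syslog lines are ignored
            stamp = f"{year} {m.group('ts')}"  # syslog carries no year
            events[m.group("peer")].append(
                datetime.strptime(stamp, "%Y %b %d %H:%M:%S"))
    return dict(events)

def periodic_peers(events, tolerance=60, min_events=3):
    """Return {peer: mean gap in seconds} for peers whose deletes are evenly
    spaced, which points to a timer on the peer rather than ad-hoc teardown."""
    result = {}
    for peer, times in events.items():
        if len(times) < max(min_events, 2):
            continue  # too few deletes to judge spacing
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= tolerance:
            result[peer] = sum(gaps) / len(gaps)
    return result

if __name__ == "__main__":
    for peer, gap in periodic_peers(peer_deletes(SAMPLE_LOG)).items():
        print(f"{peer}: deletes recur about every {gap:.0f}s")
```

A mean gap that matches the idle timeout configured on the remote device would support the explanation given in the quoted reply; the script only reports spacing and does not inspect the Cisco side.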