Tuesday, May 13, 2008

VPN: Clearing IPSEC Tunnels

As per the IPSEC Checklist and Best Practices, whenever changes are going to be done to live IPSEC tunnels, it is a good practice to turn off the tunnels.

Cisco IOS Router:
clear crypto isakmp []
clear crypto sa entry

Cisco PIX 6.X / 7.X:
clear crypto isakmp sa
clear crypto ipsec sa

VPN Concentrator 3000:
Administration --> Administer Sessions --> Logout link of tunnel

PIX / ASA: %PIX|ASA-6-302014: Teardown TCP connection

%PIXASA-6-302014: Teardown TCP connection id for interface:real-address/real-port to interface:real-address/real-port duration hh:mm:ss bytes bytes [reason] [(user)]

Explanation: A TCP connection between two hosts was deleted. The following list describes the message values:
  • connection id is an unique identifier.
  • interface, real-address, real-port identify the actual sockets.
  • duration is the lifetime of the connection.
  • bytes bytes is the data transfer of the connection.
  • user is the AAA name of the user.
The reason variable presents the action that causes the connection to terminate.

Connection ended because it was idle longer than the configured idle timeout.

Deny Termiate
Flow was terminated by application inspection.

Failover primary closed
The standby unit in a failover pair deleted a connection because of a message received from the active unit.

FIN Timeout
Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.

Flow closed by inspection
Flow was terminated by inspection feature.

Flow terminated by IPS
Flow was terminated by IPS.

Flow reset by IPS
Flow was reset by IPS.

Flow terminated by TCP Intercept
Flow was terminated by TCP Intercept.

Invalid SYN
SYN packet not valid.

Idle Timeout
Connection timed out because it was idle longer than timeout value.

IPS fail-close
Flow was terminated due to IPS card down.

SYN Control
Back channel initiation from wrong side.

SYN Timeout
Force termination after 30 seconds awaiting three-way handshake completion.

TCP bad retransmission
Connection terminated because of bad TCP retransmission.

Normal close down sequence.

TCP Invalid SYN
Invalid TCP SYN packet.

TCP Reset-I
Reset was from the inside.

TCP Reset-O
Reset was from the outside.

TCP segment partial overlap
Detected a partially overlapping segment.

TCP unexpected window size variation
Connection terminated due to variation in the TCP window size.

Tunnel has been torn down
Flow terminated because tunnel is down.

Unauth Deny
Denied by URL filter.

Catch-all error.

Xlate Clear
Command-line removal

Other Notes:
The "inside" in TCP RESET-I refers to the more secure interface (i.e., interface with higher security level). Consequently, "outside" in TCP RESET-O refers to the less secure interface (i.e., interface with lower security level).

This is useful indetermining the source of the TCP session disconnection. That is, on which interface the disconnection was received from. Usually, it is actually the host on the interface itself that tears down the connection (could be due to failed authentication). Whatever the case, you have narrowed down the cause of the error.

The other reasons are pretty straightforward.

PIX 7.2: SYSLOG 302014