AES VPN Issues

  • We are experiencing a load of VPN issues with peers that are using AES.

    The VPN connects normally and the SAs all look hip, cool and groovy, but when a large data file starts to go across, the VPN drops.

    The symptoms are that the far end connects to an FTP server over a VPN. It works fine: P1 and P2 negotiate and are happy.
    The client does a get, and the first 20-30 megs of the file come down.
    Then the transfer stops.
    The VPN appears to be up and the SAs seem to be valid.
    Clear the ike-cookies and the VPN is usable again.

    There is no rekey set after “x” amount of transfer.
    There is plenty of throughput on the link.
    If you knock the VPN down to 3DES at both ends, the issue goes away.

    At first, we thought that this was a vendor mismatch, as the VPN was peered with a Cisco.
    But we are now seeing the identical issue with Check Point, SonicWall and WatchGuard.

    It’s easy enough to say that it’s the far end, but it’s starting to look like it’s the ISG that’s got the issue.

    Any ideas?

  • Good practical information that this may happen, thank you.
    To be more sure that the ISG with this firmware causes that, one should try AES tunnels between other devices as well, I mean between devices other than the ISG (which has already been tried). But that doesn’t help to solve the problem anyway. Perhaps newer firmware does.

  • I should have said:

    The ISG is running 6.3.0r4.0