Win2K3sp1 Server: IPSec tunnel drops out for some reason, pls help

 
 
ponga

 
      11-16-2005, 03:26 PM
Hello, we have an IPSec tunnel from a Cisco PIX -to- the endpoint, a
Win2k3sp1 Server. We use pre-shared keys. The Windows server is behind
a PIX of our own, and L2TP pass-through is enabled.
Connections can be made successfully and it is working, on the whole.
Our problem is, once in a while, the tunnel will fail, and the only
thing that shows up in the log is this:
-*-*-*-
From: Security Log (on Windows server)
Source: Security
Event ID: 547


IKE security association negotiation failed.
Mode:
Data Protection Mode (Quick Mode)

Filter:
Source IP Address 172.16.34.0
Source IP Address Mask 255.0.0.0
Destination IP Address 10.0.0.0
Destination IP Address Mask 255.255.255.0
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 192.168.0.33
IKE Peer Addr 206.171.x.x
IKE Source Port 4500
IKE Destination Port 4500
Peer Private Addr

Peer Identity:
Preshared key ID.
Peer IP Address: 206.171.x.x

Failure Point:
Me

Failure Reason:
IKE SA deleted by peer before establishment completed
Negotiation timed out

Extra Status:
Processed Quick Mode payload
Responder. Delta Time 39
0x0 0x0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-*-*-*-

Any help is VERY much appreciated!!

-Mike

 
ponga

 
      11-16-2005, 03:36 PM
Also this error:

-*-*-*-
IKE security association negotiation failed.
Mode:
Data Protection Mode (Quick Mode)

Filter:
Source IP Address 172.16.34.0
Source IP Address Mask 255.0.0.0
Destination IP Address 10.0.0.0
Destination IP Address Mask 255.255.255.0
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 192.168.0.33
IKE Peer Addr 206.171.160.1
IKE Source Port 4500
IKE Destination Port 4500
Peer Private Addr

Peer Identity:
Preshared key ID.
Peer IP Address: 206.171.160.1

Failure Point:
Me

Failure Reason:
Negotiation timed out

Extra Status:
Processed Quick Mode payload
Responder. Delta Time 62
0x0 0x0


For more information, see Help and Support Center at
-*-*-*-

Again, any help is much appreciated!!
-Mike

 
chrispsg

 
      11-16-2005, 06:26 PM
Are all clients on the Source side of things on the 172.16.34.x subnet or
are they on a 172.x.x.x subnet?

psg

"ponga" wrote in message:
> Also this error:
>
> -*-*-*-
> IKE security association negotiation failed.
> Mode:
> Data Protection Mode (Quick Mode)
>
> Filter:
> Source IP Address 172.16.34.0
> Source IP Address Mask 255.0.0.0
> Destination IP Address 10.0.0.0
> Destination IP Address Mask 255.255.255.0
> Protocol 0
> Source Port 0
> Destination Port 0
> IKE Local Addr 192.168.0.33
> IKE Peer Addr 206.171.160.1
> IKE Source Port 4500
> IKE Destination Port 4500
> Peer Private Addr
>
> Peer Identity:
> Preshared key ID.
> Peer IP Address: 206.171.160.1
>
> Failure Point:
> Me
>
> Failure Reason:
> Negotiation timed out
>
> Extra Status:
> Processed Quick Mode payload
> Responder. Delta Time 62
> 0x0 0x0
>
>
> For more information, see Help and Support Center at
> -*-*-*-
>
> Again, any help is much appreciated!!
> -Mike
>



 
ponga

 
      11-16-2005, 06:57 PM
No, the 172.16.34.0/24 network is the IP the VPN endpoint uses. Thus,
the tunnel is requested from the Internet to our outside address, then
the PIX does NAT magic and forwards it to 192.168.0.33. Once that's up
- the remote side can talk to 172.16.34.x via the tunnel. The source
(remote) is whatever, 10.x.x.x - they have a PIX that forwards requests
for 172.16.34.x through the tunnel.

Although looking at this error again... it does appear that we are
trying to get traffic BACK to them... and then it fails. Interesting...
I just don't understand this error at all. Can anyone shed some light??


-Mike

 
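An added example, not part of any post in this thread: a small parser for the Event ID 547 description text shown above that extracts the quick-mode filter and compares one side of it with the subnet the tunnel is meant to carry, such as the 172.16.34.0/24 named in the last post. The function names and the trimmed sample text are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the Event ID 547 text posted in this thread.
SAMPLE_547 = """\
IKE security association negotiation failed.
Mode:
Data Protection Mode (Quick Mode)

Filter:
Source IP Address 172.16.34.0
Source IP Address Mask 255.0.0.0
Destination IP Address 10.0.0.0
Destination IP Address Mask 255.255.255.0
IKE Local Addr 192.168.0.33
IKE Source Port 4500

Failure Point:
Me

Failure Reason:
Negotiation timed out
"""

SECTION = re.compile(r"^(Mode|Failure Point|Failure Reason):\s*$")
FIELD = re.compile(r"^((?:Source|Destination) IP Address(?: Mask)?|IKE \w+ (?:Addr|Port))\s+(\S+)$")

def parse_547(text):
    """Return the filter fields as strings and the Mode/Failure sections as line lists."""
    out, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION.match(line)
        if m:                                   # header of a multi-line section
            section = m.group(1)
            out[section] = []
        elif not line or line.endswith(":"):    # blank line or another header ends it
            section = None
        elif section:
            out[section].append(line)
        elif (f := FIELD.match(line)):          # "name value" pair inside Filter:
            out[f.group(1)] = f.group(2)
    return out

def check_selector(ev, side, expected_cidr):
    """Compare one side ('Source' or 'Destination') of the filter with the intended subnet."""
    # strict=False: the logged address may have bits set outside the logged mask
    got = ipaddress.ip_network(f"{ev[side + ' IP Address']}/{ev[side + ' IP Address Mask']}", strict=False)
    want = ipaddress.ip_network(expected_cidr)
    return {"filter": str(got), "expected": str(want), "matches": got == want}
```

For the posted event, the source side of the filter evaluates to 172.0.0.0/8, which is wider than the /24 described in the last post.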
 
 
 