https://community.cisco.com/t5/network-security/tcp-session-drops/m-p/3769322#M8163 <P>I think I see the problem. Due to ipsec lifetime being 28800. But why tcp session will drop though?</P> <P>&nbsp;</P> Thu, 27 Dec 2018 06:00:17 GMT Inkar Bektybayeva 2018-12-27T06:00:17Z https://community.cisco.com/t5/network-security/tcp-session-drops/m-p/3769313#M8161 <P>We noticed that tcp session drops during rekey time it seems like. Even though pings go through during that time. <BR />also rekey happens and random times. asa5506-X connected using vti ipsec tunnel to asa5525-x.<BR />It happens once a day. <BR />lifetime is 24 86400 on both sides. But it seems like rekey happens every 28000 although both sides are configured with 86400. And sh crypto ikev2 sa shows 86400 on both sides<BR />firmware: asa982-lfbff-k8.SPA<BR />logs from when connection drops:<BR />Dec 27 2018 09:58:19: %ASA-4-750003: Local:192.168.8.150:500 Remote:X.X.X.X:500 Username:X.X.X.X IKEv2 Negotiation aborted due to ERROR: Maximum number of retransmissions reached<BR />Dec 27 2018 09:58:19: %ASA-4-752012: IKEv2 was unsuccessful at setting up a tunnel.&nbsp; Map Tag = __vti-crypto-map-11-0-2.&nbsp; Map Sequence Number = 65280.<BR />Dec 27 2018 09:58:19: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.&nbsp; All configured IKE versions failed to establish the tunnel. Map Tag= __vti-crypto-map-11-0-2.&nbsp; Map Sequence Number = 65280.<BR />Dec 27 2018 09:58:38: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 14 per second, max configured rate is 10; Current average rate is 19 per second, max configured rate is 5; Cumulative total count is 11633<BR />Dec 27 2018 09:58:45: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2.&nbsp; Map Tag = __vti-crypto-map-11-0-2.&nbsp; Map Sequence Number = 65280.<BR />Dec 27 2018 09:58:45: %ASA-4-752011: IKEv1 Doesn't have a transform set specified<BR />Dec 27 2018 09:58:45: %ASA-5-750001: Local:192.168.8.150:500 Remote:X.X.X.X:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 192.168.8.150-192.168.8.150 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: X.X.X.X-X.X.X.X Protocol: 0 Port Range: 0-65535<BR />Dec 27 2018 09:59:45: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x73A865C1) between X.X.X.X and X.X.X.X (user= X.X.X.X) has been deleted.<BR />Dec 27 2018 09:59:45: %ASA-4-411002: Line protocol on Interface Tunnel1, changed state to down<BR />Dec 27 2018 09:59:45: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x204A286B) between X.X.X.X and X.X.X.X (user= X.X.X.X) has been deleted.<BR />Dec 27 2018 09:59:45: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2.&nbsp; Map Tag = __vti-crypto-map-10-0-1.&nbsp; Map Sequence Number = 65280.<BR />Dec 27 2018 09:59:45: %ASA-4-752011: IKEv1 Doesn't have a transform set specified<BR />Dec 27 2018 09:59:45: %ASA-5-750001: Local:X.X.X.X:500 Remote:X.X.X.X:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: X.X.X.X-X.X.X.X Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: X.X.X.X-X.X.X.X Protocol: 0 Port Range: 0-65535<BR />Dec 27 2018 09:59:45: %ASA-5-752016: IKEv2 was successful at setting up a tunnel.&nbsp; Map Tag = __vti-crypto-map-10-0-1. Map Sequence Number = 65280.<BR />Dec 27 2018 09:59:45: %ASA-5-750007: Local:X.X.X.X:500 Remote:X.X.X.X:500 Username:X.X.X.X IKEv2 SA DOWN. Reason: peer request<BR />Dec 27 2018 09:59:45: %ASA-4-113019: Group = X.X.X.X, Username = X.X.X.X, IP = X.X.X.X, Session disconnected. Session Type: LAN-to-LAN, Duration: 8h:00m:00s, Bytes xmt: 54266954, Bytes rcv: 34249377, Reason: User Requested<BR />Dec 27 2018 09:59:47: %ASA-4-752012: IKEv2 was unsuccessful at setting up a tunnel.&nbsp; Map Tag = __vti-crypto-map-13-0-4.&nbsp; Map Sequence Number = 65280.<BR />Dec 27 2018 09:59:47: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.&nbsp; All configured IKE versions failed to establish the tunnel. Map Tag= __vti-crypto-map-13-0-4.&nbsp; Map Sequence Number = 65280.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>P.S.</P> <P>We have mikrotik connected to asa5525-X and session drops never happen there.</P> Fri, 21 Feb 2020 16:36:47 GMT https://community.cisco.com/t5/network-security/tcp-session-drops/m-p/3769313#M8161 Inkar Bektybayeva 2020-02-21T16:36:47Z https://community.cisco.com/t5/network-security/tcp-session-drops/m-p/3769318#M8162 Hi<BR /><BR />Your vpn is teared down and built up right after (quite 2 min).<BR />As your tunnel 1 (vti interface goes down), I'm worried that you're saying icmp goes through but not tcp. <BR />Are you sure the configuration is aligned on both side?<BR />Can you share the output of the following command please:<BR />sh vpn-sessiondb detail l2l <BR /><BR />Also can you run debug ikev2 and ipsec to see what's going on in detail please?<BR /><BR />Does one of these devices building vpn is behind a nat?<BR /> Thu, 27 Dec 2018 05:43:01 GMT https://community.cisco.com/t5/network-security/tcp-session-drops/m-p/3769318#M8162 Francesco Molino 2018-12-27T05:43:01Z https://community.cisco.com/t5/network-security/tcp-session-drops/m-p/3769322#M8163 <P>I think I see the problem. Due to ipsec lifetime being 28800. But why tcp session will drop though?</P> <P>&nbsp;</P> Thu, 27 Dec 2018 06:00:17 GMT https://community.cisco.com/t5/network-security/tcp-session-drops/m-p/3769322#M8163 Inkar Bektybayeva 2018-12-27T06:00:17Z