CSCvh14743 - IKEv2 MOBIKE session with Strongswan/3rd party client fails due to DPD with NAT detection payload.

JMassie
Level 1

I am seeing a similar issue in 9.8(3) where the client's SonicWall is sending DPDs but we are not negotiating a MOBIKE session.
Is anyone else familiar with the following scenario?

Peer-1
Cisco ASA 9.8(3)
L2L using IKEv2
DfltGrpPlcy idle timeout 30 minutes

Peer-2
SonicWall NSA 4600 -
Firmware: (6.2.6.1-25n)
L2L using IKEv2
Sending constant DPDs to Cisco ASA

----
Issue:
Tunnel passes interesting traffic to one host in the encryption domain, but not the second host, for 30 minutes; then both SAs drop, and 4-5 minutes later a re-key occurs and both SAs re-establish.
Essentially, even though SA-1 is actively seeing interesting traffic to its destination, the ASA drops the connection entirely because SA-2 hasn't had traffic in 30 minutes (since its initialization).
SYSLOG only records "IKEv2 SA DOWN. Reason: unknown"

Workaround:
The client sends ICMPs to the production host, so I asked them to add another cron job to send them to the test host at the same frequency and the issue stopped occurring. Afterwards, I found the bug in the title (CSCvh14743) which is similar in nature, although it was supposed to be resolved in 9.8(3). 
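One way to triage this pattern from the ASA syslog, as an added example that is not part of the original post: the script below flags "IKEv2 SA DOWN. Reason: unknown" events whose SA lifetime lands on the 30-minute idle timeout, which is what the symptom above looks like in the log. The log line layout, hostnames and addresses are constructed assumptions; only the "IKEv2 SA DOWN. Reason: unknown" text comes from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not taken from the original post). Hostname,
# addresses and timestamps are made up; only the SA DOWN reason text is from the thread.
SAMPLE_LOG = """\
Jan 10 08:00:01 asa1 Local:198.51.100.1:500 Remote:203.0.113.7:500 IKEv2 SA UP. Reason: New Connection Established
Jan 10 08:30:02 asa1 Local:198.51.100.1:500 Remote:203.0.113.7:500 IKEv2 SA DOWN. Reason: unknown
Jan 10 08:34:40 asa1 Local:198.51.100.1:500 Remote:203.0.113.7:500 IKEv2 SA UP. Reason: New Connection Established
Jan 10 09:10:15 asa1 Local:198.51.100.1:500 Remote:203.0.113.7:500 IKEv2 SA DOWN. Reason: administrative
"""

# Assumed line layout: syslog timestamp, host, then the Remote: peer and the SA state/reason.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ .*?Remote:(?P<peer>\S+) "
    r".*?IKEv2 SA (?P<state>UP|DOWN)\. Reason: (?P<reason>.*)$"
)


def find_idle_timeout_drops(log_text, idle_timeout=timedelta(minutes=30),
                            tolerance=timedelta(minutes=2)):
    """Return SA DOWN events with 'Reason: unknown' whose SA lifetime is within
    `tolerance` of `idle_timeout`, i.e. drops that look like the group-policy
    idle timer firing rather than a peer-initiated teardown."""
    last_up = {}      # peer -> timestamp of its most recent SA UP
    suspicious = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year is irrelevant for deltas
        peer = m["peer"]
        if m["state"] == "UP":
            last_up[peer] = ts
            continue
        up = last_up.pop(peer, None)
        if up is None or m["reason"].strip() != "unknown":
            continue
        lifetime = ts - up
        if abs(lifetime - idle_timeout) <= tolerance:
            suspicious.append({"peer": peer, "up": up, "down": ts,
                               "uptime_min": lifetime.total_seconds() / 60})
    return suspicious


if __name__ == "__main__":
    for hit in find_idle_timeout_drops(SAMPLE_LOG):
        print(f"{hit['peer']}: SA lived {hit['uptime_min']:.1f} min before a 'Reason: unknown' drop")
```

A run of hits with lifetimes clustering on the configured idle timeout, followed by an SA UP a few minutes later, points at the idle timer rather than DPD or the peer.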