cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


257
Views
0
Helpful
1
Replies
Beginner

Rekeying issue on IPSEC

Good day 

 

I have a ASA 5520 that has a L2L connection to a Palo Alto firewall the user on the PA side is saying that in his logs he sees the connection rekeying every so often.  I check my logs and I think this is what he is talking about:

May 02 2019 09:24:07: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC59D179F) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been created.
May 02 2019 09:24:07: %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xC0C99131) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been created.
May 02 2019 09:24:07: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC6CBA532) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been deleted.
May 02 2019 09:24:07: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xFC76B767)

between 38.142.65.154 and 207.126.125.10 (user= 38.142.65.154) has been deleted.

May 02 2019 09:24:12: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xFBCCD4D6) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been created.
May 02 2019 09:24:12: %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xAB1747AD) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been created.
May 02 2019 09:24:12: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC59D179F) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been deleted.
May 02 2019 09:24:12: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xC0C99131) between 38.142.65.154 and 207.126.125.10 (user= 38.142.65.154) has been deleted.

What would be the cause of this?  I check my configs and nothing has changed, this just popped up this week. We installed this connection back in Jan or this year.  He suggest that perhaps I change my traffic selection??  Not sure what that is....anyone has any suggestions?

 

config:

object-group network Seed-Local-host
network-object 10.17.10.0 255.255.255.0

object-group network Seed-Remote-host
network-object 10.50.10.0 255.255.255.128
network-object 10.60.10.0 255.255.255.128
network-object 10.66.0.76 255.255.255.252
network-object 10.50.10.129 255.255.255.255

object-group network Seed-PAT
network-object 10.77.0.112 255.255.255.248

object-group network GW-Seed-Nat
network-object 10.17.10.73 255.255.255.255

object-group network Seed-NAT
network-object 10.77.0.113 255.255.255.255


access-list OUTSIDE_cryptomap_2 extended permit ip object-group Seed-NAT object-group Seed-Remote-host
access-list OUTSIDE_cryptomap_2 extended permit ip object-group Seed-PAT object-group Seed-Remote-host

nat (INSIDE,OUTSIDE) source static GW-Seed-Nat Seed-NAT destination static Seed-Remote-host Seed-Remote-host

crypto ipsec ikev2 ipsec-proposal ikev2-proposal
protocol esp encryption 3des
protocol esp integrity sha-1

crypto map OUTSIDE_map 4 match address OUTSIDE_cryptomap_2
crypto map OUTSIDE_map 4 set peer 38.142.65.154
crypto map OUTSIDE_map 4 set ikev2 ipsec-proposal ikev2-proposal DES 3DES AES AES192 AES256

crypto ikev2 policy 50
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 28800

group-policy SEED internal
group-policy SEED attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev2

tunnel-group 38.142.65.154 type ipsec-l2l
tunnel-group 38.142.65.154 general-attributes
default-group-policy SEED
tunnel-group 38.142.65.154 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

 

Thank you in advance for your help!!

 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Beginner

Re: Rekeying issue on IPSEC

Thank you all for your help but I have fixed the issue, anyone else that has this issue here is the fix:

This only pertains to ASA running version PRE-9.7 and in my case I am connecting to a Palo Alto so 

not sure if this is specific to Palo Alto only or if this is in general.  Now that is over with here is the fix

Because I am running PRE-9.1 ....8.4(7)30 to be exact what needs to be done on the Palo Alto side

is that they need to enable on the IPSEC Tunnel something called "PROXY ID" , don't have specifics on this

but once that was enabled the rekeying every 2 mins issue went away and the connection behaved as it should.  Hope this helps someone in the future....thank you again for your help!!!

1 REPLY 1
Highlighted
Beginner

Re: Rekeying issue on IPSEC

Thank you all for your help but I have fixed the issue, anyone else that has this issue here is the fix:

This only pertains to ASA running version PRE-9.7 and in my case I am connecting to a Palo Alto so 

not sure if this is specific to Palo Alto only or if this is in general.  Now that is over with here is the fix

Because I am running PRE-9.1 ....8.4(7)30 to be exact what needs to be done on the Palo Alto side

is that they need to enable on the IPSEC Tunnel something called "PROXY ID" , don't have specifics on this

but once that was enabled the rekeying every 2 mins issue went away and the connection behaved as it should.  Hope this helps someone in the future....thank you again for your help!!!