5499 Views, 5 Helpful, 1 Reply

Rekeying issue on IPSEC

Warren
Level 1

Good day,

I have an ASA 5520 that has an L2L connection to a Palo Alto firewall. The user on the PA side is saying that in his logs he sees the connection rekeying every so often. I checked my logs and I think this is what he is talking about:

May 02 2019 09:24:07: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC59D179F) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been created.
May 02 2019 09:24:07: %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xC0C99131) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been created.
May 02 2019 09:24:07: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC6CBA532) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been deleted.
May 02 2019 09:24:07: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xFC76B767) between 38.142.65.154 and 207.126.125.10 (user= 38.142.65.154) has been deleted.

May 02 2019 09:24:12: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xFBCCD4D6) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been created.
May 02 2019 09:24:12: %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xAB1747AD) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been created.
May 02 2019 09:24:12: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC59D179F) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been deleted.
May 02 2019 09:24:12: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xC0C99131) between 38.142.65.154 and 207.126.125.10 (user= 38.142.65.154) has been deleted.

What would be the cause of this? I checked my configs and nothing has changed; this just popped up this week. We installed this connection back in Jan of this year. He suggests that perhaps I change my traffic selection?? Not sure what that is... anyone have any suggestions?

config:

object-group network Seed-Local-host
network-object 10.17.10.0 255.255.255.0

object-group network Seed-Remote-host
network-object 10.50.10.0 255.255.255.128
network-object 10.60.10.0 255.255.255.128
network-object 10.66.0.76 255.255.255.252
network-object 10.50.10.129 255.255.255.255

object-group network Seed-PAT
network-object 10.77.0.112 255.255.255.248

object-group network GW-Seed-Nat
network-object 10.17.10.73 255.255.255.255

object-group network Seed-NAT
network-object 10.77.0.113 255.255.255.255
access-list OUTSIDE_cryptomap_2 extended permit ip object-group Seed-NAT object-group Seed-Remote-host
access-list OUTSIDE_cryptomap_2 extended permit ip object-group Seed-PAT object-group Seed-Remote-host

nat (INSIDE,OUTSIDE) source static GW-Seed-Nat Seed-NAT destination static Seed-Remote-host Seed-Remote-host

crypto ipsec ikev2 ipsec-proposal ikev2-proposal
protocol esp encryption 3des
protocol esp integrity sha-1

crypto map OUTSIDE_map 4 match address OUTSIDE_cryptomap_2
crypto map OUTSIDE_map 4 set peer 38.142.65.154
crypto map OUTSIDE_map 4 set ikev2 ipsec-proposal ikev2-proposal DES 3DES AES AES192 AES256

crypto ikev2 policy 50
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 28800

group-policy SEED internal
group-policy SEED attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev2

tunnel-group 38.142.65.154 type ipsec-l2l
tunnel-group 38.142.65.154 general-attributes
default-group-policy SEED
tunnel-group 38.142.65.154 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

Thank you in advance for your help!!
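As an added illustration (not part of the original thread), here is a small Python parser for the %ASA-6-602303/602304 lines quoted above. It measures how long each SPI actually lived and how often new SAs are created per peer and direction, so churn like the 5-second gap in the excerpt stands out against the expected SA lifetime. The sample lines are constructed in the excerpt's own format, and the 28800 s lifetime passed in is an assumption for the IPsec SA.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the poster's excerpt (message IDs: 602303 = SA created,
# 602304 = SA deleted); in real use read these from the ASA syslog feed instead.
SAMPLE_LOG = """\
May 02 2019 09:24:07: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC59D179F) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been created.
May 02 2019 09:24:07: %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xC0C99131) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been created.
May 02 2019 09:24:07: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC6CBA532) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been deleted.
May 02 2019 09:24:12: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xFBCCD4D6) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been created.
May 02 2019 09:24:12: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC59D179F) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been deleted.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-6-60230[34]: IPSEC: "
    r"An (?P<dir>inbound|outbound) LAN-to-LAN SA \(SPI= (?P<spi>0x[0-9A-Fa-f]+)\) "
    r"between [\d.]+ and [\d.]+ \(user= (?P<peer>[\d.]+)\) has been (?P<event>created|deleted)\.$"
)

def parse_events(text):
    """Turn ASA 602303/602304 syslog lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%b %d %Y %H:%M:%S")
            events.append(d)
    return events

def observed_sa_lifetimes(events):
    """Seconds each SPI lived, for SPIs whose creation and deletion both appear in the log."""
    created = {e["spi"]: e["ts"] for e in events if e["event"] == "created"}
    return {e["spi"]: (e["ts"] - created[e["spi"]]).total_seconds()
            for e in events if e["event"] == "deleted" and e["spi"] in created}

def rekey_intervals(events, peer, direction):
    """Gaps in seconds between successive SA creations for one peer and direction."""
    stamps = sorted(e["ts"] for e in events
                    if e["event"] == "created" and e["peer"] == peer and e["dir"] == direction)
    return [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]

def churn_alerts(events, expected_lifetime, fraction=0.1):
    """SPIs torn down well inside the expected lifetime: not a scheduled rekey, worth alerting on."""
    return sorted(spi for spi, secs in observed_sa_lifetimes(events).items()
                  if secs < expected_lifetime * fraction)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(rekey_intervals(evs, "38.142.65.154", "outbound"), churn_alerts(evs, 28800))
```

A scheduled rekey shows a fresh SPI created shortly before the old one is deleted, with the old SPI having lived close to the configured lifetime; SPIs that live seconds, as here, point to a negotiation problem rather than normal rekeying.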

Accepted Solution

Warren
Level 1

Thank you all for your help, but I have fixed the issue. For anyone else who has this issue, here is the fix:

This only pertains to ASAs running versions PRE-9.7, and in my case I am connecting to a Palo Alto, so I am not sure if this is specific to Palo Alto only or if it applies in general. Now that that is over with, here is the fix:

Because I am running PRE-9.1 (8.4(7)30 to be exact), what needs to be done on the Palo Alto side is that they need to enable something called "Proxy ID" on the IPSEC tunnel. I don't have specifics on this, but once that was enabled the rekeying-every-2-minutes issue went away and the connection behaved as it should. Hope this helps someone in the future... thank you again for your help!!!
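To make the "traffic selection" the PA admin mentioned and the Proxy ID fix concrete, here is an added Python example (not from the thread, Cisco or Palo Alto) that expands the crypto ACL from the poster's config into the (local, remote) network pairs the ASA negotiates, one IPsec SA per expanded ACE; these are the pairs the Palo Alto side's proxy IDs need to mirror, with local and remote swapped from its perspective. The config excerpt is copied from the post; the operand handling for host, any and address/mask is an assumption for other ACL styles.

```python
import ipaddress
# Constructed excerpt of the poster's config: object-groups plus the crypto ACL bound to the PA peer.
ASA_CONFIG = """\
object-group network Seed-Remote-host
network-object 10.50.10.0 255.255.255.128
network-object 10.60.10.0 255.255.255.128
network-object 10.66.0.76 255.255.255.252
network-object 10.50.10.129 255.255.255.255
object-group network Seed-PAT
network-object 10.77.0.112 255.255.255.248
object-group network Seed-NAT
network-object 10.77.0.113 255.255.255.255
access-list OUTSIDE_cryptomap_2 extended permit ip object-group Seed-NAT object-group Seed-Remote-host
access-list OUTSIDE_cryptomap_2 extended permit ip object-group Seed-PAT object-group Seed-Remote-host
"""
def parse_object_groups(config):
    """Map each 'object-group network' name to its list of member networks."""
    groups, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("object-group network "):
            current = line.split()[2]
            groups[current] = []
        elif line.startswith("network-object ") and current:
            addr, mask = line.split()[1:3]
            groups[current].append(ipaddress.ip_network(f"{addr}/{mask}"))
        else:
            current = None  # any other line ends the group body
    return groups

def _operand(tokens, groups):
    # One ACE address operand: object-group NAME | host IP | any | ADDR MASK
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1])], tokens[2:]
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]

def proxy_ids(config, acl_name):
    """Expand a crypto ACL into (local, remote) CIDR pairs, one per negotiated IPsec SA."""
    groups, pairs = parse_object_groups(config), []
    for line in config.splitlines():
        tok = line.split()
        if tok[:5] != ["access-list", acl_name, "extended", "permit", "ip"]:
            continue
        src, rest = _operand(tok[5:], groups)
        dst, _ = _operand(rest, groups)
        pairs += [(str(s), str(d)) for s in src for d in dst]
    return pairs
```

A peer with no proxy IDs defined proposes 0.0.0.0/0 for both sides, which is what the any/any branch produces; comparing that against the eight specific pairs this ACL yields shows why the two ends did not agree on selectors until Proxy IDs were added.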

