4867 Views, 0 Helpful, 2 Replies

TCP session drops.

i.
Level 1

We noticed that TCP sessions drop during rekey time, it seems, even though pings go through during that time.
Also, rekey happens at random times. ASA5506-X connected using a VTI IPsec tunnel to ASA5525-X.
It happens once a day.
Lifetime is 24 86400 on both sides. But it seems like rekey happens every 28000 although both sides are configured with 86400. And sh crypto ikev2 sa shows 86400 on both sides.
Firmware: asa982-lfbff-k8.SPA
Logs from when the connection drops:
Dec 27 2018 09:58:19: %ASA-4-750003: Local:192.168.8.150:500 Remote:X.X.X.X:500 Username:X.X.X.X IKEv2 Negotiation aborted due to ERROR: Maximum number of retransmissions reached
Dec 27 2018 09:58:19: %ASA-4-752012: IKEv2 was unsuccessful at setting up a tunnel.  Map Tag = __vti-crypto-map-11-0-2.  Map Sequence Number = 65280.
Dec 27 2018 09:58:19: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= __vti-crypto-map-11-0-2.  Map Sequence Number = 65280.
Dec 27 2018 09:58:38: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 14 per second, max configured rate is 10; Current average rate is 19 per second, max configured rate is 5; Cumulative total count is 11633
Dec 27 2018 09:58:45: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2.  Map Tag = __vti-crypto-map-11-0-2.  Map Sequence Number = 65280.
Dec 27 2018 09:58:45: %ASA-4-752011: IKEv1 Doesn't have a transform set specified
Dec 27 2018 09:58:45: %ASA-5-750001: Local:192.168.8.150:500 Remote:X.X.X.X:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 192.168.8.150-192.168.8.150 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: X.X.X.X-X.X.X.X Protocol: 0 Port Range: 0-65535
Dec 27 2018 09:59:45: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x73A865C1) between X.X.X.X and X.X.X.X (user= X.X.X.X) has been deleted.
Dec 27 2018 09:59:45: %ASA-4-411002: Line protocol on Interface Tunnel1, changed state to down
Dec 27 2018 09:59:45: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x204A286B) between X.X.X.X and X.X.X.X (user= X.X.X.X) has been deleted.
Dec 27 2018 09:59:45: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2.  Map Tag = __vti-crypto-map-10-0-1.  Map Sequence Number = 65280.
Dec 27 2018 09:59:45: %ASA-4-752011: IKEv1 Doesn't have a transform set specified
Dec 27 2018 09:59:45: %ASA-5-750001: Local:X.X.X.X:500 Remote:X.X.X.X:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: X.X.X.X-X.X.X.X Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: X.X.X.X-X.X.X.X Protocol: 0 Port Range: 0-65535
Dec 27 2018 09:59:45: %ASA-5-752016: IKEv2 was successful at setting up a tunnel.  Map Tag = __vti-crypto-map-10-0-1. Map Sequence Number = 65280.
Dec 27 2018 09:59:45: %ASA-5-750007: Local:X.X.X.X:500 Remote:X.X.X.X:500 Username:X.X.X.X IKEv2 SA DOWN. Reason: peer request
Dec 27 2018 09:59:45: %ASA-4-113019: Group = X.X.X.X, Username = X.X.X.X, IP = X.X.X.X, Session disconnected. Session Type: LAN-to-LAN, Duration: 8h:00m:00s, Bytes xmt: 54266954, Bytes rcv: 34249377, Reason: User Requested
Dec 27 2018 09:59:47: %ASA-4-752012: IKEv2 was unsuccessful at setting up a tunnel.  Map Tag = __vti-crypto-map-13-0-4.  Map Sequence Number = 65280.
Dec 27 2018 09:59:47: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= __vti-crypto-map-13-0-4.  Map Sequence Number = 65280.
P.S.

We have a MikroTik connected to the ASA5525-X and session drops never happen there.
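An added example (not from the thread): a small Python checker that walks ASA syslog lines like the ones quoted above, spots the SA-deleted / Tunnel1-down / IKEv2-SA-DOWN cluster that marks a real teardown rather than an in-place rekey, and compares the session duration reported in the 113019 message with the lifetime configured on the box. The message IDs and masked addresses are taken from the post; the 5-second clustering window and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the ASA syslog lines quoted in the post,
# with peer addresses left masked as X.X.X.X exactly as the poster did.
SAMPLE_LOG = """\
Dec 27 2018 09:58:19: %ASA-4-750003: Local:192.168.8.150:500 Remote:X.X.X.X:500 Username:X.X.X.X IKEv2 Negotiation aborted due to ERROR: Maximum number of retransmissions reached
Dec 27 2018 09:59:45: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x73A865C1) between X.X.X.X and X.X.X.X (user= X.X.X.X) has been deleted.
Dec 27 2018 09:59:45: %ASA-4-411002: Line protocol on Interface Tunnel1, changed state to down
Dec 27 2018 09:59:45: %ASA-5-750007: Local:X.X.X.X:500 Remote:X.X.X.X:500 Username:X.X.X.X IKEv2 SA DOWN. Reason: peer request
Dec 27 2018 09:59:45: %ASA-4-113019: Group = X.X.X.X, Username = X.X.X.X, IP = X.X.X.X, Session disconnected. Session Type: LAN-to-LAN, Duration: 8h:00m:00s, Bytes xmt: 54266954, Bytes rcv: 34249377, Reason: User Requested
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(?P<msgid>\d{6}): (?P<text>.*)$")
DURATION_RE = re.compile(r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s")
# Seen together, these IDs mean a teardown (SA deleted, Tunnel1 down, IKEv2 SA down), not an in-place rekey.
TEARDOWN_IDS = {"602304", "411002", "750007"}

def parse(log_text):
    """Return (timestamp, message_id, text) for each well-formed ASA syslog line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %Y %H:%M:%S")
            events.append((ts, m["msgid"], m["text"]))
    return events

def duration_seconds(text):
    """Convert the 'Duration: 8h:00m:00s' field of a 113019 message to seconds."""
    m = DURATION_RE.search(text)
    return None if m is None else int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])

def find_teardowns(events, window_s=5):
    """Cluster teardown messages around each Tunnel1-down event; return (time, session_seconds)."""
    found = []
    for ts, msgid, _ in events:
        if msgid != "411002":  # anchor each cluster on the 'Tunnel1 changed state to down' message
            continue
        cluster = [e for e in events if abs((e[0] - ts).total_seconds()) <= window_s]
        if TEARDOWN_IDS <= {e[1] for e in cluster}:
            dur = next((duration_seconds(e[2]) for e in cluster if e[1] == "113019"), None)
            found.append((ts, dur))
    return found

def short_lived(teardowns, configured_lifetime_s=86400):
    """Teardowns whose session lasted well under the lifetime configured on the ASA (assumed 86400 here)."""
    return [(ts, d) for ts, d in teardowns if d is not None and d < configured_lifetime_s]
```

Running `short_lived(find_teardowns(parse(SAMPLE_LOG)))` on the quoted lines flags one teardown with an 8-hour (28800 s) session, which is the mismatch with the configured 86400 s lifetime that the thread ends up pointing at.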

Accepted Solution

Francesco Molino
VIP Alumni
Hi

Your VPN is torn down and built up right after (about 2 min).
As your Tunnel1 (VTI interface) goes down, I'm worried that you're saying ICMP goes through but not TCP.
Are you sure the configuration is aligned on both sides?
Can you share the output of the following command please:
sh vpn-sessiondb detail l2l

Also, can you run debug ikev2 and ipsec to see what's going on in detail please?

Is one of the devices building the VPN behind a NAT?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


2 Replies


I think I see the problem. It is due to the IPsec lifetime being 28800. But why would the TCP session drop, though?
