12-26-2018 09:30 PM - edited 02-21-2020 08:36 AM
We noticed that TCP sessions drop during rekey time, it seems, even though pings go through during that time.
Also, rekey happens at random times. An ASA5506-X is connected to an ASA5525-X using a VTI IPsec tunnel.
It happens once a day.
Lifetime is 24 86400 on both sides. But it seems like rekey happens every 28000 although both sides are configured with 86400, and sh crypto ikev2 sa shows 86400 on both sides.
Firmware: asa982-lfbff-k8.SPA
Logs from when the connection drops:
Dec 27 2018 09:58:19: %ASA-4-750003: Local:192.168.8.150:500 Remote:X.X.X.X:500 Username:X.X.X.X IKEv2 Negotiation aborted due to ERROR: Maximum number of retransmissions reached
Dec 27 2018 09:58:19: %ASA-4-752012: IKEv2 was unsuccessful at setting up a tunnel. Map Tag = __vti-crypto-map-11-0-2. Map Sequence Number = 65280.
Dec 27 2018 09:58:19: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= __vti-crypto-map-11-0-2. Map Sequence Number = 65280.
Dec 27 2018 09:58:38: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 14 per second, max configured rate is 10; Current average rate is 19 per second, max configured rate is 5; Cumulative total count is 11633
Dec 27 2018 09:58:45: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = __vti-crypto-map-11-0-2. Map Sequence Number = 65280.
Dec 27 2018 09:58:45: %ASA-4-752011: IKEv1 Doesn't have a transform set specified
Dec 27 2018 09:58:45: %ASA-5-750001: Local:192.168.8.150:500 Remote:X.X.X.X:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 192.168.8.150-192.168.8.150 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: X.X.X.X-X.X.X.X Protocol: 0 Port Range: 0-65535
Dec 27 2018 09:59:45: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x73A865C1) between X.X.X.X and X.X.X.X (user= X.X.X.X) has been deleted.
Dec 27 2018 09:59:45: %ASA-4-411002: Line protocol on Interface Tunnel1, changed state to down
Dec 27 2018 09:59:45: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x204A286B) between X.X.X.X and X.X.X.X (user= X.X.X.X) has been deleted.
Dec 27 2018 09:59:45: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = __vti-crypto-map-10-0-1. Map Sequence Number = 65280.
Dec 27 2018 09:59:45: %ASA-4-752011: IKEv1 Doesn't have a transform set specified
Dec 27 2018 09:59:45: %ASA-5-750001: Local:X.X.X.X:500 Remote:X.X.X.X:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: X.X.X.X-X.X.X.X Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: X.X.X.X-X.X.X.X Protocol: 0 Port Range: 0-65535
Dec 27 2018 09:59:45: %ASA-5-752016: IKEv2 was successful at setting up a tunnel. Map Tag = __vti-crypto-map-10-0-1. Map Sequence Number = 65280.
Dec 27 2018 09:59:45: %ASA-5-750007: Local:X.X.X.X:500 Remote:X.X.X.X:500 Username:X.X.X.X IKEv2 SA DOWN. Reason: peer request
Dec 27 2018 09:59:45: %ASA-4-113019: Group = X.X.X.X, Username = X.X.X.X, IP = X.X.X.X, Session disconnected. Session Type: LAN-to-LAN, Duration: 8h:00m:00s, Bytes xmt: 54266954, Bytes rcv: 34249377, Reason: User Requested
Dec 27 2018 09:59:47: %ASA-4-752012: IKEv2 was unsuccessful at setting up a tunnel. Map Tag = __vti-crypto-map-13-0-4. Map Sequence Number = 65280.
Dec 27 2018 09:59:47: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= __vti-crypto-map-13-0-4. Map Sequence Number = 65280.
P.S.
We have a MikroTik connected to the ASA5525-X and session drops never happen there.
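One way to pick this pattern out of a larger syslog feed, as an added example that is not from the original post or from Cisco: a small Python script that parses ASA message IDs, flags an IKEv2 negotiation failure (750003/752015) followed shortly by the Tunnel line protocol going down (411002), and flags a LAN-to-LAN session (113019) torn down well before the 86400 s lifetime the post says is configured. The sample lines are constructed from the ones above with the same X.X.X.X masking; the 120-second correlation window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: abridged copies of the ASA syslog lines shown in the post,
# with peer addresses masked as X.X.X.X just as the poster did.
SAMPLE_LOG = """\
Dec 27 2018 09:58:19: %ASA-4-750003: Local:192.168.8.150:500 Remote:X.X.X.X:500 Username:X.X.X.X IKEv2 Negotiation aborted due to ERROR: Maximum number of retransmissions reached
Dec 27 2018 09:58:19: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= __vti-crypto-map-11-0-2. Map Sequence Number = 65280.
Dec 27 2018 09:59:45: %ASA-4-411002: Line protocol on Interface Tunnel1, changed state to down
Dec 27 2018 09:59:45: %ASA-4-113019: Group = X.X.X.X, Username = X.X.X.X, IP = X.X.X.X, Session disconnected. Session Type: LAN-to-LAN, Duration: 8h:00m:00s, Bytes xmt: 54266954, Bytes rcv: 34249377, Reason: User Requested
"""
CONFIGURED_LIFETIME = 86400  # seconds; the post states this for both peers
IKE_FAILURE_IDS = {"750003", "752015"}  # IKEv2 / Tunnel Manager failures
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
                     r"%ASA-\d-(?P<id>\d{6}): (?P<msg>.*)$")
DURATION_RE = re.compile(r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s")

def parse_line(line):
    """Split one ASA syslog line into timestamp, message ID and message text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %Y %H:%M:%S")
    return {"ts": ts, "raw_ts": m["ts"], "id": m["id"], "msg": m["msg"]}

def duration_seconds(msg):
    """Convert the 'Duration: 8h:00m:00s' field of a 113019 message to seconds."""
    m = DURATION_RE.search(msg)
    return None if not m else int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])

def analyze(log_text, lifetime=CONFIGURED_LIFETIME, window=120):
    """Findings: ('flap', ts, n) when Tunnel line protocol goes down (411002) within
    `window` seconds of n IKEv2 failures; ('short_sa', ts, secs) when a LAN-to-LAN
    session (113019) is torn down before the configured lifetime. 120 s is assumed."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    failures = [e for e in events if e["id"] in IKE_FAILURE_IDS]
    findings = []
    for e in events:
        if e["id"] == "411002":
            n = sum(1 for f in failures if 0 <= (e["ts"] - f["ts"]).total_seconds() <= window)
            if n:
                findings.append(("flap", e["raw_ts"], n))
        elif e["id"] == "113019":
            d = duration_seconds(e["msg"])
            if d is not None and d < lifetime:
                findings.append(("short_sa", e["raw_ts"], d))
    return findings
```

Run against the sample, it reports one flap preceded by two IKEv2 failures and one SA that lived 28800 s (8h) against a configured 86400 s, which is the mismatch the post describes.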