05-02-2019 07:34 AM
Good day
I have an ASA 5520 that has an L2L connection to a Palo Alto firewall. The user on the PA side is saying that in his logs he sees the connection rekeying every so often. I checked my logs and I think this is what he is talking about:
May 02 2019 09:24:07: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC59D179F) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been created.
May 02 2019 09:24:07: %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xC0C99131) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been created.
May 02 2019 09:24:07: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC6CBA532) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been deleted.
May 02 2019 09:24:07: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xFC76B767) between 38.142.65.154 and 207.126.125.10 (user= 38.142.65.154) has been deleted.
May 02 2019 09:24:12: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xFBCCD4D6) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been created.
May 02 2019 09:24:12: %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xAB1747AD) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been created.
May 02 2019 09:24:12: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC59D179F) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been deleted.
May 02 2019 09:24:12: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xC0C99131) between 38.142.65.154 and 207.126.125.10 (user= 38.142.65.154) has been deleted.
What would be the cause of this? I checked my configs and nothing has changed; this just popped up this week. We installed this connection back in Jan of this year. He suggests that perhaps I change my traffic selection?? Not sure what that is.... Does anyone have any suggestions?
config:
object-group network Seed-Local-host
 network-object 10.17.10.0 255.255.255.0
object-group network Seed-Remote-host
 network-object 10.50.10.0 255.255.255.128
 network-object 10.60.10.0 255.255.255.128
 network-object 10.66.0.76 255.255.255.252
 network-object 10.50.10.129 255.255.255.255
object-group network Seed-PAT
 network-object 10.77.0.112 255.255.255.248
object-group network GW-Seed-Nat
 network-object 10.17.10.73 255.255.255.255
object-group network Seed-NAT
 network-object 10.77.0.113 255.255.255.255
access-list OUTSIDE_cryptomap_2 extended permit ip object-group Seed-NAT object-group Seed-Remote-host
access-list OUTSIDE_cryptomap_2 extended permit ip object-group Seed-PAT object-group Seed-Remote-host
nat (INSIDE,OUTSIDE) source static GW-Seed-Nat Seed-NAT destination static Seed-Remote-host Seed-Remote-host
crypto ipsec ikev2 ipsec-proposal ikev2-proposal
 protocol esp encryption 3des
 protocol esp integrity sha-1
crypto map OUTSIDE_map 4 match address OUTSIDE_cryptomap_2
crypto map OUTSIDE_map 4 set peer 38.142.65.154
crypto map OUTSIDE_map 4 set ikev2 ipsec-proposal ikev2-proposal DES 3DES AES AES192 AES256
crypto ikev2 policy 50
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 28800
group-policy SEED internal
group-policy SEED attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol ikev2
tunnel-group 38.142.65.154 type ipsec-l2l
tunnel-group 38.142.65.154 general-attributes
 default-group-policy SEED
tunnel-group 38.142.65.154 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
Thank you in advance for your help!!
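The log excerpt in the post is the kind of thing that is better measured than eyeballed: a normal rekey creates a new pair of SAs and then deletes the old pair, which by then has lived close to its full lifetime, whereas churn shows old SAs being torn down seconds after they were built. The script below is an added example, not part of the original post and not Cisco tooling. It parses %ASA-6-602303 (SA created) and %ASA-6-602304 (SA deleted) messages, pairs each SPI's creation with its deletion to get the SA's real lifetime, and computes the creation-to-creation gap per direction (the rekey cadence). The embedded log is constructed from the eight lines in the post. The 28800-second expected lifetime is the ASA default for `crypto ipsec security-association lifetime seconds`; assuming the default applies is an assumption, since the posted config does not set it.

```python
"""Parse Cisco ASA IPsec SA create/delete syslog and measure SA churn.

Added example, not from the original thread. Input is syslog text containing
%ASA-6-602303 (SA created) and %ASA-6-602304 (SA deleted) messages.
"""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: the eight lines from the post (the split inbound-delete
# line joined back together).
SAMPLE_LOG = """\
May 02 2019 09:24:07: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC59D179F) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been created.
May 02 2019 09:24:07: %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xC0C99131) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been created.
May 02 2019 09:24:07: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC6CBA532) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been deleted.
May 02 2019 09:24:07: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xFC76B767) between 38.142.65.154 and 207.126.125.10 (user= 38.142.65.154) has been deleted.
May 02 2019 09:24:12: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xFBCCD4D6) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been created.
May 02 2019 09:24:12: %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xAB1747AD) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been created.
May 02 2019 09:24:12: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC59D179F) between 207.126.125.10 and 38.142.65.154 (user= 38.142.65.154) has been deleted.
May 02 2019 09:24:12: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xC0C99131) between 38.142.65.154 and 207.126.125.10 (user= 38.142.65.154) has been deleted.
"""

# ASA default IPsec SA lifetime (crypto ipsec security-association lifetime
# seconds). The posted config does not override it, so the default is assumed.
DEFAULT_IPSEC_SA_LIFETIME_S = 28800

SA_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-6-60230[34]: IPSEC: An (?P<dir>inbound|outbound) LAN-to-LAN SA "
    r"\(SPI= (?P<spi>0x[0-9A-Fa-f]+)\) between [\d.]+ and [\d.]+ "
    r"\(user= (?P<peer>[\d.]+)\) has been (?P<action>created|deleted)\.$"
)


class SaEvent(NamedTuple):
    ts: datetime
    direction: str  # "inbound" or "outbound"
    spi: int
    action: str     # "created" or "deleted"
    peer: str       # the user= field, i.e. the L2L peer address


def parse_line(line: str) -> Optional[SaEvent]:
    """Return an SaEvent for a 602303/602304 line, None for any other line."""
    m = SA_RE.match(line.strip())
    if m is None:
        return None
    return SaEvent(datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
                   m["dir"], int(m["spi"], 16), m["action"], m["peer"])


def parse_log(text: str) -> List[SaEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def sa_lifetimes(events: List[SaEvent]) -> Dict[int, float]:
    """Seconds each SPI lived, for SPIs whose create and delete both appear.

    A delete with no earlier create (the SA predates the excerpt) is ignored.
    """
    created: Dict[int, datetime] = {}
    lived: Dict[int, float] = {}
    # sorted() is stable, so lines within the same second keep their log order
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "created":
            created[ev.spi] = ev.ts
        elif ev.spi in created:
            lived[ev.spi] = (ev.ts - created.pop(ev.spi)).total_seconds()
    return lived


def creation_intervals(events: List[SaEvent], direction: str) -> List[float]:
    """Gaps in seconds between successive SA creations in one direction (rekey cadence)."""
    times = sorted(e.ts for e in events
                   if e.action == "created" and e.direction == direction)
    return [(later - earlier).total_seconds()
            for earlier, later in zip(times, times[1:])]


def short_lived(events: List[SaEvent],
                expected_s: int = DEFAULT_IPSEC_SA_LIFETIME_S,
                fraction: float = 0.5) -> Dict[int, float]:
    """SPIs torn down before `fraction` of the expected lifetime: churn, not a normal rekey."""
    return {spi: s for spi, s in sa_lifetimes(events).items()
            if s < expected_s * fraction}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for spi, secs in short_lived(evs).items():
        print(f"SPI 0x{spi:08X} lived {secs:.0f}s "
              f"(expected up to {DEFAULT_IPSEC_SA_LIFETIME_S}s)")
    for d in ("outbound", "inbound"):
        print(d, "create-to-create gaps (s):", creation_intervals(evs, d))
```

On the post's excerpt the two SAs whose whole life is visible (0xC59D179F and 0xC0C99131) lived five seconds, and the next pair was created five seconds after them; run against a longer syslog capture the same functions give the real cadence the peer was complaining about, and the ratio of SA lifetime to configured lifetime separates scheduled rekeys from churn.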
05-09-2019 06:34 AM
Thank you all for your help, but I have fixed the issue. For anyone else who has this issue, here is the fix:
This only pertains to ASAs running versions PRE-9.7, and in my case I am connecting to a Palo Alto, so
I am not sure if this is specific to Palo Alto only or if this is general. Now that that is over with, here is the fix:
Because I am running PRE-9.1 (8.4(7)30 to be exact), what needs to be done on the Palo Alto side
is that they need to enable something called "PROXY ID" on the IPsec tunnel. I don't have specifics on this,
but once that was enabled the rekeying-every-2-minutes issue went away and the connection behaved as it should. Hope this helps someone in the future. Thank you again for your help!!!
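The "Proxy ID" in the accepted answer is the Palo Alto term for the IPsec traffic selector (local network, remote network, protocol) negotiated for each child SA. On the ASA the selectors come from the crypto-map ACL, and each ACE is expanded through its object-groups into one network pair per source/destination combination. The script below is an added example, not from the thread and not from either vendor: it parses the object-groups and the crypto ACL exactly as posted (embedded as a constructed sample) and expands them into the explicit selector pairs, then mirrors them (local and remote swapped) into the form the peer side would state them. It assumes a one-to-one mapping between selector pair, IPsec SA and peer proxy ID; the thread itself only reports that enabling proxy IDs made the churn stop. One check worth noticing in the output: the ACL's local side is the NAT'd objects (10.77.0.113/32 and 10.77.0.112/29), not the inside host 10.17.10.73, so the peer's proxy IDs must reference the translated addresses.

```python
"""Expand an ASA crypto-map ACL into explicit IPsec traffic selector pairs.

Added example, not from the thread or from Cisco/Palo Alto. Output is the
list of (local, remote) network pairs the ASA derives from the ACL, one per
expanded ACE, plus the mirrored list a peer configuring proxy IDs would need.
"""
import ipaddress
from ipaddress import IPv4Network
from typing import Dict, List, Tuple

# Constructed sample: the object-groups and crypto ACL from the posted config.
ASA_CONFIG = """\
object-group network Seed-Local-host
 network-object 10.17.10.0 255.255.255.0
object-group network Seed-Remote-host
 network-object 10.50.10.0 255.255.255.128
 network-object 10.60.10.0 255.255.255.128
 network-object 10.66.0.76 255.255.255.252
 network-object 10.50.10.129 255.255.255.255
object-group network Seed-PAT
 network-object 10.77.0.112 255.255.255.248
object-group network GW-Seed-Nat
 network-object 10.17.10.73 255.255.255.255
object-group network Seed-NAT
 network-object 10.77.0.113 255.255.255.255
access-list OUTSIDE_cryptomap_2 extended permit ip object-group Seed-NAT object-group Seed-Remote-host
access-list OUTSIDE_cryptomap_2 extended permit ip object-group Seed-PAT object-group Seed-Remote-host
"""

Selector = Tuple[IPv4Network, IPv4Network]  # (local, remote)


def parse_object_groups(cfg: str) -> Dict[str, List[IPv4Network]]:
    """Collect `object-group network` members (host, net+mask, nested group).

    Does not depend on indentation, since forum pastes usually lose it.
    """
    groups: Dict[str, List[IPv4Network]] = {}
    current = None
    for raw in cfg.splitlines():
        t = raw.split()
        if t[:2] == ["object-group", "network"]:
            current = t[2]
            groups[current] = []
        elif current is not None and t and t[0] == "network-object":
            if t[1] == "host":
                groups[current].append(ipaddress.ip_network(t[2]))
            elif len(t) == 3 and t[1][0].isdigit():
                # "network-object 10.50.10.0 255.255.255.128": ipaddress accepts net/mask
                groups[current].append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
            else:
                # e.g. "network-object object NAME": refuse rather than silently drop a selector
                raise ValueError(f"unsupported member form: {raw.strip()}")
        elif current is not None and t and t[0] == "group-object":
            groups[current].extend(groups[t[1]])  # nested group, defined earlier
        else:
            current = None  # any other line ends the group definition
    return groups


def _operand(tokens: List[str], groups: Dict[str, List[IPv4Network]]
             ) -> Tuple[List[IPv4Network], List[str]]:
    """Consume one ACE address operand; returns (networks, remaining tokens)."""
    if tokens[0] == "object-group":
        return list(groups[tokens[1]]), tokens[2:]
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1])], tokens[2:]
    if tokens[0] in ("any", "any4"):
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]


def traffic_selectors(cfg: str, acl: str) -> List[Selector]:
    """One (local, remote) pair per expanded `permit ip` ACE of the crypto-map ACL."""
    groups = parse_object_groups(cfg)
    pairs: List[Selector] = []
    for raw in cfg.splitlines():
        t = raw.split()
        if t[:5] != ["access-list", acl, "extended", "permit", "ip"]:
            continue
        src, rest = _operand(t[5:], groups)
        dst, _ = _operand(rest, groups)
        pairs.extend((s, d) for s in src for d in dst)
    return pairs


def peer_proxy_ids(pairs: List[Selector]) -> List[Dict[str, str]]:
    """The same selectors as the peer must state them: its local is our remote."""
    return [{"local": str(remote), "remote": str(local), "protocol": "any"}
            for local, remote in pairs]


if __name__ == "__main__":
    sel = traffic_selectors(ASA_CONFIG, "OUTSIDE_cryptomap_2")
    print(f"{len(sel)} selector pairs -> {len(sel)} IPsec SAs / peer proxy IDs (assumed 1:1)")
    for row in peer_proxy_ids(sel):
        print(row)
```

For the posted ACL this yields eight pairs (two local objects times four remote networks), so a peer that has only a single catch-all selector cannot match them one-for-one; listing the expansion is the quickest way to see how many proxy IDs the other side needs and which translated local addresses they must carry.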