03-06-2016 09:48 PM - edited 03-12-2019 12:26 AM
Hi support,
Please be informed that we are having an issue regarding the Site to Site VPN connection with one of our Microsoft Azure partners, and we need your immediate assistance and support. Our site to site VPN connection is currently up, but it keeps on disconnecting. Please see attached logs for your reference.
Thanks,
03-06-2016 09:53 PM
Hi
The error indicates that the phase 2 parameter i.e. access-list / proxy IDs is not matching on both sides.
Can you please enable debugs for this peer and share the outputs along with configuration?
debug crypto condition peer x.x.x.x
debug crypto
debug crypto
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
03-06-2016 10:32 PM
Hi Dinesh,
Currently we are running in production. Is there any impact if we do the debug?
03-06-2016 10:35 PM
Hi
It is suggested that we run the debugs in a scheduled window/after hours but since we will run the debugs only for one
Make sure you are not running the debugs directly on console, any SSH or telnet session should be fine.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
03-06-2016 11:09 PM
03-06-2016 11:28 PM
Hi,
Is it a new setup or was it working before?
As per the debug ASA gets a delete event from Azure and that leads to the VPN disconnect.
Mar 07 15:01:28 [IKEv1]Group = 13.76.44.235, IP = 13.76.44.235, Connection terminated for peer 13.76.44.235. Reason: Peer Terminate Remote Proxy 172.16.46.0, Local Proxy 192.168.32.236
Mar 07 15:01:28 [IKEv1 DEBUG]Group = 13.76.44.235, IP = 13.76.44.235, IKE got a KEY_ADD msg for SA: SPI = 0x76c85486
Mar 07 15:01:28 [IKEv1 DEBUG]Group = 13.76.44.235, IP = 13.76.44.235, Pitcher: received KEY_UPDATE, spi 0x395321f3
Mar 07 15:01:28 [IKEv1 DEBUG]Group = 13.76.44.235, IP = 13.76.44.235, Active unit receives a delete event for remote peer 13.76.44.235.
Please make sure all the Phase 2 parameters are exactly the same.
Thanks.
Regards,
Aditya
Please rate helpful posts.
03-06-2016 11:33 PM
The Site to Site VPN connection is working; however, it keeps on disconnecting after a few minutes or after a few hours. May I know what to ask my peer?
03-06-2016 11:40 PM
Can you confirm if they have the correct lifetime settings for phase 1 and phase
Also what do they see in the logs at the time of
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
03-07-2016 01:19 AM
Anything I can check from my side with regards to phase 1 and phase 2 IPsec policies?
03-07-2016 03:16 AM
Hi,
I do not think it is an issue with Phase 1 policies.
Regards,
Aditya
Please rate helpful posts.
03-07-2016 03:42 AM
c
03-07-2016 03:48 AM
May I know how to check the lifetime of the phase 2 tunnel?
03-07-2016 03:51 AM
Hi,
Please check the output of show run crypto and check if you have configured one.
By default it is 28800 seconds, you can check this link:
https://supportforums.cisco.com/document/105381/basic-l2l-configuration-platform-independent-approach#Phase-2_Lifetime_Setting
Regards,
Aditya
03-07-2016 04:35 AM
SSMC-ASA-T1# show crypto ipsec sa
interface: Outside_2
Crypto map tag: Outside_map, seq num: 4, local addr: 202.73.63.131
access-list Outside_2_cryptomap_1 extended permit ip host 192.168.32.235 172.16.46.0 255.255.255.0
local ident (addr/mask/prot/port): (MS019/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.46.0/255.255.255.0/0/0)
current_peer: 13.76.44.235
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 8, #pkts decrypt: 7, #pkts verify: 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 1
SSMC-ASA-T1# show run crypto map
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs group5
crypto map Outside_map 1 set peer 203.66.100.228
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map Outside_map 1 set security-association lifetime seconds 28800
crypto map Outside_map 1 set security-association lifetime kilobytes 4608000
crypto map Outside_map 4 set peer 13.76.44.235
crypto map Outside_map 4 set ikev1 transform-set ESP-AES-256-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside_2
SSMC-ASA-T1# show crypto isakmp sa
IKEv1 SAs:
IKE Peer: 13.76.44.235
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
----------------------------------------------------------------------
show vpn-sessiondb detail l2l
Connection : 13.76.44.235
Index : 28205 IP Addr : 13.76.44.235
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)AES256 IPsec: (1)AES256
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 6774325 Bytes Rx : 13801025
Login Time : 12:55:41 SGT Mon Mar 7 2016
Duration : 7h:35m:41s
IKEv1 Tunnels: 1
IPsec Tunnels: 1
IKEv1:
Tunnel ID : 28205.1
UDP Src Port : 500 UDP Dst Port : 500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : AES256 Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 59055 Seconds
D/H Group : 2
Filter Name :
IPsec:
Tunnel ID : 28205.103
Local Addr : 192.168.32.235/255.255.255.255/0/0
Remote Addr : 172.16.46.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 28799 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes
Idle Time Out: 0 Minutes Idle TO Left : 0 Minutes
Bytes Tx : 0 Bytes Rx : 0
Pkts Tx : 0 Pkts Rx : 0
03-07-2016 05:37 AM
Hi,
access-list Outside_2_cryptomap_1 extended permit ip host 192.168.32.235 172.16.46.0 255.255.255.0
Regards,
Aditya
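Added example, not part of any post in this thread: a Python check that the proxy IDs reported in the ASA "Connection terminated" log line fall inside the selectors of the crypto ACL quoted above. The sample log and ACL lines are copied from the thread; the function names are illustrative, and only "host", "any" and address/mask selectors are handled (no object-groups).

```python
import ipaddress
import re

IP = r"\d+(?:\.\d+){3}"
# ASA IKEv1 teardown line; it reports the proxy addresses without masks.
TERM_RE = re.compile(
    rf"Connection terminated for peer (?P<peer>{IP})\.\s+Reason:\s+(?P<reason>.+?)\s+"
    rf"Remote Proxy (?P<remote>{IP}),\s+Local Proxy (?P<local>{IP})"
)

# Sample input copied from the thread above.
LOG = """\
Mar 07 15:01:28 [IKEv1]Group = 13.76.44.235, IP = 13.76.44.235, Connection terminated for peer 13.76.44.235. Reason: Peer Terminate Remote Proxy 172.16.46.0, Local Proxy 192.168.32.236
Mar 07 15:01:28 [IKEv1 DEBUG]Group = 13.76.44.235, IP = 13.76.44.235, Active unit receives a delete event for remote peer 13.76.44.235.
"""
ACL = ("access-list Outside_2_cryptomap_1 extended permit ip "
       "host 192.168.32.235 172.16.46.0 255.255.255.0")


def _take_selector(tokens):
    """Consume one ASA address spec: 'host A', 'any'/'any4', or 'A MASK'."""
    head = tokens.pop(0)
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if head in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")


def parse_crypto_acl(line):
    """Return (local_net, remote_net) from an 'extended permit ip' entry."""
    tokens = line.split()
    rest = tokens[tokens.index("ip") + 1:]  # assumes protocol keyword 'ip'
    return _take_selector(rest), _take_selector(rest)


def find_selector_mismatches(log_text, acl_line):
    """List each teardown event with any proxy ID the ACL does not cover."""
    local_net, remote_net = parse_crypto_acl(acl_line)
    findings = []
    for m in TERM_RE.finditer(log_text):
        problems = []
        if ipaddress.ip_address(m["local"]) not in local_net:
            problems.append(f"local proxy {m['local']} outside {local_net}")
        if ipaddress.ip_address(m["remote"]) not in remote_net:
            problems.append(f"remote proxy {m['remote']} outside {remote_net}")
        findings.append({"peer": m["peer"], "reason": m["reason"], "problems": problems})
    return findings


if __name__ == "__main__":
    for finding in find_selector_mismatches(LOG, ACL):
        print(finding)
```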