Site to Site VPN connection using ASA Firewall 5545 keeps on disconnecting

jmdelavirgen (Level 1)

Hi support,

Please be informed that we are having an issue regarding the Site to Site VPN connection with one of our Microsoft Azure partners, and we need your immediate assistance and support. Our site to site VPN connection is currently up, but it keeps on disconnecting. Please see the attached logs for your reference.

Thanks,

Accepted Solution

Dinesh Moudgil (Cisco Employee)

Hi 

The error indicates that the phase 2 parameter i.e. access-list / proxy IDs is not matching on both sides.
Can you please enable debugs for this peer and share the outputs along with configuration?

debug crypto condition peer x.x.x.x

debug crypto isakmp 200
debug crypto ipsec 200

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/


Hi Dinesh,

Currently we are running in production; is there any impact if we do the debug?

Hi jmdelavirgen,

It is suggested that we run the debugs in a scheduled window/after hours, but since we will run the debugs only for one tunnel, it should not affect the operation of the ASA.

Make sure you are not running the debugs directly on console, any SSH or telnet session should be fine.


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Please see the crypto IPsec SA and debug results.

Hi,

Is it a new setup or was it working before fine ?

As per the debug, the ASA gets a delete event from Azure and that leads to the VPN disconnect.

Mar 07 15:01:28 [IKEv1]Group = 13.76.44.235, IP = 13.76.44.235, Connection terminated for peer 13.76.44.235.  Reason: Peer Terminate  Remote Proxy 172.16.46.0, Local Proxy 192.168.32.236
Mar 07 15:01:28 [IKEv1 DEBUG]Group = 13.76.44.235, IP = 13.76.44.235, IKE got a KEY_ADD msg for SA: SPI = 0x76c85486
Mar 07 15:01:28 [IKEv1 DEBUG]Group = 13.76.44.235, IP = 13.76.44.235, Pitcher: received KEY_UPDATE, spi 0x395321f3
Mar 07 15:01:28 [IKEv1 DEBUG]Group = 13.76.44.235, IP = 13.76.44.235, Active unit receives a delete event for remote peer 13.76.44.235.

Please make sure all the Phase 2 parameters are exactly the same.

Also I see only 1 receive error for this tunnel and as already mentioned we need to check the remote end.

Thanks.

Regards,

Aditya

Please rate helpful posts.

The Site to Site VPN connection is working; however, it keeps on disconnecting after a few minutes or a few hours. May I know what to ask my peer?

Can you confirm if they have the correct lifetime settings for phase 1 and phase 2 ?

Also, what do they see in the logs at the time of disconnect? And confirm that the phase 2 parameters like the access-list are matching on both sides.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Anything I can check from my side with regards to the phase 1 and phase 2 IPsec policies?

Hi,

I do not think it is an issue with Phase 1 policies.

However, you can check the Phase 2 policies, like the crypto ACL (i.e. the interesting traffic); they should be mirror replicas of each other.

Also check the lifetime of the Phase 2 tunnel at your end and make sure we match it with MS AZURE.

Regards,

Aditya

Please rate helpful posts.

May I know how to check the lifetime of the phase 2 tunnel?

Hi,

Please check the output of show run crypto and check if you have configured one.

By default it is 28800 seconds; you can check this link:

https://supportforums.cisco.com/document/105381/basic-l2l-configuration-platform-independent-approach#Phase-2_Lifetime_Setting

Regards,

Aditya

SSMC-ASA-T1# show crypto ipsec sa
interface: Outside_2
    Crypto map tag: Outside_map, seq num: 4, local addr: 202.73.63.131

      access-list Outside_2_cryptomap_1 extended permit ip host 192.168.32.235 172.16.46.0 255.255.255.0
      local ident (addr/mask/prot/port): (MS019/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (172.16.46.0/255.255.255.0/0/0)
      current_peer: 13.76.44.235


      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 8, #pkts decrypt: 7, #pkts verify: 7
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 1

SSMC-ASA-T1# show run crypto map
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs group5
crypto map Outside_map 1 set peer 203.66.100.228
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map Outside_map 1 set security-association lifetime seconds 28800
crypto map Outside_map 1 set security-association lifetime kilobytes 4608000
crypto map Outside_map 4 set peer 13.76.44.235
crypto map Outside_map 4 set ikev1 transform-set ESP-AES-256-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside_2



SSMC-ASA-T1# show crypto isakmp sa

IKEv1 SAs:

     IKE Peer: 13.76.44.235
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

----------------------------------------------------------------------

show vpn-sessiondb detail l2l

Connection   : 13.76.44.235
Index        : 28205                  IP Addr      : 13.76.44.235
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 6774325                Bytes Rx     : 13801025
Login Time   : 12:55:41 SGT Mon Mar 7 2016
Duration     : 7h:35m:41s

IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
  Tunnel ID    : 28205.1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 59055 Seconds
  D/H Group    : 2
  Filter Name  :

IPsec:
  Tunnel ID    : 28205.103
  Local Addr   : 192.168.32.235/255.255.255.255/0/0
  Remote Addr  : 172.16.46.0/255.255.255.0/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28799 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4608000 K-Bytes
  Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes
  Bytes Tx     : 0                      Bytes Rx     : 0
  Pkts Tx      : 0                      Pkts Rx      : 0

Hi,

Yes the tunnel config looks fine.

Also make sure the crypto ACL is reverse at the MS AZURE end:

access-list Outside_2_cryptomap_1 extended permit ip host 192.168.32.235 172.16.46.0 255.255.255.0

Regards,

Aditya
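As an added check that is not part of the thread or of any Cisco tool: a small Python script that parses the proxy IDs the ASA reports (the "local ident"/"remote ident" lines of show crypto ipsec sa and the IKEv1 "Connection terminated" debug line), tests whether they mirror the far end's selectors, and tests whether the proxies named in the terminate message fall inside the configured crypto ACL. The sample output is constructed from the values quoted in the thread; the far-end selectors are typed in by hand as CIDRs, since Azure does not print them in this format.

```python
import ipaddress
import re
# Constructed sample of the selector lines from "show crypto ipsec sa", modelled on the
# thread's output with the host address written out instead of the object name MS019.
ASA_IPSEC_SA = """\
      local ident (addr/mask/prot/port): (192.168.32.235/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (172.16.46.0/255.255.255.0/0/0)
"""
# Constructed copy of the IKEv1 debug line quoted in the thread.
ASA_DEBUG_LINE = ("Mar 07 15:01:28 [IKEv1]Group = 13.76.44.235, IP = 13.76.44.235, "
                  "Connection terminated for peer 13.76.44.235.  Reason: Peer Terminate  "
                  "Remote Proxy 172.16.46.0, Local Proxy 192.168.32.236")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
TERMINATE_RE = re.compile(r"Connection terminated for peer ([\d.]+)\.\s+Reason: (.+?)\s+"
                          r"Remote Proxy ([\d.]+), Local Proxy ([\d.]+)")

def parse_asa_selectors(text):
    """Return {'local': network, 'remote': network} from show crypto ipsec sa output."""
    selectors = {}
    for side, addr, mask in IDENT_RE.findall(text):
        # ip_network accepts dotted netmasks; strict=False tolerates host bits in addr
        selectors[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return selectors

def peer_selectors(local_cidr, remote_cidr):
    """Selector dict for the far end, typed in from its own configuration as CIDRs."""
    return {"local": ipaddress.ip_network(local_cidr),
            "remote": ipaddress.ip_network(remote_cidr)}

def mirrors(this_side, peer_side):
    """Phase 2 proxy IDs agree only when each side's local is the other side's remote."""
    return (this_side["local"] == peer_side["remote"]
            and this_side["remote"] == peer_side["local"])

def parse_terminate(line):
    """Extract peer, reason and proxy pair from a 'Connection terminated' debug line."""
    m = TERMINATE_RE.search(line)
    if m is None:
        return None
    return {"peer": m.group(1), "reason": m.group(2),
            "remote_proxy": ipaddress.ip_address(m.group(3)),
            "local_proxy": ipaddress.ip_address(m.group(4))}

def terminate_within_acl(line, selectors):
    """True if the terminate message's proxies lie inside the configured crypto ACL,
    False on a proxy-ID discrepancy, None if the line is not a terminate event."""
    info = parse_terminate(line)
    if info is None:
        return None
    return (info["local_proxy"] in selectors["local"]
            and info["remote_proxy"] in selectors["remote"])
```

On the quoted debug line the ACL check returns False, because its Local Proxy 192.168.32.236 is outside the host entry 192.168.32.235 in the crypto ACL, which is the kind of proxy-ID discrepancy the replies ask to verify on both ends.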
