04-26-2021 02:41 PM
We have a remote location running a PA-850 that has a site-to-site VPN tunnel built to a FTD 2140. The tunnel initially builds OK, and can run months without any problem. The issue is when the remote location loses power and the PA-850 hard boots. The FTD still shows Phase 1 active and Phase 2 show MM_WAIT_MSG2 or MM_WAIT_MSG4 during renegotiation. My apologies, but I didn't keep the debug messages. If I clear phase 1 sa, the tunnel comes right up.
We migrated to the FTD/FMC in January, and prior to that we had an ASA running ASA firmware. We never had this problem until we moved to the FTD.
Does anyone have an idea as to what I might check out? Thanks
04-26-2021 06:02 PM
Hi
Can you share the output of the following commands:
- sh crypto ikev1 sa
- sh crypto ipsec sa
Also have you validated that configs are still matching on both side?
I understand you haven't saved debug outputs, but is there any possibility you can run them again and share those information?
04-27-2021 06:34 AM
Thanks for the response, Francesco.
The tunnel is currently up, and I've confirmed the configs match on both sides, and I've also confirmed the VPN configs match between the FTD and the old ASA that never had problems.
The 'show crypto' commands and the 'debug crypto' commands all look normal when the tunnel is functioning. The tunnel has absolutely no issues until the remote side loses power. We went from early January through mid April before the first power loss, and the tunnel never once hiccupped during this time period. We've had two power losses this month, and the tunnel didn't come up after either.
I'm pretty sure that once the phase 1 timer expired, it would have renegotiated properly - we may decrease the timers. I'm also pretty certain that if the remote side never loses power, the tunnel won't have any problems. I may have to wait for the VPN to break again and put in the debug results.
05-03-2021 08:50 PM
Can you share your config of tunnel-group?
You should have dpd to tear down the session if the power is gone too long.
What are your timers today?
05-06-2021 11:52 AM
DPD is configured. In the FMC under this site-to-site VPN | Advanced | IKE settings, IKE keepalive is set to enable, threshold is set to 10 seconds, retry interval is set to 2 seconds, Identity is set to autoOrDN, and Peer Identity Validation is Required. Here is the tunnel-group info:
firepower# sh runn | be tunnel-group Peer_IP
tunnel-group Peer_IP type ipsec-l2l
tunnel-group Peer_IP general-attributes
default-group-policy .DefaultS2SGroupPolicy
tunnel-group Peer_IP ipsec-attributes
ikev1 pre-shared-key *****
IKE lifetime has been decreased from 86400 to 3600 seconds, and IPSec lifetime was decreased from 28800 to 1200 seconds. We've not had a recent event, so I'm not sure if this will help.
I did try to add the following with flexconfig, but nothing changed on the CLI:
tunnel-group Peer_IP ipsec-attributes
isakmp keepalive threshold 10 retry 2
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide