Will configuring a new IPSec Tunnel affect a working tunnel?

basheershabazz1
Level 1

We have an ASA 5585 firewall, running version 9.8(2)28, and we saw a strange issue. I configured a new IPsec tunnel, using ikev1. However, our partner was not ready, so I configured everything but the PSK. Today, we noticed that another active tunnel was down. The only update to the firewall was the above-mentioned tunnel configuration. On the down active tunnel, both ikev1 and ikev2 were selected (viewing it via ASDM). This tunnel was configured with ikev1. We fixed the issue by configuring the PSK on the new tunnel. Once the PSK was configured on the new tunnel, the active tunnel came back online. huh? Not sure why that happened; there is no relation between these 2 tunnels as far as I can see. Has anyone seen a strange scenario like this? Please let me know if more info is required for clarity. thanks 

4 Replies

Hi,
I think it's unlikely, but it depends on what you configured - normally tunnels would share IKEv1/v2 policies and IPsec transform sets.

If there was no interesting traffic being sent over the VPN, when the timers expire the tunnel would be torn down. It could have been a coincidence. When you noticed the tunnel down, did you generate traffic to test? This would obviously bring up the tunnel.

HTH

RJI

We could not send any interesting traffic over the tunnel that was down. However, once we finished the configuration on the new tunnel, which was to add the PSK to the tunnel group, the tunnel came up and was able to send interesting traffic.

If you are able to reproduce the issue, run a debug. We should be able to get a better idea of why it was failing from that.

IKEv1:

debug crypto condition peer x.x.x.x 

debug crypto ikev1 127

debug crypto ipsec sa 127


IKEv2:

debug crypto condition peer x.x.x.x

debug crypto ikev2 platform 127

debug crypto ikev2 protocol 127

--
Please remember to select a correct answer and rate helpful posts

This should definitely not happen.  I have preconfigured many site-to-site VPNs without having the issue you have described.  Do you have a backup of the configuration when the issue was happening?

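Since the last reply asks for a configuration backup from the time of the failure, here is an added example (not from this thread or from Cisco) of the check one would run over a saved `show running-config` text: list every peer referenced by a `crypto map ... set peer` entry that has no `ipsec-l2l` tunnel-group, or whose tunnel-group `ipsec-attributes` block carries no IKEv1 or IKEv2 pre-shared key, which is exactly the half-configured state described in the question. The sample config, the peer addresses, and the function names `parse_asa_config` and `find_incomplete_tunnels` are all constructed for this example; it assumes a single peer per `set peer` line and the standard one-space indentation the ASA uses for sub-mode lines.

```python
import re
from collections import defaultdict

# Constructed sample ASA running-config excerpt (not taken from the thread).
# Peer 198.51.100.10 is a complete tunnel; 203.0.113.20 is a new tunnel-group
# that was left without a pre-shared key, as in the original question.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address PARTNER-A-ACL
crypto map outside_map 10 set peer 198.51.100.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map 20 match address PARTNER-B-ACL
crypto map outside_map 20 set peer 203.0.113.20
crypto map outside_map 20 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map interface outside
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
"""

# Assumption: one peer address per "set peer" line.
CRYPTO_MAP_PEER = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
TG_TYPE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
TG_ATTRS = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")
# Sub-mode lines that carry a pre-shared key for IKEv1 or IKEv2.
PSK_LINES = (
    "ikev1 pre-shared-key",
    "ikev2 remote-authentication pre-shared-key",
    "ikev2 local-authentication pre-shared-key",
)


def parse_asa_config(text):
    """Collect crypto-map peers, ipsec-l2l tunnel-groups, and which IKE
    versions have a PSK in each tunnel-group's ipsec-attributes block."""
    peers_in_maps = {}            # peer -> "<map name> <seq>"
    l2l_groups = set()
    psk_by_group = defaultdict(set)
    current = None                # tunnel-group whose sub-mode we are in
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(" ") and current:
            stripped = line.strip()
            for key in PSK_LINES:
                if stripped.startswith(key):
                    psk_by_group[current].add(key.split()[0])  # "ikev1"/"ikev2"
            continue
        current = None            # any top-level line ends the sub-mode
        m = CRYPTO_MAP_PEER.match(line)
        if m:
            peers_in_maps[m.group(3)] = f"{m.group(1)} {m.group(2)}"
            continue
        m = TG_TYPE.match(line)
        if m:
            l2l_groups.add(m.group(1))
            continue
        m = TG_ATTRS.match(line)
        if m:
            current = m.group(1)
    return peers_in_maps, l2l_groups, psk_by_group


def find_incomplete_tunnels(text):
    """Return (peer, problem) pairs for crypto-map peers that have no
    ipsec-l2l tunnel-group or a tunnel-group with no pre-shared key."""
    peers, groups, psks = parse_asa_config(text)
    findings = []
    for peer, entry in sorted(peers.items()):
        if peer not in groups:
            findings.append((peer, f"crypto map {entry}: no ipsec-l2l tunnel-group"))
        elif not psks.get(peer):
            findings.append((peer, f"crypto map {entry}: tunnel-group has no pre-shared key"))
    return findings


if __name__ == "__main__":
    for peer, problem in find_incomplete_tunnels(SAMPLE_CONFIG):
        print(f"{peer}: {problem}")
```

Run it against the backup taken while the tunnel was down and against the configuration after the PSK was added; a peer that appears in the first report and not the second is the candidate to correlate with the `debug crypto` output suggested earlier in the thread.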