07-04-2024 04:12 PM - edited 07-04-2024 04:13 PM
Working through configuring this wretched device.... firmware 17.9. I have 2 IKEv2 RSA auth site-to-site VPNs using tunnel interfaces to 2 other sites with non-Cisco routers. Everything comes up and is working fine, traffic flows without interruption bidirectionally between all sites. But the Cisco device is creating additional duplicate IPSec security associations every 30 seconds. At the moment "show crypto ipsec sa count" says there are 422 SAs! WTF is going on???? The other sides report no errors at all, only that exactly every 30 seconds the Cisco sends a CREATE_CHILD request. Please let me know what is wrong here... I can post debug output but tbh that's a massive PITA, it was already bad enough sanitizing the config........
Using 8639 out of 33554432 bytes
!
! Last configuration change at 17:54:18 CDT Thu Jul 4 2024 by user
! NVRAM config last updated at 17:54:23 CDT Thu Jul 4 2024 by user
!
version 17.9
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname HOSTNAME
!
boot-start-marker
boot system flash bootflash:packages.conf
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
clock timezone CST -6 0
clock summer-time CDT recurring
!
!
!
!
!
!
!
ip domain lookup recursive
ip domain lookup source-interface GigabitEthernet0/0/0
ip dhcp excluded-address 192.168.192.1 192.168.192.7
!
ip dhcp pool POOL
network 192.168.192.0 255.255.255.128
default-router 192.168.192.1
dns-server 192.168.192.1
!
!
!
login on-success log
ipv6 unicast-routing
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
vtp version 1
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-257109167
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-257109167
revocation-check none
rsakeypair TP-self-signed-257109167
!
crypto pki trustpoint SITEPKI
enrollment terminal
subject-name CN=GW.DOMAIN.co
subject-alt-name GW.DOMAIN.co
revocation-check none
rsakeypair GW
eku request ssh-client ssh-server
!
crypto pki trustpoint SLA-TrustPoint
enrollment terminal
revocation-check crl
!
!
!
crypto pki certificate map SITE1 10
subject-name co SITE1.DOMAIN.CO
!
crypto pki certificate map 1176 10
subject-name co 1176.DOMAIN.co
!
crypto pki certificate chain TP-self-signed-257109167
certificate self-signed 01 nvram:IOS-Self-Sig#2.cer
crypto pki certificate chain SITEPKI
certificate xx
certificate ca xx
crypto pki certificate chain SLA-TrustPoint
certificate ca 01 nvram:CiscoLicensi#1CA.cer
!
crypto pki certificate pool
cabundle nvram:ios_core.p7b
!
!
no license feature hseck9
license udi pid C1111-4P sn xx
license boot level securityk9
license smart transport callhome
memory free low-watermark processor 70177
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
enable secret 9 xx
!
username user secret 8 xx
!
redundancy
mode none
!
crypto ikev2 proposal aes128-sha256-modp2048
encryption aes-cbc-128
integrity sha256
group 14
!
crypto ikev2 policy aes128-sha256-modp2048
match fvrf any
proposal aes128-sha256-modp2048
!
!
crypto ikev2 profile SITE1
match certificate SITE1
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint SITEPKI
lifetime 28800
dpd 300 10 on-demand
!
crypto ikev2 profile 1176
match certificate 1176
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint SITEPKI
lifetime 28800
dpd 300 10 on-demand
!
!
!
vlan internal allocation policy ascending
no cdp run
!
!
class-map type inspect match-any OUT_SELF
match access-group name OUT_SELF
match access-group name OUT_SELF6
class-map type inspect match-any SELF_OUT
match access-group name ALL_ALL
match access-group name SELF_OUT6
class-map type inspect match-any IN_OUT
match access-group name LAN_ALL
match access-group name IN_OUT6
class-map type inspect match-any IN_SELF
match access-group name IN_SELF
match access-group name IN_SELF6
!
policy-map type inspect SELF_OUT
class type inspect SELF_OUT
inspect
class class-default
drop
policy-map type inspect OUT_SELF
class type inspect OUT_SELF
inspect
class class-default
drop
policy-map type inspect IN_SELF
class type inspect IN_SELF
pass
class class-default
drop
policy-map type inspect IN_OUT
class type inspect IN_OUT
inspect
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN_OUT source INSIDE destination OUTSIDE
service-policy type inspect IN_OUT
zone-pair security IN_SELF source INSIDE destination self
service-policy type inspect IN_SELF
zone-pair security OUT_SELF source OUTSIDE destination self
service-policy type inspect OUT_SELF
zone-pair security SELF_IN source self destination INSIDE
service-policy type inspect IN_SELF
zone-pair security SELF_OUT source self destination OUTSIDE
service-policy type inspect SELF_OUT
!
!
!
!
!
!
!
crypto isakmp invalid-spi-recovery
!
crypto ipsec security-association lifetime kilobytes disable
!
crypto ipsec transform-set aes128-sha256 esp-aes esp-sha256-hmac
mode tunnel
!
crypto ipsec profile 1176
set transform-set aes128-sha256
set pfs group14
set ikev2-profile 1176
!
!
crypto ipsec profile SITE1
set transform-set aes128-sha256
set pfs group14
set ikev2-profile SITE1
!
!
!
!
!
!
!
!
!
interface Tunnel1
ip address 10.25.25.1 255.255.255.254
zone-member security INSIDE
keepalive 300 5
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination SITE1IPADDRESS
tunnel protection ipsec profile SITE1
ip virtual-reassembly
!
interface Tunnel2
ip address 10.25.25.2 255.255.255.254
zone-member security INSIDE
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 1176IPADDRESS
tunnel protection ipsec profile 1176
ip virtual-reassembly
!
interface GigabitEthernet0/0/0
ip address dhcp
ip nat outside
zone-member security OUTSIDE
negotiation auto
ipv6 dhcp client pd hint ::/60
ipv6 dhcp client pd PREFIX
ipv6 dhcp client request vendor
ipv6 address dhcp
ipv6 address autoconfig default
ipv6 enable
ipv6 nd ra suppress
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
switchport mode access
spanning-tree bpdufilter enable
!
interface GigabitEthernet0/1/1
switchport mode access
spanning-tree bpdufilter enable
!
interface GigabitEthernet0/1/2
switchport mode access
spanning-tree bpdufilter enable
!
interface GigabitEthernet0/1/3
switchport access vlan 20
switchport mode access
spanning-tree bpdufilter enable
!
interface Vlan1
ip address 192.168.192.1 255.255.255.128
ip nat inside
zone-member security INSIDE
ipv6 address PREFIX ::1/64
!
interface Vlan20
ip address 192.168.192.253 255.255.255.252
ip nat inside
zone-member security INSIDE
ipv6 address PREFIX ::1:0:0:0:1/64
!
no ip http server
ip http authentication local
no ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip forward-protocol nd
ip dns server
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
ip route 172.16.16.0 255.255.252.0 Tunnel1
ip route 192.168.220.0 255.255.252.0 Tunnel2
ip ssh version 2
!
!
ip access-list standard NAT
10 permit 192.168.192.0 0.0.3.255
!
ip access-list extended ALL_ALL
10 permit ip any any
ip access-list extended IN_SELF
10 permit ip 192.168.192.0 0.0.3.255 any
20 permit udp any eq bootps any
30 permit udp any any eq bootps
40 permit ip 172.16.16.0 0.0.3.255 any
50 permit ip 192.168.220.0 0.0.3.255 any
60 permit esp any any
70 permit udp any any eq isakmp
80 permit udp any any eq non500-isakmp
ip access-list extended LAN_ALL
10 permit ip 192.168.192.0 0.0.3.255 any
ip access-list extended OUT_SELF
10 permit icmp any any
20 permit udp any any eq isakmp
30 permit udp any any eq non500-isakmp
40 permit udp any eq domain any
70 permit udp any eq bootps any
80 permit esp any any
!
!
!
!
!
!
ipv6 access-list IN_OUT6
sequence 10 permit ipv6 any any
!
ipv6 access-list IN_SELF6
sequence 20 permit ipv6 any any
!
ipv6 access-list OUT_SELF6
sequence 10 permit icmp any any
sequence 20 permit udp any any eq isakmp
sequence 30 permit udp any any eq non500-isakmp
sequence 40 permit udp any eq domain any
sequence 50 permit esp any any
sequence 60 permit udp any eq 547 any
!
ipv6 access-list SELF_OUT6
sequence 10 permit ipv6 any any
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
transport input ssh
line vty 5 14
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
sntp server 0.us.pool.ntp.org
sntp source-interface GigabitEthernet0/0/0
!
!
!
!
!
!
end
07-04-2024 04:17 PM - edited 07-04-2024 04:33 PM
OUT-Self and self-OUT:
Add an ACL matching UDP ports 500/4500 from the tunnel destination to your WAN interface, and the action must be PASS, not inspect.
That will solve the issue.
MHM
07-04-2024 04:25 PM - edited 07-04-2024 04:26 PM
So the OUT_SELF access list already contains "permit udp any any eq isakmp" and "permit udp any any eq non500-isakmp"; this should be sufficient, I believe? I just tried going to "policy-map type inspect OUT_SELF", then "class type inspect OUT_SELF", then changing from inspect to pass. Did not solve the problem. Let me know if I am understanding you properly.
07-04-2024 04:34 PM
Both directions:
out to self and self to out.
You need to make an ACL with action pass.
MHM
07-04-2024 05:02 PM
Here is the new config; "SELF_OUT" and "SELF_IN" both have only class-default set to pass. Does not solve the problem.
class-map type inspect match-any OUT_SELF
match access-group name OUT_SELF
match access-group name OUT_SELF6
class-map type inspect match-any IN_OUT
match access-group name LAN_ALL
match access-group name IN_OUT6
class-map type inspect match-any IN_SELF
match access-group name IN_SELF
match access-group name IN_SELF6
!
policy-map type inspect SELF_IN
class class-default
pass
policy-map type inspect SELF_OUT
class class-default
pass
policy-map type inspect OUT_SELF
class type inspect OUT_SELF
pass
class class-default
drop
policy-map type inspect IN_SELF
class type inspect IN_SELF
pass
class class-default
drop
policy-map type inspect IN_OUT
class type inspect IN_OUT
inspect
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN_OUT source INSIDE destination OUTSIDE
service-policy type inspect IN_OUT
zone-pair security IN_SELF source INSIDE destination self
service-policy type inspect IN_SELF
zone-pair security OUT_SELF source OUTSIDE destination self
service-policy type inspect OUT_SELF
zone-pair security SELF_IN source self destination INSIDE
service-policy type inspect SELF_IN
zone-pair security SELF_OUT source self destination OUTSIDE
service-policy type inspect SELF_OUT
07-05-2024 03:47 AM
The two tunnel interfaces use two different profiles but the same tunnel source.
I think this is the issue here.
Add a new crypto ipsec profile, use it for both tunnels, and use the keyword "shared".
Do the above and check the stability of the VPN.
MHM
07-05-2024 07:32 AM - edited 07-05-2024 07:32 AM
OK, but at the moment the IPSec profiles are linked to the IKEv2 profiles, which in turn are linked to the cert maps that match the unique certificate CNs used by each of the other 2 sites. How will 1 IPSec profile work in this situation?
07-05-2024 09:55 AM
crypto ikev2 profile SITE1
match certificate SITE1
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint SITEPKI
lifetime 28800
dpd 300 10 on-demand
!
crypto ikev2 profile 1176
match certificate 1176
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint SITEPKI
lifetime 28800
dpd 300 10 on-demand
The trustpoint is the same and there is no special authorization for each peer, so I think one crypto ikev2 profile is needed here.
Then use this ikev2 profile under the ipsec profile, which is then used in both tunnels with "shared".
MHM
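Added illustration of the consolidation MHM is proposing in the two posts above: one IKEv2 profile that matches either peer's certificate map, one IPsec profile, and both VTIs pointing at it with the shared keyword. This is not configuration from the thread and has not been verified to stop the CREATE_CHILD_SA churn; the profile name S2S is an assumption, everything else (trustpoint, certificate maps, transform set, tunnel addressing, placeholder peer addresses) is carried over from the posted config.

```cisco
! Added example (not the poster's config). Consolidates the two per-peer
! IKEv2/IPsec profiles into one of each, as suggested in the thread.
! Profile name S2S is an assumption; other names come from the posted config.
!
! The per-peer certificate maps stay exactly as they were.
crypto pki certificate map SITE1 10
 subject-name co SITE1.DOMAIN.CO
!
crypto pki certificate map 1176 10
 subject-name co 1176.DOMAIN.co
!
! One IKEv2 profile. IOS treats repeated match statements of the same type
! as a logical OR, so a certificate matching either map selects this profile.
crypto ikev2 profile S2S
 match certificate SITE1
 match certificate 1176
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint SITEPKI
 lifetime 28800
 dpd 300 10 on-demand
!
crypto ipsec transform-set aes128-sha256 esp-aes esp-sha256-hmac
 mode tunnel
!
! One IPsec profile bound to the single IKEv2 profile.
crypto ipsec profile S2S
 set transform-set aes128-sha256
 set pfs group14
 set ikev2-profile S2S
!
! Both VTIs use the same tunnel source and the same profile, marked shared.
interface Tunnel1
 ip address 10.25.25.1 255.255.255.254
 zone-member security INSIDE
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination SITE1IPADDRESS
 tunnel protection ipsec profile S2S shared
!
interface Tunnel2
 ip address 10.25.25.2 255.255.255.254
 zone-member security INSIDE
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 1176IPADDRESS
 tunnel protection ipsec profile S2S shared
```

Two things to keep in mind when applying this. First, remove "tunnel protection" from both tunnel interfaces before re-adding it, and re-add it with the same profile and the same keyword on both; also confirm that your release accepts "shared" under "tunnel mode ipsec ipv4" at all, since the parser rejects the keyword if the combination is unsupported. Second, merging the profiles loosens the per-peer binding slightly: with the original layout a given certificate map selected a given profile, whereas here any certificate matching either map is accepted for either tunnel. Both maps sit under the same trustpoint and the thread says there is no per-peer authorization, so that is probably acceptable, but it is a deliberate choice rather than a free change.

Whatever profile layout you end up with, the useful comparison after the change is "show crypto ikev2 sa detailed", which lists every child SA with its local and remote traffic selectors, against the peer's own view of the same SAs. A Cisco VTI proposes 0.0.0.0/0 to 0.0.0.0/0 selectors; if the non-Cisco side narrows those to specific subnets, the two ends disagree about what the child SA covers, and that is one thing worth ruling out when an initiator keeps sending CREATE_CHILD_SA while the tunnel itself stays up. "show crypto ipsec sa peer <address>" shows how many SAs have accumulated per peer, and "show crypto session detail" shows which IKEv2 profile each session actually landed in.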
05-08-2025 01:49 PM
Hi train00wreck,
Were you able to solve this? I am experiencing the same problem.
Cisco firmware 17.15 is initiating a new CHILD_SA every 3-30 seconds.
Thank you.
05-09-2025 12:43 AM
Nope, gave up. Talked to TAC about it, they sent me down a wild goose chase of debugging the route-based config I have. I initially thought they had fixed it but within a day the issue came back, I think after rebooting the device it will work for a while, but some event causes it to start recreating the SA over and over. It might be something related to which side initiates the connection, I'm not sure. The tunnels stay up the entire time so I just gave up and stopped caring about it, it makes it a PITA to read logs though.....
05-09-2025 06:37 AM
Thanks for the update.
I'll let you know if I find anything.
07-05-2024 04:14 AM
Hello,
looking at your config, I think the problem is that you are inspecting the IPSec traffic, while you should configure it to 'pass' (and not 'inspect') in your ZBF...
07-05-2024 07:37 AM
@Georg Pauwen wrote:
Hello,
looking at your config, I think the problem is that you are inspecting the IPSec traffic, while you should configure it to 'pass' (and not 'inspect') in your ZBF...
Please see my reply above. All zones are set to "pass" except for the IN_OUT zone (which must be "inspect" for the LAN/WAN traffic to get through.) Made no difference to the problem.