
cisco CSR deleting old and new phase 2 SA together

ahmad82pkn
Level 2

Hi,

 

I have a VPN built with a remote network where the far end is a CSR router; my end is openswan/strongswan.

(I don't have CSR-side logs as of yet (sadly), but I have my side's logs.)

What actually happens is that after every 8 hours Phase 1 is rekeyed fine.

After that openswan/strongswan rekeys Phase 2 and negotiates a new Phase 2 with the CSR.

Everyone is happy till now.

After some time I get a Delete SA for the old IPsec SA from the CSR, and at the same moment I get a Delete SA for the new Phase 2 SA as well. So the CSR deletes both the old and the new IPsec Phase 2 SAs together.

That is how it looks at my side. See the timing of both Delete SAs received.

16821. 6688. 2017-05-13T10:32:43.112: "tunnel"[12] x.x.218.65 #701: received Delete SA (0x33d0183a) payload: deleting IPSEC State #700
16822. 6689. 2017-05-13T10:32:43.118 "tunnel"[12] x.x.218.65 #701: received and ignored informational message
16823. 6690. 2017-05-13T10:32:43.118  "tunnel"[12] x.x.218.65 #701: received Delete SA (0x7e2ffb97) payload: deleting IPSEC State #702

 

At this time the VPN drops and BGP drops as well.

Immediately after that the CSR initiates a new Phase 2.

And everyone is happy again for 8 hours (although a Phase 2 rekey happens every 1 hour, this problem only occurs after 8 hours, when the Phase 1 rekey is done properly and then the first Phase 2 rekey is done; that is when this situation occurs).

 

16825. 6692. 2017-05-13T10:32:43.131 "tunnel"[12] x.x.218.65 #701: received and ignored informational message
16826. 6693. 2017-05-13T10:32:46.204  "tunnel"[12] x.x.218.65 #701: the peer proposed: 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0
16827. 6694. 2017-05-13T10:32:46.212 "tunnel"[12] x.x.218.65 #703: responding to Quick Mode proposal {msgid:28db47fb}
16828. 6695. 2017-05-13T10:32:46.212  "tunnel"[12] x.x.218.65 #703: us: 0.0.0.0/0===x.x.5.2[x.x.86.110]---x.x.3.2
16829. 6696. 2017-05-13T10:32:46.212 "tunnel"[12] x.x.218.65 #703: them: x.x.3.2---x.x.218.65[x.x.7.180]===0.0.0.0/0
16830. 6697. 2017-05-13T10:32:46.221  "tunnel"[12] x.x.218.65 #703: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
16831. 6698. 2017-05-13T10:32:46.221 "tunnel"[12] x.x.218.65 #703: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
16832. 6699. 2017-05-13T10:32:46.356  "tunnel"[12] x.x.218.65 #703: Dead Peer Detection (RFC 3706): enabled
16834. 6701. 2017-05-13T10:32:46.356  "tunnel"[12]x.x.218.65 #703: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
16835. 6702. 2017-05-13T10:32:46.362  "tunnel"[12] x.x.218.65 #703: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xbebd4c7c
16836. 6703. 2017-05-13T10:32:52.366| ka_event: send NAT-KA to x.x.218.65:4500 (state=#703)

 

I have checked the CSR configuration; it is configured normally with a Phase 1 lifetime of 8 hours and a Phase 2 lifetime of 1 hour.

 

CSR

show version
Cisco IOS XE Software, Version 16.03.01a
Cisco IOS Software [Denali], CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.3.1a, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Fri 30-Sep-16 02:53 by mcpre
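The symptom in the log above is two "received Delete SA" payloads for different IPsec states (#700 and #702) arriving on the same IKE SA (#701) six milliseconds apart, followed about three seconds later by a fresh Quick Mode (#703). The following script is an added example for this thread, not code from the original post: it parses openswan/strongswan-style log lines, groups Delete SA payloads from one peer that land inside a short window, and measures how long the tunnel had no IPsec SA before the next STATE_QUICK_R2 line. The sample lines are copied from the post above (the log viewer's leading counters are left in and skipped by the parser); the one-second grouping window is an assumed threshold, not something the post specifies.

```python
"""Detect a peer tearing down several IPsec (Phase 2) SAs at once.

Added example for the thread above, not the poster's own code. It parses
openswan/strongswan log lines, groups 'received Delete SA' events per peer
inside a short window, and reports the gap until the next established SA.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Lines copied from the post above; the "16821. 6688." prefixes are the
# log viewer's counters and are ignored by the parser.
SAMPLE_LOG = """\
16821. 6688. 2017-05-13T10:32:43.112: "tunnel"[12] x.x.218.65 #701: received Delete SA (0x33d0183a) payload: deleting IPSEC State #700
16822. 6689. 2017-05-13T10:32:43.118 "tunnel"[12] x.x.218.65 #701: received and ignored informational message
16823. 6690. 2017-05-13T10:32:43.118  "tunnel"[12] x.x.218.65 #701: received Delete SA (0x7e2ffb97) payload: deleting IPSEC State #702
16825. 6692. 2017-05-13T10:32:43.131 "tunnel"[12] x.x.218.65 #701: received and ignored informational message
16826. 6693. 2017-05-13T10:32:46.204  "tunnel"[12] x.x.218.65 #701: the peer proposed: 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0
16827. 6694. 2017-05-13T10:32:46.212 "tunnel"[12] x.x.218.65 #703: responding to Quick Mode proposal {msgid:28db47fb}
16835. 6702. 2017-05-13T10:32:46.362  "tunnel"[12] x.x.218.65 #703: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xbebd4c7c
"""

TS_RE = re.compile(r'(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+)')
# '"tunnel"[12] x.x.218.65 #701:' -> peer address and the state number the message is logged against
PEER_RE = re.compile(r'"[^"]*"\[\d+\]\s*(\S+) #(\d+):')
DELETE_RE = re.compile(r'received Delete SA \((0x[0-9a-fA-F]+)\) payload: deleting IPSEC State #(\d+)')
ESTABLISHED_RE = re.compile(r'STATE_QUICK_R2: IPsec SA established')


@dataclass
class Event:
    ts: datetime
    peer: str
    ike_state: int          # state number in the "#N:" prefix (the IKE SA for Delete payloads)
    kind: str               # "delete" or "established"
    ipsec_state: int        # the IPsec (Phase 2) state affected
    spi: Optional[str] = None


def parse(log_text: str) -> List[Event]:
    """Extract Delete SA and 'IPsec SA established' events; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        ts_m, peer_m = TS_RE.search(line), PEER_RE.search(line)
        if not (ts_m and peer_m):
            continue
        ts = datetime.strptime(ts_m.group(1), "%Y-%m-%dT%H:%M:%S.%f")
        peer, state = peer_m.group(1), int(peer_m.group(2))
        d = DELETE_RE.search(line)
        if d:
            events.append(Event(ts, peer, state, "delete", int(d.group(2)), d.group(1)))
        elif ESTABLISHED_RE.search(line):
            # on a STATE_QUICK_R2 line the "#N" is the new IPsec state itself
            events.append(Event(ts, peer, state, "established", state))
    return events


def mass_deletes(events: List[Event], window: float = 1.0) -> List[List[Event]]:
    """Group Delete SA payloads from the same peer that arrive within `window` seconds.

    Two or more in one group means the peer tore down several Phase 2 SAs together
    (old and new), which leaves no ESP SA to carry traffic until a new Quick Mode.
    """
    deletes = sorted((e for e in events if e.kind == "delete"), key=lambda e: e.ts)
    groups, current = [], []
    for e in deletes:
        if current and e.peer == current[0].peer and (e.ts - current[0].ts).total_seconds() <= window:
            current.append(e)
        else:
            if len(current) >= 2:
                groups.append(current)
            current = [e]
    if len(current) >= 2:
        groups.append(current)
    return groups


def outage_seconds(events: List[Event], group: List[Event]) -> Optional[float]:
    """Seconds from the last Delete SA in `group` to the next IPsec SA established
    with the same peer; None if the tunnel never came back within the log."""
    last = max(e.ts for e in group)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "established" and e.peer == group[0].peer and e.ts >= last:
            return round((e.ts - last).total_seconds(), 3)
    return None


def analyze(log_text: str, window: float = 1.0) -> list:
    """One report entry per burst of simultaneous Delete SA payloads."""
    events = parse(log_text)
    report = []
    for g in mass_deletes(events, window):
        report.append({
            "peer": g[0].peer,
            "ike_state": g[0].ike_state,
            "deleted_states": [e.ipsec_state for e in g],
            "deleted_spis": [e.spi for e in g],
            "span_ms": round((g[-1].ts - g[0].ts).total_seconds() * 1000, 1),
            "outage_s": outage_seconds(events, g),
        })
    return report


if __name__ == "__main__":
    for entry in analyze(SAMPLE_LOG):
        print(entry)
```

Run against the lines from the post it reports one burst on IKE SA #701 deleting states 700 and 702 (SPIs 0x33d0183a and 0x7e2ffb97) 6 ms apart, with 3.244 s until #703 was established. Pointing it at a full day of logs and checking whether every burst sits shortly after a Phase 1 rekey is the quickest way to confirm the 8-hour pattern the post describes before asking the far end for their side's logs.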

 

2 Replies

Hello,

I guess you have already checked the IPsec configurations on both sides for any Phase 2 configuration mismatches?

Can you post the ipsec.conf file, as well as the CSR configuration?

I think I have found the problem: the CSR has an EEM template that is shutting down the tunnel on some IPsec messages. I am asking them to remove that piece of configuration and observe; I think that is the root cause.

Will keep you guys posted :) Have a good weekend.
