05-19-2017 08:17 PM - edited 10-18-2018 02:33 PM
Hi,
I have a VPN built with a remote network where the far end is a CSR router and my end is openswan/strongswan.
(I don't have the CSR side logs as of yet (sadly), but I have my side's logs.)
What actually happens is that after every 8 hours Phase 1 is rekeyed fine.
After that openswan/strongswan rekeys Phase 2 and negotiates a new Phase 2 with the CSR.
Everyone is happy till now.
After some time I get an old IPsec SA Delete SA from the CSR, and at the same moment I get a new Phase 2 Delete SA as well, so the CSR deletes both the old and the new IPsec Phase 2 SAs together.
That is how it looks at my side. See the timing for both Delete SAs received.
16821. 6688. 2017-05-13T10:32:43.112: "tunnel"[12] x.x.218.65 #701: received Delete SA (0x33d0183a) payload: deleting IPSEC State #700
16822. 6689. 2017-05-13T10:32:43.118 "tunnel"[12] x.x.218.65 #701: received and ignored informational message
16823. 6690. 2017-05-13T10:32:43.118 "tunnel"[12] x.x.218.65 #701: received Delete SA (0x7e2ffb97) payload: deleting IPSEC State #702
At this time the VPN drops and BGP drops as well.
Immediately after that the CSR initiates a new Phase 2.
And everyone is happy again for 8 hours (although a Phase 2 rekey happens every hour, this problem only occurs after 8 hours, when the Phase 1 rekey is done properly and the first Phase 2 rekey after it is done; then this situation occurs).
16825. 6692. 2017-05-13T10:32:43.131 "tunnel"[12] x.x.218.65 #701: received and ignored informational message
16826. 6693. 2017-05-13T10:32:46.204 "tunnel"[12] x.x.218.65 #701: the peer proposed: 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0
16827. 6694. 2017-05-13T10:32:46.212 "tunnel"[12] x.x.218.65 #703: responding to Quick Mode proposal {msgid:28db47fb}
16828. 6695. 2017-05-13T10:32:46.212 "tunnel"[12] x.x.218.65 #703: us: 0.0.0.0/0===x.x.5.2[x.x.86.110]---x.x.3.2
16829. 6696. 2017-05-13T10:32:46.212 "tunnel"[12] x.x.218.65 #703: them: x.x.3.2---x.x.218.65[x.x.7.180]===0.0.0.0/0
16830. 6697. 2017-05-13T10:32:46.221 "tunnel"[12] x.x.218.65 #703: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
16831. 6698. 2017-05-13T10:32:46.221 "tunnel"[12] x.x.218.65 #703: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
16832. 6699. 2017-05-13T10:32:46.356 "tunnel"[12] x.x.218.65 #703: Dead Peer Detection (RFC 3706): enabled
16834. 6701. 2017-05-13T10:32:46.356 "tunnel"[12]x.x.218.65 #703: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
16835. 6702. 2017-05-13T10:32:46.362 "tunnel"[12] x.x.218.65 #703: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xbebd4c7c
16836. 6703. 2017-05-13T10:32:52.366| ka_event: send NAT-KA to x.x.218.65:4500 (state=#703)
I have checked the CSR configuration; it is configured normally with a Phase 1 lifetime of 8 hours and a Phase 2 lifetime of 1 hour.
CSR
show version
Cisco IOS XE Software, Version 16.03.01a
Cisco IOS Software [Denali], CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.3.1a, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Fri 30-Sep-16 02:53 by mcpre
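The symptom in the log above is two "received Delete SA" lines for the same ISAKMP SA (#701) arriving 6 ms apart, one for the old IPsec state (#700) and one for the freshly negotiated one (#702). The following script is an added example, not code from the poster or from the openswan/strongswan projects: it parses pluto-style log lines in the format shown in the post and flags any ISAKMP SA that receives deletes for two or more distinct IPsec states inside a short window, which is the signature of this tunnel drop. The 5-second window, the regex, and the first sample line (a normal hourly rekey, constructed to show a single delete is not flagged) are assumptions; the other three sample lines are the ones quoted in the post.

```python
"""Flag near-simultaneous 'Delete SA' payloads in openswan/libreswan pluto logs.

A single Delete SA after a rekey is normal (the old Phase 2 SA goes away).
Two deletes for different IPsec states under the same ISAKMP SA within a few
seconds means both the old and the new child SA were torn down, which is what
drops the tunnel and BGP in the post above.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line shape as it appears in the post: optional leading counters, an ISO
# timestamp with an optional trailing colon, "conn"[n], peer, ISAKMP SA #n.
DELETE_RE = re.compile(
    r'(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+):?\s+'
    r'"(?P<conn>[^"]+)"\[\d+\]\s*(?P<peer>\S+)\s+#(?P<isakmp>\d+):\s+'
    r'received Delete SA \((?P<spi>0x[0-9a-fA-F]+)\) payload: '
    r'deleting IPSEC State #(?P<state>\d+)'
)

# Sample input: the first line is constructed (a normal hourly rekey with a
# single delete); the remaining three are the lines quoted in the post.
SAMPLE_LOG = [
    '16700. 6567. 2017-05-13T09:32:40.501: "tunnel"[12] x.x.218.65 #701: '
    'received Delete SA (0x1a2b3c4d) payload: deleting IPSEC State #698',
    '16821. 6688. 2017-05-13T10:32:43.112: "tunnel"[12] x.x.218.65 #701: '
    'received Delete SA (0x33d0183a) payload: deleting IPSEC State #700',
    '16822. 6689. 2017-05-13T10:32:43.118 "tunnel"[12] x.x.218.65 #701: '
    'received and ignored informational message',
    '16823. 6690. 2017-05-13T10:32:43.118 "tunnel"[12] x.x.218.65 #701: '
    'received Delete SA (0x7e2ffb97) payload: deleting IPSEC State #702',
]


def parse_delete_events(lines):
    """Return one dict per 'received Delete SA' line; other lines are skipped."""
    events = []
    for line in lines:
        m = DELETE_RE.search(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%f"),
            "conn": m.group("conn"),
            "peer": m.group("peer"),
            "isakmp": int(m.group("isakmp")),
            "spi": m.group("spi"),
            "state": int(m.group("state")),
        })
    return events


def find_double_deletes(events, window=timedelta(seconds=5)):
    """Group deletes by (peer, ISAKMP SA) and report bursts in which two or
    more distinct IPsec states are deleted within `window` of the first one."""
    by_sa = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_sa[(ev["peer"], ev["isakmp"])].append(ev)

    flagged = []
    for (peer, isakmp), evs in by_sa.items():
        i = 0
        while i < len(evs):
            j = i
            # Extend the burst while the next delete is still inside the window.
            while j + 1 < len(evs) and evs[j + 1]["ts"] - evs[i]["ts"] <= window:
                j += 1
            burst = evs[i:j + 1]
            states = sorted({e["state"] for e in burst})
            if len(states) >= 2:
                flagged.append({
                    "peer": peer,
                    "isakmp": isakmp,
                    "states": states,
                    "spis": [e["spi"] for e in burst],
                    "span": burst[-1]["ts"] - burst[0]["ts"],
                })
            i = j + 1
    return flagged


def analyze(lines=SAMPLE_LOG):
    """Convenience wrapper: parse, then look for double deletes."""
    return find_double_deletes(parse_delete_events(lines))


if __name__ == "__main__":
    for hit in analyze():
        print(f"peer {hit['peer']} ISAKMP #{hit['isakmp']}: IPsec states "
              f"{hit['states']} deleted within {hit['span'].total_seconds():.3f}s "
              f"(SPIs {hit['spis']})")
```

Run against a full pluto log (for example `analyze(open('/var/log/pluto.log').readlines())`), this gives a timestamped list of the events to line up with the peer's side, which is exactly the comparison the poster needs once the CSR logs are available.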
05-19-2017 11:16 PM
Hello,
I guess you have already checked the IPsec configurations on both sides for any Phase 2 configuration mismatches?
Can you post the ipsec.conf file, as well as the CSR configuration?
05-20-2017 01:15 AM
I think I have found the problem: the CSR has an EEM template that is shutting down the tunnel on some IPsec messages. I am asking them to remove that piece of configuration and observe; I think that is the root cause.
Will keep you guys posted :) Have a good weekend.