02-22-2019 01:54 PM
So I am trying to t-shoot an IPsec tunnel issue (goes down every now and then) between an ASA and a router. One thing I notice when looking at the remote side (the router) is that the group numbers don't match, such as under the ikev2 proposal config and then under the crypto map config. Don't they both have to be the same? See configs below (had to scrub due to security) in case something seems pretty off; maybe I did not make the changes match.
Does anyone see anything incorrect?
crypto ikev2 proposal ikev2-TEST-prop
encryption aes-cbc-256
integrity sha384
group 22
!
crypto ikev2 policy ikev2-TEST-pol
match fvrf TEST_vrf
match address local X.X.X.247
proposal ikev2-TEST-prop
!
crypto ikev2 keyring TEST_Keyring
peer inscom
description TEST
address X.X.X.37
pre-shared-key local <pre-shared-key removed>
pre-shared-key remote <pre-shared-key removed>
!
crypto ikev2 profile X.X.X.ikev2-prof
description TEST profile
match fvrf TEST
match identity remote address X.X.X.37 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring local TEST_Keyring
dpd 10 2 on-demand
ivrf TEST_vrf
!
crypto ipsec transform-set TEST_transform-aes esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto map TEST_map local-address Loopback311
crypto map TEST_map 10 ipsec-isakmp
description TEST
set peer X.X.X.37
set transform-set TEST-transform-aes
set pfs group15
set ikev2-profile TEST-ikev2-prof
match address TEST_ACL
!
ip route vrf TEST_vrf 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1.79 X.X.X.10
!
ip access-list extended TEST_ACL
permit ip X.X.X.113.0 0.0.0.64 any
!
interface GigabitEthernet1/0/1.2978
encapsulation dot1Q 79
ip vrf forwarding TEST
ip address X.X.X.14 255.255.255.248
crypto map TEST_map
!
interface GigabitEthernet1/0/0.52
encapsulation dot1Q 251
ip vrf forwarding TEST_vrf
ip address X.X.X.6 255.255.255.248
ip mtu 1376
ip tcp adjust-mss 1336
!
interface Loopback311
description TEST loopback
ip vrf forwarding TEST_vrf
ip address X.X.X.246 255.255.255.255
02-22-2019 02:24 PM - edited 02-23-2019 03:51 AM
Hi,
Yes, the groups do need to match on both peer devices for the IKEv2 proposal and the PFS group under the crypto map. If they do not match, the tunnel will not come up.
EDIT: To clarify my above comment, which after re-reading may not be clear. The IKEv2 proposal DH group on both devices (ASA and router) must be the same in order for the IKEv2 SA to be established. The PFS group must be the same on both devices (ASA and router) for PFS to work. The IKEv2 proposal and PFS group could be different as long as the peer device is configured the same... but you are unlikely to configure different groups, because why would you want to use a potentially weaker cipher. I use this Cisco post to identify which algorithms to use; DH groups 19, 14 and 21 are preferred (by Cisco) nowadays.
HTH
02-22-2019 02:26 PM - edited 02-22-2019 02:27 PM
Hello,
try changing the DH and PFS groups as below (marked in bold). The ASA groups need to match, obviously.
Also, to be sure, check the NTP settings on both devices and make sure the clocks match...
If possible, post the ASA config as well...
crypto ikev2 proposal ikev2-TEST-prop
encryption aes-cbc-256
integrity sha384
group 5 2 14
!
crypto ikev2 policy ikev2-TEST-pol
match fvrf TEST_vrf
match address local X.X.X.247
proposal ikev2-TEST-prop
!
crypto ikev2 keyring TEST_Keyring
peer inscom
description TEST
address X.X.X.37
pre-shared-key local <pre-shared-key removed>
pre-shared-key remote <pre-shared-key removed>
!
crypto ikev2 profile X.X.X.ikev2-prof
description TEST profile
match fvrf TEST
match identity remote address X.X.X.37 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring local TEST_Keyring
dpd 10 2 on-demand
ivrf TEST_vrf
!
crypto ipsec transform-set TEST_transform-aes esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto map TEST_map local-address Loopback311
crypto map TEST_map 10 ipsec-isakmp
description TEST
set peer X.X.X.37
set transform-set TEST-transform-aes
set pfs group2
set ikev2-profile TEST-ikev2-prof
match address TEST_ACL
!
ip route vrf TEST_vrf 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1.79 X.X.X.10
!
ip access-list extended TEST_ACL
permit ip X.X.X.113.0 0.0.0.64 any
!
interface GigabitEthernet1/0/1.2978
encapsulation dot1Q 79
ip vrf forwarding TEST
ip address X.X.X.14 255.255.255.248
crypto map TEST_map
!
interface GigabitEthernet1/0/0.52
encapsulation dot1Q 251
ip vrf forwarding TEST_vrf
ip address X.X.X.6 255.255.255.248
ip mtu 1376
ip tcp adjust-mss 1336
!
interface Loopback311
description TEST loopback
ip vrf forwarding TEST_vrf
ip address X.X.X.246 255.255.255.255
02-23-2019 12:13 AM - edited 02-23-2019 12:26 AM
Hi,
IKEv2 gives you the flexibility to add multiple parameters as a group under a single proposal, as below:
crypto ikev2 proposal ikev2-TEST-prop
encryption aes-cbc-256
integrity sha384
group 22 14 12
It is not compulsory for the Phase 1 DH group and the PFS group to be the same. They have different aims and purposes in the configuration. But both configurations must be the same on both devices.
Regards,
Deepak Kumar
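Added example, not taken from any of the posts above: the minimum that has to line up between the IOS router and the ASA for the advice in the two replies above (same DH group in the IKEv2 proposal/policy so the IKE SA comes up, same PFS group on the crypto map so Child SA rekeys succeed). The two groups are negotiated in different exchanges (the IKE SA group in IKE_SA_INIT, the PFS group in CREATE_CHILD_SA on rekey), which is why they can legally differ from each other but must each match the peer. The ASA object names (policy 10, ipsec-proposal AES256-SHA1, outside_map) are assumptions; the addresses are the scrubbed ones from the thread and the router side keeps the OP's object names. The router proposal offers two DH groups to show that IOS will negotiate either; the ASA policy carries a single group, which has to be one of them. Pre-shared keys are left as placeholders.

```cisco
! ===== Router (IOS) side: only the two group lines are the point here =====
crypto ikev2 proposal ikev2-TEST-prop
 encryption aes-cbc-256
 integrity sha384
 ! IKE SA DH groups offered in IKE_SA_INIT; the ASA must accept one of them
 group 14 19
!
crypto ipsec transform-set TEST-transform-aes esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map TEST_map 10 ipsec-isakmp
 set peer X.X.X.37
 set transform-set TEST-transform-aes
 ! Child SA DH group used on CREATE_CHILD_SA rekeys; must equal the ASA's "set pfs"
 set pfs group14
 set ikev2-profile TEST-ikev2-prof
 match address TEST_ACL

! ===== ASA side (assumed object names) =====
crypto ikev2 policy 10
 encryption aes-256
 integrity sha384
 ! must be one of the groups in the router's proposal (14 or 19 above)
 group 14
 prf sha384
 ! ASA default; this is the "Rekey Time Interval" ASDM shows for IKEv2
 lifetime seconds 86400
!
! ESP algorithms: aes-256 = "esp-aes 256" on IOS, sha-1 = "esp-sha-hmac" on IOS
crypto ipsec ikev2 ipsec-proposal AES256-SHA1
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
! TEST_ACL on the ASA must be the mirror image of the router's crypto ACL
! (ASA ACLs use subnet masks, not IOS wildcard masks)
crypto map outside_map 10 match address TEST_ACL
crypto map outside_map 10 set peer X.X.X.247
crypto map outside_map 10 set ikev2 ipsec-proposal AES256-SHA1
! same PFS group as the router's "set pfs group14"
crypto map outside_map 10 set pfs group14
crypto map outside_map interface outside
crypto ikev2 enable outside
!
tunnel-group X.X.X.247 type ipsec-l2l
tunnel-group X.X.X.247 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <pre-shared-key removed>
 ikev2 local-authentication pre-shared-key <pre-shared-key removed>
 ! ASA-side DPD: same 10 s interval / 2 retries as the router's "dpd 10 2"
 isakmp keepalive threshold 10 retry 2
```

If the router keeps a single group in its proposal, as in the original config, that group and the ASA policy group must be identical; listing several groups on the IOS side only buys flexibility, it does not relax the requirement that the ASA's one group be among them.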
02-23-2019 06:47 AM - edited 02-23-2019 06:52 AM
Hello
Just like to add: the problem doesn't seem to be the establishment of the ISAKMP/IPsec SAs; it sounds like an intermittent issue, correct?
Are you sure this isn't a physical issue regarding the connectivity between the ASA and the router?
That said, I'd also suggest checking whether any IPsec idle timeout values are being set or not.
02-24-2019 02:08 PM
02-24-2019 09:18 PM
Hi,
As you say, "I am able to get it back up by simply refreshing/bouncing the connection."
Then I am assuming that there is a DPD or Phase 1 timer (lifetime) mismatch error. Have you verified the same? The Phase 1 lifetime must be higher than the Phase 2 lifetime.
Regards,
Deepak Kumar
02-25-2019 06:53 AM - edited 02-25-2019 07:28 AM
I can see lifetime values (sa timing: remaining key lifetime (kB/sec): (1519895/23928)) from sh crypto ipsec sa
and
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
from sh running-config all | include crypto
This output does not specify which tunnel this applies to, so I assume it is globally applied to all?
When I look at "Session Details" from ASDM, I see Rekey Time Interval: 86400 seconds for IKEv2
and 28800 for IPsec. Is this correct?
Also, I don't see how to verify DPD on the ASA, if it is supported? Having difficulty looking this up.
The below output is what I have as well.
ASA#sh running-config all | include isakmp
object service udp-isakmp pre-defined
service udp destination eq isakmp
service-object udp destination eq isakmp
service-object udp destination eq isakmp
service-object udp destination eq isakmp
service-object udp destination eq isakmp
service-object udp destination eq isakmp
service-object udp destination eq isakmp
service-object udp destination eq isakmp
service-object udp destination eq isakmp
service-object udp destination eq isakmp
service-object udp destination eq isakmp
service-object udp destination eq isakmp
service-object udp destination eq isakmp
service-object udp destination eq isakmp
service-object udp destination eq isakmp
service-object udp destination eq isakmp
crypto isakmp identity address
crypto isakmp nat-traversal 10
isakmp keepalive threshold 10 retry 2
isakmp keepalive threshold 300 retry 2
isakmp keepalive threshold 300 retry 2
isakmp keepalive threshold 10 retry 2
isakmp keepalive threshold 10 retry 2
isakmp keepalive threshold 10 retry 2
isakmp keepalive threshold 3600 retry 2
and
ASA# sh running-config all | include ipsec
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
02-25-2019 08:31 AM
02-25-2019 07:16 PM - edited 02-25-2019 07:17 PM
Good question, I don't know. There are multiple IPsec VPNs on this ASA; however, there should only be one "isakmp keepalive threshold X retry X" statement and one "service-object udp destination eq isakmp" statement, correct?
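Added example, not part of the thread: how to read the per-tunnel lifetime and DPD settings on each box instead of the flattened "| include" view in the posts above. On the ASA, "crypto ipsec security-association lifetime" is a global default that every crypto map entry inherits unless the entry carries its own "set security-association lifetime", and "show running-config all crypto map" prints the effective value per entry. DPD on the ASA is the "isakmp keepalive threshold <seconds> retry <count>" line under each tunnel-group's ipsec-attributes, including the built-in Default* tunnel-groups, which is why "show running-config all | include isakmp" lists one keepalive line per tunnel-group rather than one per device; the repeated "service-object udp destination eq isakmp" lines are members of service object-groups (one per group that references UDP/500) and say nothing about the tunnel. Peer addresses are the scrubbed ones from the thread; the IOS profile name is the one the OP's crypto map references.

```cisco
! ===== ASA =====
! effective IKEv2 SA lifetime per policy (ASA default 86400 s)
show running-config all crypto ikev2
! effective IPsec SA lifetime per crypto map entry: inherits the global
! 28800 s / 4608000 kB unless the entry has its own "set security-association lifetime"
show running-config all crypto map
! DPD for this peer only; look for "isakmp keepalive threshold 10 retry 2"
show running-config all tunnel-group X.X.X.247
! live IKEv2 SA with remaining lifetime and DPD state
show crypto ikev2 sa detail
! per-SPI IPsec SA counters for this peer: remaining lifetime, replay/decrypt errors
show crypto ipsec sa peer X.X.X.247
! one line per site-to-site session with uptime, handy for timestamping the drops
show vpn-sessiondb l2l
! aggregate IKEv2 negotiation and failure counters
show crypto ikev2 stats
!
! ===== Router (IOS) =====
! IKEv2 SA: look for the Life/Active Time line and the DPD line (10 s, retry 2)
show crypto ikev2 sa detailed
! per-peer IPsec SAs with remaining lifetimes
show crypto ipsec sa peer X.X.X.37 detail
! last IKEv2 negotiation failures recorded by the router
show crypto ikev2 diagnose error
! on IOS the IKEv2 SA lifetime is a profile attribute (default 86400 s);
! set it explicitly if you want it to match the ASA policy
crypto ikev2 profile TEST-ikev2-prof
 lifetime 86400
```

Compare the IOS "remaining key lifetime" with the ASA's per-entry value: IOS defaults its IPsec SA lifetime to 3600 seconds while the ASA defaults to 28800, so unless the router config sets "crypto ipsec security-association lifetime" the two sides will rekey on different schedules. IKEv2 tolerates that, because whichever side expires first initiates the rekey, but it is worth knowing when reading the timers.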
02-25-2019 08:43 PM