I currently have a Cisco 2911/K9 router with about 110 IKEv2 site-to-site tunnels configured. About 98% of them work seamlessly; however, there are about three clients with which we continue to have intermittent issues. I have set up debugs and embedded captures with Cisco TAC, but the root cause always seems to be unknown. For the few clients we are having the problems with, I have verified that all phase 1 and phase 2 settings are identical. Two of the clients are using ASAs and the other is using Check Point. One specific client is using an ASA, and his side of the tunnel will occasionally go down; however, when I go to look at the tunnel, my side will show UP-ACTIVE. We use PSK for authentication with all clients. For phase 1 we are using AES-256, SHA-256, DH group 14, 24-hour lifetime; for phase 2 we are using ESP, AES-256, SHA-256, 1-hour lifetime, no PFS.
Please ask any questions, I'll be happy to provide any information.
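As an added example (not from the original post and not Cisco's own reference configuration), here is an IOS IKEv2 site-to-site configuration for one peer using exactly the phase 1 and phase 2 parameters stated above (PSK, AES-256, SHA-256, DH group 14, 24-hour IKE lifetime, ESP AES-256/SHA-256, 1-hour IPsec lifetime, no PFS), together with the router-side checks to run when the peer reports the tunnel down. The peer address 203.0.113.10, the local address 198.51.100.1, the object names, the placeholder PSKs and the VTI addressing are assumptions for this example; the thread does not say whether the original router uses a VTI or a crypto map, nor whether dead peer detection is configured. The DPD line is included because a missing liveness check is one common reason an IOS side keeps reporting an SA as UP-ACTIVE after the remote side has torn it down.

```cisco
! Added example (not from the original post): IOS IKEv2 site-to-site
! configuration for ONE peer using the thread's stated parameters.
! Peer 203.0.113.10, local 198.51.100.1, object names, PSKs and tunnel
! addressing are placeholders chosen for this example.

! Phase 1 (IKE_SA): AES-256, SHA-256, DH group 14, 24 h lifetime
crypto ikev2 proposal PROP-AES256-SHA256-G14
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy POL-S2S
 proposal PROP-AES256-SHA256-G14
!
crypto ikev2 keyring KR-S2S
 peer CLIENT-A
  address 203.0.113.10
  pre-shared-key local  <local-psk>
  pre-shared-key remote <remote-psk>
!
crypto ikev2 profile PROF-CLIENT-A
 match identity remote address 203.0.113.10 255.255.255.255
 identity local address 198.51.100.1
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-S2S
 lifetime 86400
 ! Liveness check (assumed, not stated in the thread): probe the peer after
 ! 10 s of silence, retry every 2 s; on failure the IKE SA and its child
 ! SAs are deleted, so a peer that dropped the tunnel does not linger as
 ! UP-ACTIVE on this side.
 dpd 10 2 on-demand
!
! Phase 2 (CHILD_SA): ESP, AES-256, SHA-256, 1 h lifetime, no PFS
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-CLIENT-A
 set transform-set TS-AES256-SHA256
 set ikev2-profile PROF-CLIENT-A
 set security-association lifetime seconds 3600
!
! Route-based tunnel (assumed; a crypto map would work the same way)
interface Tunnel10
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-CLIENT-A
!
! Checks to run on the router when the peer reports the tunnel down.
! Note the inbound/outbound SPIs and the #pkts counters, wait a minute,
! and run them again: "UP-ACTIVE" with counters that do not move points
! at a stale SA on this side rather than a working tunnel.
! show crypto session remote 203.0.113.10 detail
! show crypto ikev2 sa detailed
! show crypto ipsec sa peer 203.0.113.10
!
! Forces a fresh negotiation so both sides start from a clean SA:
! clear crypto ikev2 sa remote 203.0.113.10
```

When comparing against the ASA or Check Point side, check that the peer's IPsec SA lifetime and its own liveness timers are set to values the router can live with; if only one side rekeys or probes, the side that does not will keep showing the old SA until its own lifetime expires.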
I am interested in this part of the original post:
One specific client is using an ASA, and his side of the tunnel will occasionally go down; however, when I go to look at the tunnel, my side will show UP-ACTIVE.
What commands are you using to see this? Can you post that output? If you execute the command(s), wait a bit, and execute them again, does the output change?
Francesco, I will try to get the client to do a capture/debug; however, the clients aren't always the most cooperative.