IKEv2 Site to Site Tunnel issues Cisco 2911/K9

sgalarza
Level 1

Hello,

I currently have a Cisco 2911/K9 router with about 110 IKEv2 site-to-site tunnels configured. About 98% of them work seamlessly; however, we have about 3 clients that we continue to have intermittent issues with. I have set up debugs and embedded captures with Cisco TAC, but the root cause always seems to be unknown. With the few clients we are having the problems with, I have verified that all phase 1 and phase 2 settings match identically. Two of the clients are using ASAs and the other is using Check Point. One specific client is using an ASA, and his side of the tunnel will occasionally go down; however, when I go to look at the tunnel, my side will show UP-ACTIVE. We use PSK for authentication with all clients. For phase 1 we are using AES-256, SHA-256, DH group 14, 24-hour lifetime; for phase 2 we are using ESP, AES-256, SHA-256, lifetime 1 hour, no PFS.


Please ask any questions, I'll be happy to provide any information.


Thanks

6 Replies

Francesco Molino
VIP Alumni
Hi

Do you have debugs and capture to share when the connection is dropping and coming back up?
Issues you're having are only with customers using a firewall on their end?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I am interested in this part of the original post:

  One specific client is using an ASA and his side of the tunnel will occasionally go down, however when I go to look at the tunnel, my side will show UP-ACTIVE.

What commands are you using to see this? Can you post that output? If you execute the command(s), wait a bit, and execute again, does the output change?

HTH

Rick

Hey Richard,


The command I'm using is "sh crypto ses rem X.X.X.X det"; output is attached. It doesn't change, if you are referring to the port that the tunnel is being built on.


Francesco, I have attached a debug from last week (7/16/2019). Just about all of our clients use some form of firewall from various vendors.


Thanks,

Steve
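One way to act on Rick's suggestion (run the command, wait, run it again) is to compare two samples of the `show crypto session remote <peer> detail` output and see whether the ESP packet counters move. This is an added example, not code from the original thread; the two snapshots and their addresses are constructed, and the field layout is assumed to follow the usual IOS output.

```python
import re

# Constructed sample: two snapshots of `show crypto session remote <peer> detail`
# taken a minute apart. Addresses are from documentation ranges; the exact
# spacing of the real IOS output may differ (assumption).
SAMPLE_T0 = """\
Session status: UP-ACTIVE
Peer: 203.0.113.10 port 500 fvrf: (none) ivrf: (none)
  IKEv2 SA: local 198.51.100.1/500 remote 203.0.113.10/500 Active
  IPSEC FLOW: permit ip 10.1.0.0/255.255.0.0 10.2.0.0/255.255.0.0
        Inbound:  #pkts dec'ed 1200 drop 0 life (KB/Sec) 4607996/3278
        Outbound: #pkts enc'ed 1250 drop 0 life (KB/Sec) 4607998/3278
"""
SAMPLE_T1 = """\
Session status: UP-ACTIVE
Peer: 203.0.113.10 port 500 fvrf: (none) ivrf: (none)
  IKEv2 SA: local 198.51.100.1/500 remote 203.0.113.10/500 Active
  IPSEC FLOW: permit ip 10.1.0.0/255.255.0.0 10.2.0.0/255.255.0.0
        Inbound:  #pkts dec'ed 1200 drop 0 life (KB/Sec) 4607996/3218
        Outbound: #pkts enc'ed 1310 drop 0 life (KB/Sec) 4607990/3218
"""

def parse_session(text):
    """Return peer, session status and summed inbound/outbound packet counters."""
    peer = re.search(r"^Peer:\s+(\S+)", text, re.M).group(1)
    status = re.search(r"^Session status:\s+(\S+)", text, re.M).group(1)
    dec = sum(int(n) for n in re.findall(r"#pkts dec'ed (\d+)", text))
    enc = sum(int(n) for n in re.findall(r"#pkts enc'ed (\d+)", text))
    return {"peer": peer, "status": status, "dec": dec, "enc": enc}

def assess(before, after):
    """Compare two snapshots and tell a live tunnel from a stale UP-ACTIVE one."""
    a, b = parse_session(before), parse_session(after)
    if b["status"] != "UP-ACTIVE":
        return "down"
    rx = b["dec"] - a["dec"]   # packets decrypted from the peer since last sample
    tx = b["enc"] - a["enc"]   # packets encrypted toward the peer since last sample
    if rx > 0 and tx > 0:
        return "healthy"
    if tx > 0 and rx == 0:
        return "one-way"       # we send, the peer never answers: peer side likely down
    return "stale"             # UP-ACTIVE but no traffic in either direction

if __name__ == "__main__":
    print(assess(SAMPLE_T0, SAMPLE_T1))  # one-way
```

A "one-way" or "stale" verdict while the status still reads UP-ACTIVE is the local symptom described in the original post, and is the moment to start the debug on both ends.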

When you captured this debug, did you have a chance to do the same on the other end? I do see a lot of retransmissions, and it would be interesting to see what's happening on the other side. Can you do such captures next time it goes down, meaning capture on both sides? And please leave the debug running until the connection comes back up.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Francesco, I will try to get the client to do a capture/debug; however, sometimes the clients aren't always the most cooperative.


Thanks,

Steve
