
IPsec VPN error|tunnel is down|Maximum concurrent IKE negotiations exceeded|Session is being torn down. Reason: Idle Timeout

Amol_Telore
Level 1

How to troubleshoot the IPsec VPN error? As per the attached syslog, the tunnel is down and the below error started being received continuously.

------------------------------Syslog--------------------------------------

Mar 7 14:03:09 10.133.12.16 %ASA-5-713049: Group = 62.209.35.109, IP = 62.209.35.109, Security negotiation complete for LAN-to-LAN Group (62.209.35.109) Responder, Inbound SPI = 0x4374bc85, Outbound SPI = 0x6a2e212d
Mar 7 14:03:09 10.133.12.16 %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x4374BC85) between 115.114.148.76 and 62.209.35.109 (user= 62.209.35.109) has been created.
Mar 7 14:03:09 10.133.12.16 %ASA-5-713120: Group = 62.209.35.109, IP = 62.209.35.109, PHASE 2 COMPLETED (msgid=8f1aa1c0)
Mar 7 14:05:08 10.133.12.16 %ASA-6-302016: Teardown UDP connection 3764961 for Outside:62.209.35.109/500 to identity:115.114.148.76/500 duration 0:02:05 bytes 1976
Mar 7 14:23:44 10.133.12.16 %ASA-4-750003: Local:115.114.148.76:500 Remote:62.209.35.109:500 Username:62.209.35.109 Negotiation aborted due to ERROR: Maximum number of retransmissions reached
Mar 7 14:23:44 10.133.12.16 %ASA-5-713041: Group = 62.209.35.109, IP = 62.209.35.109, IKE Initiator: New Phase 2, Intf Outside, IKE Peer 62.209.35.109 local Proxy Address 10.47.136.128, remote Proxy Address 10.47.136.0, Crypto map (CTZmap)
Mar 7 14:26:53 10.133.12.16 %ASA-6-302015: Built inbound UDP connection 3765199 for Outside:62.209.35.109/500 (62.209.35.109/500) to identity:115.114.148.76/500 (115.114.148.76/500)
Mar 7 14:28:54 10.133.12.16 %ASA-6-302016: Teardown UDP connection 3765199 for Outside:62.209.35.109/500 to identity:115.114.148.76/500 duration 0:02:01 bytes 184
Mar 7 14:33:33 10.133.12.16 %ASA-5-713050: Group = 62.209.35.109, IP = 62.209.35.109, Connection terminated for peer 62.209.35.109. Reason: IPSec SA Idle Timeout Remote Proxy 10.47.136.0, Local Proxy 10.47.136.128
Mar 7 14:33:33 10.133.12.16 %ASA-6-302015: Built outbound UDP connection 3765230 for Outside:62.209.35.109/500 (62.209.35.109/500) to identity:115.114.148.76/500 (115.114.148.76/500)
Mar 7 14:33:33 10.133.12.16 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x6A2E212D) between 115.114.148.76 and 62.209.35.109 (user= 62.209.35.109) has been deleted.
Mar 7 14:33:33 10.133.12.16 %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x4374BC85) between 62.209.35.109 and 115.114.148.76 (user= 62.209.35.109) has been deleted.
Mar 7 14:35:35 10.133.12.16 %ASA-6-302016: Teardown UDP connection 3765230 for Outside:62.209.35.109/500 to identity:115.114.148.76/500 duration 0:02:01 bytes 76
Mar 7 14:40:14 10.133.12.16 %ASA-6-302015: Built inbound UDP connection 3765446 for Outside:62.209.35.109/500 (62.209.35.109/500) to identity:115.114.148.76/500 (115.114.148.76/500)
Mar 7 14:44:20 10.133.12.16 %ASA-6-302016: Teardown UDP connection 3765446 for Outside:62.209.35.109/500 to identity:115.114.148.76/500 duration 0:04:05 bytes 736
Mar 7 16:03:36 10.133.12.16 %ASA-6-302015: Built inbound UDP connection 3766290 for Outside:62.209.35.109/500 (62.209.35.109/500) to identity:115.114.148.76/500 (115.114.148.76/500)
Mar 7 16:05:35 10.133.12.16 %ASA-6-302016: Teardown UDP connection 3766290 for Outside:62.209.35.109/500 to identity:115.114.148.76/500 duration 0:02:02 bytes 184
Mar 7 16:30:41 10.133.12.16 %ASA-6-302016: Teardown UDP connection 3766330 for Outside:62.209.35.109/500 to identity:115.114.148.76/500 duration 0:12:35 bytes 2576
Mar 7 16:48:53 10.133.12.16 %ASA-6-302015: Built inbound UDP connection 3766480 for Outside:62.209.35.109/500 (62.209.35.109/500) to identity:115.114.148.76/500 (115.114.148.76/500)
Mar 7 17:00:30 10.133.12.16 %ASA-6-302015: Built inbound UDP connection 3766531 for Outside:62.209.35.109/500 (62.209.35.109/500) to identity:115.114.148.76/500 (115.114.148.76/500)
Mar 7 17:02:32 10.133.12.16 %ASA-6-302016: Teardown UDP connection 3766531 for Outside:62.209.35.109/500 to identity:115.114.148.76/500 duration 0:02:02 bytes 184
Mar 7 17:37:22 10.133.12.16 %ASA-6-302016: Teardown UDP connection 3766781 for Outside:62.209.35.109/500 to identity:115.114.148.76/500 duration 0:02:02 bytes 184
Mar 7 17:53:43 10.133.12.16 %ASA-6-302015: Built inbound UDP connection 3766866 for Outside:62.209.35.109/500 (62.209.35.109/500) to identity:115.114.148.76/500 (115.114.148.76/500)
Mar 7 17:55:44 10.133.12.16 %ASA-6-302016: Teardown UDP connection 3766866 for Outside:62.209.35.109/500 to identity:115.114.148.76/500 duration 0:02:01 bytes 184
Mar 7 18:57:32 10.133.12.16 %ASA-5-713259: Group = 62.209.35.109, IP = 62.209.35.109, Session is being torn down. Reason: Idle Timeout
Mar 7 18:57:32 10.133.12.16 %ASA-4-113019: Group = 62.209.35.109, Username = 62.209.35.109, IP = 62.209.35.109, Session disconnected. Session Type: LAN-to-LAN, Duration: 4h:54m:29s, Bytes xmt: 2083873, Bytes rcv: 20929301, Reason: Idle Timeout
Mar 7 18:57:32 10.133.12.16 %ASA-5-713050: Group = 62.209.35.109, IP = 62.209.35.109, Connection terminated for peer 62.209.35.109. Reason: IPSec SA Idle Timeout Remote Proxy 10.47.136.128, Local Proxy 10.47.136.0
Mar 7 18:57:32 10.133.12.16 %ASA-6-302015: Built outbound UDP connection 3767208 for Outside:62.209.35.109/500 (62.209.35.109/500) to identity:115.114.148.76/500 (115.114.148.76/500)
Mar 7 18:57:32 10.133.12.16 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x6A2E2BDF) between 115.114.148.76 and 62.209.35.109 (user= 62.209.35.109) has been deleted.
Mar 7 18:57:32 10.133.12.16 %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xBC85A606) between 62.209.35.109 and 115.114.148.76 (user= 62.209.35.109) has been deleted.
Mar 7 18:57:34 10.133.12.16 %ASA-3-713191: IP = 62.209.35.109, Maximum concurrent IKE negotiations exceeded!
Mar 7 18:57:39 10.133.12.16 %ASA-3-713191: IP = 62.209.35.109, Maximum concurrent IKE negotiations exceeded!
Mar 7 18:57:51 10.133.12.16 %ASA-3-713191: IP = 62.209.35.109, Maximum concurrent IKE negotiations exceeded!
Mar 7 18:58:05 10.133.12.16 %ASA-3-713191: IP = 62.209.35.109, Maximum concurrent IKE negotiations exceeded!
Mar 7 18:58:10 10.133.12.16 %ASA-3-713191: IP = 62.209.35.109, Maximum concurrent IKE negotiations exceeded!
Mar 7 18:58:22 10.133.12.16 %ASA-3-713191: IP = 62.209.35.109, Maximum concurrent IKE negotiations exceeded!
Mar 7 18:58:35 10.133.12.16 %ASA-3-713191: IP = 62.209.35.109, Maximum concurrent IKE negotiations exceeded!
Mar 7 18:58:41 10.133.12.16 %ASA-3-713191: IP = 62.209.35.109, Maximum concurrent IKE negotiations exceeded!
Mar 7 18:58:52 10.133.12.16 %ASA-3-713191: IP = 62.209.35.109, Maximum concurrent IKE negotiations exceeded!
Mar 7 18:59:05 10.133.12.16 %ASA-3-713191: IP = 62.209.35.109, Maximum concurrent IKE negotiations exceeded!
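
A triage helper for a log like the one above, added here as an example and not part of the original post: it parses the ASA records, lists the teardown reasons the ASA itself logged, and groups repeats of message 713191 into bursts so their timing relative to the teardown is visible. The function names, the 30-second gap and the placeholder year are assumptions; the sample lines are copied from the post, plus one constructed malformed line.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the syslog in the post, plus one constructed malformed line.
SAMPLE = """\
Mar 7 18:57:32 10.133.12.16 %ASA-5-713259: Group = 62.209.35.109, IP = 62.209.35.109, Session is being torn down. Reason: Idle Timeout
Mar 7 18:57:32 10.133.12.16 %ASA-5-713050: Group = 62.209.35.109, IP = 62.209.35.109, Connection terminated for peer 62.209.35.109. Reason: IPSec SA Idle Timeout Remote Proxy 10.47.136.128, Local Proxy 10.47.136.0
Mar 7 18:57:34 10.133.12.16 %ASA-3-713191: IP = 62.209.35.109, Maximum concurrent IKE negotiations exceeded!
Mar 7 18:57:39 10.133.12.16 %ASA-3-713191: IP = 62.209.35.109, Maximum concurrent IKE negotiations exceeded!
Mar 7 18:57:51 10.133.12.16 %ASA-3-713191: IP = 62.209.35.109, Maximum concurrent IKE negotiations exceeded!
Mar 7 18:58:05 10.133.12.16 %ASA-3-713191: IP = 62.209.35.109, Maximum concurrent IKE negotiations exceeded!
this is not an ASA syslog record
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+%ASA-(\d)-(\d{6}):\s*(.*)$")

def parse(text, year=2000):  # the syslog carries no year; 2000 is an assumed placeholder
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not an ASA syslog record
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append({"time": when, "sev": int(m.group(3)), "id": m.group(4), "text": m.group(5)})
    return events

def teardown_reasons(events):
    """Reasons the ASA itself logged for closing the session or an SA."""
    found = []
    for e in events:
        m = re.search(r"Reason: (.+?)(?: Remote Proxy|$)", e["text"])
        if m:
            found.append((e["time"], e["id"], m.group(1).strip()))
    return found

def bursts(events, msg_id, max_gap=timedelta(seconds=30)):
    """Group repeats of one message ID whose spacing never exceeds max_gap."""
    runs = []
    for e in (e for e in events if e["id"] == msg_id):
        if runs and e["time"] - runs[-1]["end"] <= max_gap:
            runs[-1]["end"], runs[-1]["count"] = e["time"], runs[-1]["count"] + 1
        else:
            runs.append({"start": e["time"], "end": e["time"], "count": 1})
    return runs

if __name__ == "__main__":
    ev = parse(SAMPLE)
    print([(t.time().isoformat(), mid, why) for t, mid, why in teardown_reasons(ev)])
    print([(r["start"].time().isoformat(), r["end"].time().isoformat(), r["count"]) for r in bursts(ev, "713191")])
```
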

 
