09-18-2019 05:23 PM
Sep 18 2019 03:53:36: %ASA-5-750007: Local:x.x.x.x:500 Remote:x.x.x.x:500 Username:x.x.x.x IKEv2 SA DOWN. Reason: unknown
Sep 18 2019 03:53:36: %ASA-4-113019: Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: LAN-to-LAN, Duration: 1h:02m:47s, Bytes xmt: 227326, Bytes rcv: 284076, Reason: Internal Error
Sep 18 2019 03:54:01: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = CRYPTO-MAP. Map Sequence Number = 1.
Between Sept 1 and Sept 18 this error has appeared 135 times and the VPN tunnel has reestablished in a few seconds.
Cisco Adaptive Security Appliance Software Version 9.8(2)
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(2)
Compiled on Sun 27-Aug-17 13:06 PDT by builders
System image file is "disk0:/asa982-lfbff-k8.SPA"
Config file at boot was "startup-config"
NC-ASA up 195 days 23 hours
Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB
Please help ASAP. The site is facing many issues because of this.
Thanks
09-18-2019 08:15 PM
09-18-2019 10:10 PM
Hi Francesco
The other side is an ASA 5506 too. Running 9.6.1
and since this is happening at random times, I haven't run any debug platform or protocols yet.
Which debug do you suggest? And is there any bug? Please help.
Thanks
09-19-2019 06:19 AM
Can you provide (as attachment) the "show tech" output from both ASAs (i.e. both ends of the VPN)?
09-19-2019 06:51 AM - edited 09-19-2019 05:32 PM
The issue is, the VPN tunnel keeps going down at NC-ASA (Local:72.93.32.122:500 Remote:24.214.135.3:500)
I have changed sensitive information like IP addresses and hostnames.
Thanks
Shiva
09-19-2019 09:15 AM
Your syr-asa has:
crypto map CRYPTO-MAP 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
A matching ikev1 transform set definition is missing on nc-asa. You should have the same transform sets on both, so add it on the nc-asa side.
09-19-2019 05:14 PM
Sure, I will do that and check. Just to understand: we use IKEv2 on the tunnel in question, so is it still going to be a problem? The tunnel keeps breaking down and it forms back in a few seconds.
I am still a beginner in security, so please don't mind me asking silly questions.
Thanks
09-23-2019 07:11 AM
Even after adding the transform sets, the issue is occurring every day (at least 15-20 times).
Sep 22 2019 06:44:39: %ASA-5-750007: Local:7.9.3.1:500 Remote:2.2.1.3:500 Username:2.2.1.3 IKEv2 SA DOWN. Reason: unknown
Sep 22 2019 06:44:39: %ASA-4-113019: Group = 2.2.1.3, Username = 2.2.1.3, IP = 2.2.1.3, Session disconnected. Session Type: LAN-to-LAN, Duration: 1h:02m:47s, Bytes xmt: 205355, Bytes rcv: 287237, Reason: Internal Error
Please suggest.
Thanks
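To quantify drops like the ones logged in this thread, the following added example (not part of any post here and not Cisco code) parses ASA syslog lines in the format shown above, counts LAN-to-LAN disconnects per peer, groups them by session duration and reason, and measures the seconds from each IKEv2 SA DOWN to the next KEY_ACQUIRE dispatch. The sample lines, the placeholder addresses and the function name `summarize` are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the ASA syslog lines quoted in this thread.
# Addresses are documentation-range placeholders, not values from the thread.
SAMPLE = """\
Sep 18 2019 03:53:36: %ASA-5-750007: Local:192.0.2.1:500 Remote:198.51.100.2:500 Username:198.51.100.2 IKEv2 SA DOWN. Reason: unknown
Sep 18 2019 03:53:36: %ASA-4-113019: Group = 198.51.100.2, Username = 198.51.100.2, IP = 198.51.100.2, Session disconnected. Session Type: LAN-to-LAN, Duration: 1h:02m:47s, Bytes xmt: 227326, Bytes rcv: 284076, Reason: Internal Error
Sep 18 2019 03:54:01: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = CRYPTO-MAP. Map Sequence Number = 1.
Sep 22 2019 06:44:39: %ASA-5-750007: Local:192.0.2.1:500 Remote:198.51.100.2:500 Username:198.51.100.2 IKEv2 SA DOWN. Reason: unknown
Sep 22 2019 06:44:39: %ASA-4-113019: Group = 198.51.100.2, Username = 198.51.100.2, IP = 198.51.100.2, Session disconnected. Session Type: LAN-to-LAN, Duration: 1h:02m:47s, Bytes xmt: 205355, Bytes rcv: 287237, Reason: Internal Error
Sep 22 2019 06:45:02: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = CRYPTO-MAP. Map Sequence Number = 1.
"""

LINE = re.compile(r"^(\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(\d)-(\d{6}): (.*)$")
# The optional "Nd " day prefix on Duration is an assumption for longer sessions.
DISC = re.compile(r"IP = (\S+), Session disconnected\. Session Type: ([^,]+), "
                  r"Duration: (?:(\d+)d )?(\d+)h:(\d+)m:(\d+)s,.*Reason: (.+)$")

def summarize(text):
    """Return drops per peer, counts per (duration_seconds, reason), and regain gaps."""
    drops, by_key, regain, pending = Counter(), Counter(), [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not an ASA syslog line
        ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
        msg_id, body = m.group(3), m.group(4)
        if msg_id == "750007" and "IKEv2 SA DOWN" in body:
            pending = ts  # remember when the SA went down
        elif msg_id == "113019" and (d := DISC.search(body)):
            days, h, mi, s = (int(x or 0) for x in d.group(3, 4, 5, 6))
            secs = ((days * 24 + h) * 60 + mi) * 60 + s
            drops[d.group(1)] += 1
            by_key[(secs, d.group(7))] += 1
        elif msg_id == "752003" and pending:
            # Seconds from SA DOWN to the next KEY_ACQUIRE dispatch
            regain.append(int((ts - pending).total_seconds()))
            pending = None
    return {"drops": dict(drops), "duration_reason": dict(by_key), "regain": regain}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run over a full syslog export, the `duration_reason` counts show whether sessions end after the same lifetime each time or at scattered intervals.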
09-23-2019 07:46 AM
In my experience, debugging is the best next step at this point.
It can be challenging to analyze without support but we can try. Level 7 debugs typically suffice.
debug crypto condition peer <address of your peer gateway>
debug crypto ike-common 7
debug crypto ipsec 7
Make sure you are capturing debug output in your terminal (i.e., log your terminal output to a file), save and post it for analysis.
09-18-2019 08:32 PM
If you're experiencing network or system down issues you should open a TAC case.
09-18-2019 10:51 PM
Hi
Since this is a refurbished device there is no service contract.
Any help is appreciated.
Thanks