Sep 18 2019 03:53:36: %ASA-5-750007: Local:x.x.x.x:500 Remote:x.x.x.x:500 Username:x.x.x.x IKEv2 SA DOWN. Reason: unknown
Sep 18 2019 03:53:36: %ASA-4-113019: Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: LAN-to-LAN, Duration: 1h:02m:47s, Bytes xmt: 227326, Bytes rcv: 284076, Reason: Internal Error
Sep 18 2019 03:54:01: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = CRYPTO-MAP. Map Sequence Number = 1.
Between Sept 1 and Sept 18 this error has appeared 135 times and the VPN tunnel has reestablished back in a few seconds.
Cisco Adaptive Security Appliance Software Version 9.8(2)
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(2)
Compiled on Sun 27-Aug-17 13:06 PDT by builders
System image file is "disk0:/asa982-lfbff-k8.SPA"
Config file at boot was "startup-config"
NC-ASA up 195 days 23 hours
Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB
Please help ASAP. The site is facing many issues because of this.
The other side is an ASA 5506 too, running 9.6.1.
And since this happens at random times, I haven't run any platform or protocol debugs yet.
Which debug do you suggest? And is there any bug? Please help.
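Before collecting debugs, it helps to quantify the flaps from the syslog already at hand. The script below is an added example written for this thread, not Cisco code and not from the original post: it parses the three message IDs quoted above (750007 IKEv2 SA DOWN, 113019 session disconnected, 752003 Tunnel Manager KEY_ACQUIRE), counts SA DOWN events and reasons per peer, records the reported session durations, and measures the time from SA DOWN to the next KEY_ACQUIRE (how quickly the ASA starts rebuilding). The sample lines are constructed from the excerpt with RFC 5737 placeholder addresses; the second flap is invented so the correlation has two events to work with. Near-identical session durations across many flaps are the thing to look for: that pattern points at a timer (such as an SA lifetime) rather than random path loss, which narrows the debugging.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, modelled on the excerpt in the thread (hypothetical
# RFC 5737 addresses; the second flap is invented to give the parser a pair).
SAMPLE_LOG = """\
Sep 18 2019 03:53:36: %ASA-5-750007: Local:192.0.2.1:500 Remote:198.51.100.1:500 Username:198.51.100.1 IKEv2 SA DOWN. Reason: unknown
Sep 18 2019 03:53:36: %ASA-4-113019: Group = 198.51.100.1, Username = 198.51.100.1, IP = 198.51.100.1, Session disconnected. Session Type: LAN-to-LAN, Duration: 1h:02m:47s, Bytes xmt: 227326, Bytes rcv: 284076, Reason: Internal Error
Sep 18 2019 03:54:01: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = CRYPTO-MAP. Map Sequence Number = 1.
Sep 18 2019 04:57:10: %ASA-5-750007: Local:192.0.2.1:500 Remote:198.51.100.1:500 Username:198.51.100.1 IKEv2 SA DOWN. Reason: unknown
Sep 18 2019 04:57:10: %ASA-4-113019: Group = 198.51.100.1, Username = 198.51.100.1, IP = 198.51.100.1, Session disconnected. Session Type: LAN-to-LAN, Duration: 1h:02m:58s, Bytes xmt: 205355, Bytes rcv: 287237, Reason: Internal Error
Sep 18 2019 04:57:33: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = CRYPTO-MAP. Map Sequence Number = 1.
"""

# "Mon DD YYYY HH:MM:SS: %ASA-<severity>-<msgid>: <body>"
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
REMOTE = re.compile(r"Remote:(?P<peer>\d+\.\d+\.\d+\.\d+):\d+")
GROUP = re.compile(r"Group = (?P<group>\d+\.\d+\.\d+\.\d+)")
DURATION = re.compile(r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s")
REASON = re.compile(r"Reason: (?P<reason>.+?)\s*$")


def parse_line(line):
    """Split one ASA syslog line into timestamp, severity, message id, body and
    the fields this analysis needs. Returns None for non-ASA lines."""
    m = HEADER.match(line)
    if not m:
        return None
    ev = {
        "ts": datetime.strptime(re.sub(r" +", " ", m["ts"]), "%b %d %Y %H:%M:%S"),
        "sev": int(m["sev"]),
        "msgid": m["msgid"],
        "body": m["body"],
    }
    for rx in (REMOTE, GROUP, REASON):
        hit = rx.search(ev["body"])
        if hit:
            ev.update(hit.groupdict())
    d = DURATION.search(ev["body"])
    if d:
        ev["duration_s"] = int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"])
    return ev


def summarize_flaps(lines):
    """Correlate 750007 (IKEv2 SA DOWN), 113019 (session disconnected) and
    752003 (Tunnel Manager KEY_ACQUIRE) per remote peer."""
    per_peer = defaultdict(lambda: {
        "sa_down": 0, "sa_down_reasons": Counter(), "disconnect_reasons": Counter(),
        "durations_s": [], "rebuild_gaps_s": [],
    })
    awaiting_rebuild = {}  # peer -> timestamp of the last SA DOWN not yet followed by KEY_ACQUIRE
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["msgid"] == "750007" and "peer" in ev:
            p = per_peer[ev["peer"]]
            p["sa_down"] += 1
            p["sa_down_reasons"][ev.get("reason", "?")] += 1
            awaiting_rebuild[ev["peer"]] = ev["ts"]
        elif ev["msgid"] == "113019" and "group" in ev:
            p = per_peer[ev["group"]]
            p["disconnect_reasons"][ev.get("reason", "?")] += 1
            if "duration_s" in ev:
                p["durations_s"].append(ev["duration_s"])
        elif ev["msgid"] == "752003":
            # KEY_ACQUIRE names the crypto map, not the peer, so attribute it to
            # every peer whose SA is still down (one peer in a single-tunnel log).
            for peer, t_down in list(awaiting_rebuild.items()):
                per_peer[peer]["rebuild_gaps_s"].append((ev["ts"] - t_down).total_seconds())
                del awaiting_rebuild[peer]
    return {peer: dict(stats) for peer, stats in per_peer.items()}


def looks_timer_driven(durations_s, tolerance_s=60):
    """Near-identical session durations across flaps point at a timer
    (for example an SA lifetime) rather than at random path loss."""
    return len(durations_s) >= 2 and max(durations_s) - min(durations_s) <= tolerance_s


if __name__ == "__main__":
    for peer, s in summarize_flaps(SAMPLE_LOG.splitlines()).items():
        print(peer, s["sa_down"], "flaps;", dict(s["sa_down_reasons"]), dict(s["disconnect_reasons"]))
        print("  session durations (s):", s["durations_s"], "timer-like:", looks_timer_driven(s["durations_s"]))
        print("  SA DOWN -> KEY_ACQUIRE (s):", s["rebuild_gaps_s"])
```

Run it against the real syslog export (one line per message, `summarize_flaps(open("asa.log").readlines())`) and compare the durations list with the configured IKEv2 and IPsec SA lifetimes on both ends; flaps that always land on the same duration are a different problem from flaps scattered through the day, and the peer-scoped `debug crypto` output suggested later in the thread will read differently in each case.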
Can you provide (as attachment) the "show tech" output from both ASAs (i.e. both ends of the VPN)?
The issue is, the VPN tunnel keeps going down at NC-ASA (Local:126.96.36.199:500 Remote:188.8.131.52:500).
I have changed sensitive information like IP addresses and hostnames.
Your syr-asa has:
crypto map CRYPTO-MAP 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
A matching ikev1 transform set definition is missing on nc-asa. You should have the same transform sets on both, so add it on the nc-asa side.
Sure, I will do that and check. Just to understand: we use IKEv2 on the tunnel in question, so is it still going to be a problem? The tunnel keeps breaking down and it forms back in a few seconds.
I am still a beginner in security, so please don't mind me asking silly questions.
Even after adding the transform sets, the issue is occurring every day (at least 15-20 times).
Sep 22 2019 06:44:39: %ASA-5-750007: Local:184.108.40.206:500 Remote:220.127.116.11:500 Username:18.104.22.168 IKEv2 SA DOWN. Reason: unknown
Sep 22 2019 06:44:39: %ASA-4-113019: Group = 22.214.171.124, Username = 126.96.36.199, IP = 188.8.131.52, Session disconnected. Session Type: LAN-to-LAN, Duration: 1h:02m:47s, Bytes xmt: 205355, Bytes rcv: 287237, Reason: Internal Error
Please suggest.
In my experience, debugging is the best next step at this point.
It can be challenging to analyze without support but we can try. Level 7 debugs typically suffice.
debug crypto condition peer <address of your peer gateway>
debug crypto ike-common 7
debug crypto ipsec 7
Make sure you are capturing the debug output in your terminal (i.e. log your terminal output to a file), then save and post it for analysis.
If you're experiencing network or system down issues you should open a TAC case.
Since this is a refurbished device there is no service contract.
Any help is appreciated.