4G VPN tunnel fails with constant IN-NEG

i.hughes
Level 1

We have multiple sites running 4G dynamic VPNs from 897 routers to an ASA 5525x FW. Occasionally some sites get into a state where the tunnel fails, and when we do a "sh crypto ikev2 sa" you see multiple IN-NEG messages as below.

The only way we can fix this is to shut the cellular interface down for a few minutes; when it is brought back up, the tunnel re-establishes OK.

Is there a fix for this problem?


Tunnel-id Local                 Remote                fvrf/ivrf            Status
4         10.98.75.43/4500      xx.xx.xx.xx/4500     none/none            IN-NEG
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:20, Auth sign: PSK, Auth verify: Unknown - 0
      Life/Active Time: 86400/0 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
3         10.98.75.43/4500      xx.xx.xx.xx/4500     none/none            IN-NEG
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:20, Auth sign: PSK, Auth verify: Unknown - 0
      Life/Active Time: 86400/0 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.98.75.43/4500      xx.xx.xx.xx/4500     none/none            IN-NEG
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:20, Auth sign: PSK, Auth verify: Unknown - 0
      Life/Active Time: 86400/0 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
6         10.98.75.43/4500     xx.xx.xx.xx/4500     none/none            IN-NEG
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:20, Auth sign: PSK, Auth verify: Unknown - 0
      Life/Active Time: 86400/0 sec
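As an added example (not code from the original post), a small parser for the "show crypto ikev2 sa" output shape quoted above, which flags peers that have several IN-NEG SAs with zero active time and no READY SA, the stuck condition the post resolves by bouncing the cellular interface. The sample output and the 203.0.113.x peer addresses are constructed; the READY status string and the min_in_neg threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the post's "show crypto ikev2 sa" output,
# with one healthy READY SA added so the check has something to distinguish.
SAMPLE_OUTPUT = """\
Tunnel-id Local                 Remote                fvrf/ivrf            Status
4         10.98.75.43/4500      203.0.113.10/4500     none/none            IN-NEG
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:20, Auth sign: PSK, Auth verify: Unknown - 0
      Life/Active Time: 86400/0 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
3         10.98.75.43/4500      203.0.113.10/4500     none/none            IN-NEG
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:20, Auth sign: PSK, Auth verify: Unknown - 0
      Life/Active Time: 86400/0 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
7         10.98.75.43/4500      203.0.113.20/4500     none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:20, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1234 sec
"""
# SA header row: tunnel id, local addr/port, remote addr/port, fvrf/ivrf, status
SA_RE = re.compile(r"^(?P<tid>\d+)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<vrf>\S+)\s+(?P<status>\S+)\s*$")
LIFE_RE = re.compile(r"Life/Active Time:\s*(?P<life>\d+)/(?P<active>\d+)\s*sec")

def parse_ikev2_sa(text):
    """Return one dict per SA (tunnel id, remote peer, status, active seconds)."""
    sas = []
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            sas.append({"tunnel_id": int(m["tid"]), "remote": m["remote"],
                        "status": m["status"], "active": None})
            continue
        m = LIFE_RE.search(line)
        if m and sas:  # the Life/Active line belongs to the SA parsed just before it
            sas[-1]["active"] = int(m["active"])
    return sas

def stuck_peers(sas, min_in_neg=2):
    """Peers with >= min_in_neg IN-NEG SAs at 0 s active and no READY SA: reset candidates."""
    by_peer = defaultdict(list)
    for sa in sas:
        by_peer[sa["remote"].rsplit("/", 1)[0]].append(sa)  # strip the /port suffix
    stuck = {}
    for peer, entries in by_peer.items():
        in_neg = [s for s in entries if s["status"] == "IN-NEG" and s["active"] == 0]
        if len(in_neg) >= min_in_neg and not any(s["status"] == "READY" for s in entries):
            stuck[peer] = sorted(s["tunnel_id"] for s in in_neg)
    return stuck
```

Run it against live output collected from the hub and the result is a per-peer list of stale tunnel ids, which is a more reliable trigger for an automated reset than a single SLA track.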


Hi,
Do you have DPD (Dead Peer Detection) configured? E.g. "dpd 10 2 on-demand"

Yes, we have:

crypto ikev2 dpd 20 5 periodic
crypto ikev2 window 10

Is that configured globally or under the IKEv2 profile?
Can you provide the output of "debug crypto ikev2" from the hub and spoke routers?

The DPD is global.

I have done an EEM script as below that tracks an SLA across the VPN, so if the track state goes down, the crypto map gets removed from the cellular interface, it waits 4 minutes, then puts it back in. When I have done this manually it works; I am just waiting for the next occurrence to see if the script works OK.

! Fires when track 3 (the SLA across the VPN) goes down: pull the crypto map
! off the cellular interface, then register a one-shot applet that restores it.
event manager applet 4G-reset
 event track 3 state down
 action 001 cli command "enable"
 action 002 cli command "config t"
 action 003 cli command "interface cell 0"
 ! no $q here: the map name carries no spaces, and a stray $q would emit a literal quote
 action 004 cli command "no crypto map XXXX"
 action 006 cli command "exit"
 ! build the countdown applet; $q expands to a double quote so the nested
 ! commands that contain spaces are quoted correctly in the generated applet
 action 007 cli command "event manager applet track-timer"
 action 008 cli command "event timer countdown time 240"
 action 009 cli command "action 1.0 cli command enable"
 action 010 cli command "action 2.0 cli command $q config t$q"
 action 011 cli command "action 3.0 cli command $q int cell0$q"
 action 012 cli command "action 4.0 cli command $q crypto map XXXX$q"
 ! the timer applet removes itself after re-applying the map
 action 014 cli command "action 6.0 cli command $q no event manager applet track-timer$q"
 action 015 cli command "action 7.0 cli command end"
 action 016 cli command "end"