ASA to ASA ipsec problem after wan drop

erik bakke
Level 1

Hi all!

We have a 5525-X at the DC and a lot of IPsec tunnels to other ASAs (5505, 5506-X and 5516-X).

If the WAN connection to the 5525-X drops for a few ms, the IPsec tunnels stop passing traffic. Often we see one-way traffic or no traffic at all, and we need to log out the IPsec tunnel and re-establish the tunnels again.

This is a big issue for us.

Does anyone have any solutions? Are there any configuration settings we need to have?

I have read about "sysopt connection preserve-vpn-flows" (preserve stateful VPN flows when the tunnel drops). Is it a good idea to enable this?

Very happy for all the help I can get :)

 

5 Replies

Shakti Kumar
Cisco Employee

Hi Erik,

Have you implemented an IKEv2 or an IKEv1 tunnel?

Is the issue seen with both of them?

Both; most tunnels are IKEv2.

Hi Erik,

I have often seen this issue very specifically with IKEv2-based tunnels during a link failure on either of the sides, because of

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva84635/?reffering_site=dumpcr

Can you collect the logs during the outage for one of the tunnels and send them to shaktiku@cisco.com?

Hi!

Yes, I will :) Which command do you want output from?

We are running 9.8.1; is that release affected as well?

 

Hi Erik,

Yes, 9.8.1 has this problem; it isn't a code problem.

The outputs I need are:

1.) Run a conditional debug for a peer

debug crypto condition peer <ip address of the ikev2 peer>

2.) Enable the debugs

debug crypto ikev2 protocol 127

debug crypto ikev2 platform 127

debug crypto ipsec 127

Please make sure to check the health of the device before executing the debug commands.

When sending out the logs, please include "supportforum" in the subject.

Thanks,

Shakti