Hi guys,
I am having a strange issue....I really hope that you can help me with...
We have a site-to-site tunnel with out BGP running up against Azure.... It works no issue here, but after 10-11 days the connections drops... I can see that the tunnel are trying to be established when the tunnel goes down, IKEv2 is there but IPSEC dont come up, and therefor traffic will not go through.
This is what I can see in the log:
7|Aug 09 2019|22:27:23|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
6|Aug 09 2019|22:27:21|602303|||||IPSEC: An inbound LAN-to-LAN SA (SPI= 0x59025CE7) between XXXXXXX and XXXXXXX (user= XXXXXXX) has been created.
6|Aug 09 2019|22:27:21|602303|||||IPSEC: An outbound LAN-to-LAN SA (SPI= 0x5825BDF6) between XXXXXXX and XXXXXXX (user= XXXXXXX) has been created.
6|Aug 09 2019|22:27:21|113009|||||AAA retrieved default group policy (GroupPolicy_Azure) for user = XXXXXXX
5|Aug 09 2019|22:27:21|750006|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 SA UP. Reason: New Connection Established
7|Aug 09 2019|22:27:21|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
7|Aug 09 2019|22:27:21|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
7|Aug 09 2019|22:27:21|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
5|Aug 09 2019|22:27:21|750001|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.6.164.206-10.6.164.206 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.0.1-172.16.0.1 Protocol: 0 Port Range: 0-65535
4|Aug 09 2019|22:27:11|113019|||||Group = XXXXXXX, Username = XXXXXXX, IP = XXXXXXX, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:07s, Bytes xmt: 0, Bytes rcv: 0, Reason: Administrator Reset
5|Aug 09 2019|22:27:09|750001|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.6.164.206-10.6.164.206 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.0.1-172.16.0.1 Protocol: 0 Port Range: 0-65535
6|Aug 09 2019|22:27:04|113009|||||AAA retrieved default group policy (GroupPolicy_Azure) for user = XXXXXXX
7|Aug 09 2019|22:27:04|609001|XXXXXXX||||Built local-host outside:XXXXXXX
5|Aug 09 2019|22:27:04|750006|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 SA UP. Reason: New Connection Established
7|Aug 09 2019|22:27:04|609002|XXXXXXX||||Teardown local-host outside:XXXXXXX duration 0:00:20
4|Aug 09 2019|22:27:04|113019|||||Group = XXXXXXX, Username = XXXXXXX, IP = XXXXXXX, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:20s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Reconnected
4|Aug 09 2019|22:27:04|750014|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 Session Aborted. Reason: Initial contact received for Local ID: XXXXXXX, Remote ID: XXXXXXX from remote peer: XXXXXXX:500 to XXXXXXX:500
3|Aug 09 2019|22:27:04|751022|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 0.0.0.0/255.255.255.255/0/65535/0 local traffic selector 0.0.0.0/255.255.255.255/0/65535/0!
7|Aug 09 2019|22:27:04|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
5|Aug 09 2019|22:27:04|750002|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received a IKE_INIT_SA request
7|Aug 09 2019|22:27:04|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
5|Aug 09 2019|22:26:56|750001|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.6.164.206-10.6.164.206 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.0.1-172.16.0.1 Protocol: 0 Port Range: 0-65535
6|Aug 09 2019|22:26:44|113009|||||AAA retrieved default group policy (GroupPolicy_Azure) for user = XXXXXXX
7|Aug 09 2019|22:26:44|609001|XXXXXXX||||Built local-host outside:XXXXXXX
5|Aug 09 2019|22:26:44|750006|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 SA UP. Reason: New Connection Established
7|Aug 09 2019|22:26:44|609002|XXXXXXX||||Teardown local-host outside:XXXXXXX duration 0:00:20
4|Aug 09 2019|22:26:44|113019|||||Group = XXXXXXX, Username = XXXXXXX, IP = XXXXXXX, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:20s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Reconnected
4|Aug 09 2019|22:26:44|750014|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 Session Aborted. Reason: Initial contact received for Local ID: XXXXXXX, Remote ID: XXXXXXX from remote peer: XXXXXXX:500 to XXXXXXX:500
3|Aug 09 2019|22:26:44|751022|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 0.0.0.0/255.255.255.255/0/65535/0 local traffic selector 0.0.0.0/255.255.255.255/0/65535/0!
7|Aug 09 2019|22:26:44|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
5|Aug 09 2019|22:26:44|750002|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received a IKE_INIT_SA request
7|Aug 09 2019|22:26:44|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
5|Aug 09 2019|22:26:43|750001|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.5.0.148-10.5.0.148 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.0.4-172.16.0.4 Protocol: 0 Port Range: 0-65535
5|Aug 09 2019|22:26:32|750001|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.6.164.206-10.6.164.206 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.0.1-172.16.0.1 Protocol: 0 Port Range: 0-65535
6|Aug 09 2019|22:26:24|113009|||||AAA retrieved default group policy (GroupPolicy_Azure) for user = XXXXXXX
7|Aug 09 2019|22:26:24|609001|XXXXXXX||||Built local-host outside:XXXXXXX
5|Aug 09 2019|22:26:24|750006|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 SA UP. Reason: New Connection Established
7|Aug 09 2019|22:26:24|609002|XXXXXXX||||Teardown local-host outside:XXXXXXX duration 0:00:20
4|Aug 09 2019|22:26:24|113019|||||Group = XXXXXXX, Username = XXXXXXX, IP = XXXXXXX, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:20s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Reconnected
4|Aug 09 2019|22:26:24|750014|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 Session Aborted. Reason: Initial contact received for Local ID: XXXXXXX, Remote ID: XXXXXXX from remote peer: XXXXXXX:500 to XXXXXXX:500
3|Aug 09 2019|22:26:24|751022|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 0.0.0.0/255.255.255.255/0/65535/0 local traffic selector 0.0.0.0/255.255.255.255/0/65535/0!
7|Aug 09 2019|22:26:24|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
5|Aug 09 2019|22:26:24|750002|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received a IKE_INIT_SA request
7|Aug 09 2019|22:26:24|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
5|Aug 09 2019|22:26:20|750001|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.6.164.206-10.6.164.206 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.0.1-172.16.0.1 Protocol: 0 Port Range: 0-65535
5|Aug 09 2019|22:26:08|750001|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.6.164.206-10.6.164.206 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.0.1-172.16.0.1 Protocol: 0 Port Range: 0-65535
6|Aug 09 2019|22:26:04|113009|||||AAA retrieved default group policy (GroupPolicy_Azure) for user = XXXXXXX
7|Aug 09 2019|22:26:04|609001|XXXXXXX||||Built local-host outside:XXXXXXX
5|Aug 09 2019|22:26:04|750006|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 SA UP. Reason: New Connection Established
7|Aug 09 2019|22:26:04|609002|XXXXXXX||||Teardown local-host outside:XXXXXXX duration 0:00:20
4|Aug 09 2019|22:26:04|113019|||||Group = XXXXXXX, Username = XXXXXXX, IP = XXXXXXX, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:20s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Reconnected
4|Aug 09 2019|22:26:04|750014|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 Session Aborted. Reason: Initial contact received for Local ID: XXXXXXX, Remote ID: XXXXXXX from remote peer: XXXXXXX:500 to XXXXXXX:500
3|Aug 09 2019|22:26:04|751022|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 0.0.0.0/255.255.255.255/0/65535/0 local traffic selector 0.0.0.0/255.255.255.255/0/65535/0!
7|Aug 09 2019|22:26:04|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
5|Aug 09 2019|22:26:04|750002|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received a IKE_INIT_SA request
7|Aug 09 2019|22:26:04|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
5|Aug 09 2019|22:25:56|750001|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.6.164.206-10.6.164.206 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.0.1-172.16.0.1 Protocol: 0 Port Range: 0-65535
5|Aug 09 2019|22:25:44|750001|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.6.164.206-10.6.164.206 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.0.1-172.16.0.1 Protocol: 0 Port Range: 0-65535
6|Aug 09 2019|22:25:44|113009|||||AAA retrieved default group policy (GroupPolicy_Azure) for user = XXXXXXX
7|Aug 09 2019|22:25:44|609001|XXXXXXX||||Built local-host outside:XXXXXXX
5|Aug 09 2019|22:25:44|750006|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 SA UP. Reason: New Connection Established
7|Aug 09 2019|22:25:44|609002|XXXXXXX||||Teardown local-host outside:XXXXXXX duration 0:00:18
4|Aug 09 2019|22:25:44|113019|||||Group = XXXXXXX, Username = XXXXXXX, IP = XXXXXXX, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:19s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Reconnected
4|Aug 09 2019|22:25:44|750014|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 Session Aborted. Reason: Initial contact received for Local ID: XXXXXXX, Remote ID: XXXXXXX from remote peer: XXXXXXX:500 to XXXXXXX:500
3|Aug 09 2019|22:25:44|751022|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 0.0.0.0/255.255.255.255/0/65535/0 local traffic selector 0.0.0.0/255.255.255.255/0/65535/0!
7|Aug 09 2019|22:25:44|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
5|Aug 09 2019|22:25:44|750002|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received a IKE_INIT_SA request
7|Aug 09 2019|22:25:44|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
When login to my ASA through ASDM I log the connection out, then the connecting are been reestablished, and are working again.
I have used the configuration from the Azure (or have taking the function out that we needed)
What can I do here?? And what else do you need of info. :)
Frank
