Hello,

Thank you for your answer

ASA-FW-5516# show running-config all group-policy x.x.x.x
group-policy x.x.x.x internal
group-policy x.x.x.x attributes
vpn-tunnel-protocol ikev2
no vpn-simultaneous-login-delete-no-delay

configuration for group-policy is same for both side.

Other side have IP phones which make communication with IP central all time through tunnel. I think that there is always some traffic through tunnel.

one more thanks 

Hello, 

I added your configuration, and I will follow state. I will notify  you.

Thank you very much for your help.

@faruk.zaimovic this is a route based VPN using VTI's, so you don't need interesting traffic for the tunnel to establish or to rekey, unlike a policy based VPN.

You say the issue is "Sometimes that IPSec tunnel stopped working and I have to make shut and no shut tunnel interface to solve that tunnel work again" - how often is sometimes? Every 12, 24 hours or once a week?

Prior to shut/no shutdown the interface, have you run a debug of ikev2/ipsec?

When there is no communication over the VPN, what is the state of "show crypto ikev2 sa" and "show crypto ipsec sa" of both ASA?

What ASA software version are you using, have you checked for a bug?

Hello,

Thank you for your help.

It is happened at least one time in 24 hours.  show crypto isakmp sa show that tunnel is active. 

ASA sofwear version is 9-16-3-23 , i made upgrade on that version. Previous version was 9-16-2-14. I had same problem on both version. 

I added conf from previous post.

group-policy x.x.x.x internal
group-policy x.x.x.x attributes
  vpn-tunnel-protocol ikev2
  no vpn-simultaneous-login-delete-no-delay  
  vpn-idle-timeout none
!
crypto ipsec profile IPSEC_PROFILE
 set ikev2 ipsec-proposal TSET
 set pfs group14
 set security-association lifetime seconds 86400

and I will follow state. 

Thank you for your help.

@faruk.zaimovic when traffic is not passing but you see the tunnel is up "show crypto isakmp sa".

could you setup the capture on your firewall and also get the debug if the given work around does not work. as it stand this is strange issue the tunnel never goes down but it also do not passing the traffic.

as mentioned by @Rob Ingram you can setup the debug to check whats going on. but having said that you already said the tunnel stay always up in that case you wont be see the debug (the one we wanted to see why this strange behavior happening).

did this tunnel ever work stable prior to going 9.16?

just adding on this the tunnel goes down every 24 hours. does the same configuration are applied on both boxes (asa firewalls). I am thinking it could the phase2 and rekey tear the tunnel down. but again I have not see the route based tunnel goes down ever. but yes policy based does where there is no traffic passing by.

. Hello,

Thanks for help and answer. Both cisco ASA device hasn't had same version, but I made upgrade and now both devices have same version 9.16. I expect that tomorrow happen same situation, and I will make debug and try to see what happen. I will share here my outputs. 

@faruk.zaimovic does it always happen every 24 hours? this would indicate a rekey issue, but if it happens infrequently (a couple of times a week), then it might be another issue.

If/when it happens again and before you take any action to resolve - make sure you check "show crypto ikev2 sa" and "show crypto ipsec sa" on both ASA, and provide the output of both ASA so we can see. Run ikev2 and ipsec debugs, provide the output.

Hello Rob, 

When I added conf which provide me  Sheraz.Salim , tunnel is up more than 24 hours. I think that solve my problem. I will continue follow state. If there some change I will write here. 

Thanks all for help.

@faruk.zaimovic that's why I was curious to know whether the tunnels stops at regular intervals or randomly. If after 5 days the issue appears to be random

Unfortunately without seeing the output and the debugs it's going to be hard to determine the issue. I recommend logging a TAC call.