
Determining Tunnel States With Syslogs

WildMan365
Level 1

I am trying to find a way to know if my IPsec tunnel went down at any given point in the last month. I have my logs set to store for 90 days no matter how big the log file gets. Can someone help me determine tunnel states historically? I have examples, but I'm not sure if these logs are saying that my tunnel is actually going down, or if the "connection terminated" message below is normal and phase 1 is simply rekeying. If the below is normal behavior, could someone tell me what they would expect to see in a log if the tunnel went down for any reason?

See below...

asa-20180305.gz:Mar  4 01:13:24 192.168.210.20 %ASA-5-713050: Group = 1.1.1.1, IP = 1.1.1.1, Connection terminated for peer 1.1.1.1.  Reason: IPSec SA Idle Timeout  Remote Proxy 192.168.105.0, Local Proxy 0.0.0.0
asa-20180305.gz:Mar  4 01:13:24 192.168.210.20 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xA9744E49) between 2.2.2.2 and 1.1.1.1 (user= 1.1.1.1) has been deleted.
asa-20180305.gz:Mar  4 01:13:24 192.168.210.20 %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x515BEA40) between 1.1.1.1 and 2.2.2.2 (user= 1.1.1.1) has been deleted.
asa-20180305.gz:Mar  4 01:13:29 192.168.210.20 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x743A157A) between 2.2.2.2 and 1.1.1.1 (user= 1.1.1.1) has been deleted.
asa-20180305.gz:Mar  4 01:13:29 192.168.210.20 %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x035B5B9B) between 1.1.1.1 and 2.2.2.2 (user= 1.1.1.1) has been deleted.
asa-20180305.gz:Mar  4 01:14:10 192.168.210.20 %ASA-5-713041: Group = 1.1.1.1, IP = 1.1.1.1, IKE Initiator: New Phase 2, Intf outside, IKE Peer 1.1.1.1 local Proxy Address 0.0.0.0, remote Proxy Address 192.168.105.0,  Crypto map (outside_map)
asa-20180305.gz:Mar  4 01:14:10 192.168.210.20 %ASA-5-713073: Group = 1.1.1.1, IP = 1.1.1.1, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
asa-20180305.gz:Mar  4 01:14:10 192.168.210.20 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x86011ECF) between 2.2.2.2 and 1.1.1.1 (user= 1.1.1.1) has been created.
asa-20180305.gz:Mar  4 01:14:10 192.168.210.20 %ASA-5-713049: Group = 1.1.1.1, IP = 1.1.1.1, Security negotiation complete for LAN-to-LAN Group (1.1.1.1)  Initiator, Inbound SPI = 0xe205e5aa, Outbound SPI = 0x86011ecf
asa-20180305.gz:Mar  4 01:14:10 192.168.210.20 %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xE205E5AA) between 2.2.2.2 and 1.1.1.1 (user= 1.1.1.1) has been created.
asa-20180305.gz:Mar  4 01:14:10 192.168.210.20 %ASA-5-713120: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 2 COMPLETED (msgid=3e1f6c99)


5 Replies

"has been deleted." This means that the tunnel went down at this time.

So is this normal? I know that technically, when a tunnel rekeys phase 1, there can be a delay from an end-user application perspective due to rekeying (e.g. an RDP session hangs for a second or two). Is that what's happening in this case? When I hear the tunnel is down, I immediately assume there are serious problems.

No. Rekeying won't cause the tunnel to go down; it rekeys before the timer expires. Down means that your tunnel is flapping. RDP shouldn't hang during rekeying.

What would you say is the cause of the tunnel going down in these logs?

Accepted solution:

The best way to judge is to run debug crypto on both sides, but usually this happens if you have a timer mismatch in the IPsec SA.
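A worked example, added here and not part of the thread, that does over a syslog export what the original question asks for and what the accepted reply hints at: it pulls out the 713050 teardowns with their Reason field, the 602303/602304 SA create/delete pairs, the 713120 phase 2 completions and the 713073 lifetime change, then classifies each teardown. On the excerpt in the question it shows two things. The 713050 reason is "IPSec SA Idle Timeout", which is the ASA removing an SA that carried no traffic for the length of the idle timer, not a peer that stopped answering, so "has been deleted" on its own is not evidence of a failure. And the 713073 line records the responder pushing the phase 2 lifetime from the proposed 28800 s down to 3600 s, which is the timer mismatch the accepted reply refers to. A genuine outage would typically show a different reason on 713050 followed by no 713120 for that peer for a long time. Assumptions: the year 2018 (ASA syslog carries none; taken from the file name asa-20180305.gz in the post), the second and third events in the sample are constructed, "Peer Terminate" in them is an illustrative reason string, and the 300 second flap threshold is arbitrary.

```python
"""Classify IPsec teardowns in Cisco ASA syslog. Added example, not code from the thread;
keys only on IDs visible in the post: 713050, 602303/602304, 713073, 713120."""
import re
from datetime import datetime

# Event 1 is the OP's own excerpt (grep prefix dropped). Events 2 and 3 are CONSTRUCTED: a
# teardown rebuilt within seconds, and one not rebuilt for half an hour ("Peer Terminate" is illustrative).
SAMPLE_LOG = """\
Mar  4 01:13:24 192.168.210.20 %ASA-5-713050: Group = 1.1.1.1, IP = 1.1.1.1, Connection terminated for peer 1.1.1.1.  Reason: IPSec SA Idle Timeout  Remote Proxy 192.168.105.0, Local Proxy 0.0.0.0
Mar  4 01:13:24 192.168.210.20 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xA9744E49) between 2.2.2.2 and 1.1.1.1 (user= 1.1.1.1) has been deleted.
Mar  4 01:13:24 192.168.210.20 %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x515BEA40) between 1.1.1.1 and 2.2.2.2 (user= 1.1.1.1) has been deleted.
Mar  4 01:14:10 192.168.210.20 %ASA-5-713073: Group = 1.1.1.1, IP = 1.1.1.1, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
Mar  4 01:14:10 192.168.210.20 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x86011ECF) between 2.2.2.2 and 1.1.1.1 (user= 1.1.1.1) has been created.
Mar  4 01:14:10 192.168.210.20 %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xE205E5AA) between 2.2.2.2 and 1.1.1.1 (user= 1.1.1.1) has been created.
Mar  4 01:14:10 192.168.210.20 %ASA-5-713120: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 2 COMPLETED (msgid=3e1f6c99)
Mar  4 02:30:05 192.168.210.20 %ASA-5-713050: Group = 1.1.1.1, IP = 1.1.1.1, Connection terminated for peer 1.1.1.1.  Reason: Peer Terminate  Remote Proxy 192.168.105.0, Local Proxy 0.0.0.0
Mar  4 02:30:05 192.168.210.20 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x86011ECF) between 2.2.2.2 and 1.1.1.1 (user= 1.1.1.1) has been deleted.
Mar  4 02:30:05 192.168.210.20 %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xE205E5AA) between 1.1.1.1 and 2.2.2.2 (user= 1.1.1.1) has been deleted.
Mar  4 02:30:19 192.168.210.20 %ASA-5-713120: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 2 COMPLETED (msgid=11111111)
Mar  4 03:02:15 192.168.210.20 %ASA-5-713050: Group = 1.1.1.1, IP = 1.1.1.1, Connection terminated for peer 1.1.1.1.  Reason: Peer Terminate  Remote Proxy 192.168.105.0, Local Proxy 0.0.0.0
Mar  4 03:31:02 192.168.210.20 %ASA-5-713120: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 2 COMPLETED (msgid=22222222)
"""

SYSLOG_RE = re.compile(  # tolerates the "file.gz:" prefix that grep adds, as in the post
    r"^(?:[\w.-]+\.gz:)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ %ASA-\d-(?P<id>\d{6}): (?P<body>.*)$")
PEER_RE = re.compile(r"\bIP = (\d+\.\d+\.\d+\.\d+)")
REASON_RE = re.compile(r"Reason: (.+?)\s+Remote Proxy")
SA_RE = re.compile(r"An (?:inbound|outbound) LAN-to-LAN SA \(SPI= (0x[0-9A-Fa-f]+)\) .*\(user= (\S+)\)")
LIFETIME_RE = re.compile(r"from (\d+) to (\d+) seconds")
IDLE_REASONS = {"IPSec SA Idle Timeout"}  # torn down for lack of traffic, not for loss of the peer

def parse_events(text, year=2018):
    """Syslog text -> chronological typed events. ASA syslog carries no year; 2018 is
    an assumption taken from the file name asa-20180305.gz in the post."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m: continue  # other message IDs, or not an ASA line at all
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        body, msgid = m["body"], m["id"]
        peer = PEER_RE.search(body)
        ev = {"ts": ts, "peer": peer[1] if peer else None}
        if msgid == "713050":
            r = REASON_RE.search(body)
            ev.update(kind="terminated", reason=r[1].strip() if r else "unknown")
        elif msgid in ("602303", "602304"):
            sa = SA_RE.search(body)
            if not sa: continue
            ev.update(kind="sa_created" if msgid == "602303" else "sa_deleted",
                      spi=sa[1].lower(), peer=sa[2])
        elif msgid == "713073":
            lt = LIFETIME_RE.search(body)
            if not lt: continue
            ev.update(kind="lifetime_mismatch", proposed=int(lt[1]), forced=int(lt[2]))
        elif msgid == "713120":
            ev["kind"] = "phase2_complete"
        if "kind" in ev:
            events.append(ev)
    return events

def classify_teardowns(events, flap_window_s=300):
    """One finding per 713050. rebuilt_after_s is the time until the next 713120 for that
    peer (None if the log ends first). 300 s is an arbitrary flap threshold."""
    findings = []
    for i, ev in enumerate(events):
        if ev["kind"] != "terminated":
            continue
        nxt = next((e for e in events[i + 1:]
                    if e["kind"] == "phase2_complete" and e["peer"] == ev["peer"]), None)
        gap = (nxt["ts"] - ev["ts"]).total_seconds() if nxt else None
        if ev["reason"] in IDLE_REASONS:
            verdict = "idle-timeout"  # comes back on demand; the gap is not an outage
        elif gap is not None and gap <= flap_window_s:
            verdict = "flap"          # straight back up: check lifetimes, DPD, the peer
        else:
            verdict = "outage"        # long gap, or never rebuilt within this log
        findings.append({"ts": ev["ts"], "peer": ev["peer"], "reason": ev["reason"],
                         "rebuilt_after_s": gap, "verdict": verdict})
    return findings

def sa_lifetimes(events):
    """Pair 602303/602304 by SPI: seconds each SA lived (None if created before the log starts)."""
    created, lived = {}, {}
    for e in events:
        if e["kind"] == "sa_created":
            created[e["spi"]] = e["ts"]
        elif e["kind"] == "sa_deleted":
            t0 = created.pop(e["spi"], None)
            lived[e["spi"]] = (e["ts"] - t0).total_seconds() if t0 else None
    return lived

def lifetime_mismatches(events):
    """713073: the responder would not accept our lifetime; the SA rekeys on the forced value."""
    return [(e["ts"], e["peer"], e["proposed"], e["forced"])
            for e in events if e["kind"] == "lifetime_mismatch"]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(*classify_teardowns(evs), lifetime_mismatches(evs), sa_lifetimes(evs), sep="\n")
```

To answer the question over a month of logs, feed the concatenated daily files (zcat asa-2018*.gz) to parse_events and look only at findings whose verdict is not idle-timeout; an idle-timeout gap measures how long there was nothing to send, not how long the tunnel was broken, and SPI lifetimes that stop well short of the forced 3600 s are the sign to go chasing with debug crypto on both ends.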