02-09-2022 01:51 PM
I have a Firepower 1010 that successfully creates a tunnel and passes traffic both ways without issue. At right about the 12 hour mark the tunnel goes down and won't come back up unless I reboot the Firepower 1010. The keepalive on both sides is set to 8 hours in the IKEv2 policy. Traffic is constantly flowing over this tunnel as well without issue until the 12hr mark.
02-10-2022 02:43 PM
Upgrading FTD to 7.0.1-84 from 6.0 resolved the issue.
02-09-2022 02:07 PM
What is the other side device? What logs do you see when the VPN goes down at the 12 hour mark on both sides?
Do you have ping to the p2p IP address?
What version of code is running on the Firepower?
02-09-2022 03:05 PM
I don't know the device on the other side (law enforcement) and all I have is a timestamp for when the tunnel goes down. But I will be setting up a syslog server here shortly.
I am able to ping the p2p address without issue; after a reboot the ASA connects without issue to the tunnel, which is the weird part.
Current version is 6.4.0-102
02-09-2022 03:16 PM - edited 02-09-2022 03:17 PM
"am able to ping the p2p address without issue, after a reboot the asa connects without issue to the tunnel which is the weird part. Current version is 6.4.0-102"
Hope you are using FTD code here, not ASA (since you mentioned ASA connects? - take that as an error here)
Yes, logs should give some indication why it went down. Also good to know what the other side kit is, maybe the issue is on the other side?
Do you really need to reboot the device? Can you reset the tunnel? See if that comes up?
02-09-2022 03:29 PM
Yes, it's a Firepower 1010 Threat Defense, not an ASA; we replaced the ASA with the FTD (my mistake).
The other side has multiple cities connecting to them without issue.
I've tried resetting the tunnel, even wiping out the tunnel in the config and re-entering it, but the only thing that works is a reboot from the CLI.
02-10-2022 02:17 PM
Reboot or shut down the outside interface. If shutting down the interface solves the case, then we will investigate in depth why phase 1 is deleted from the other peer.
Please share the config of the tunnel-group and group-policy.
02-09-2022 02:08 PM
@CityITsupport what version of software are you running on the firewall?
Are dead peer detection keepalives (DPD) configured on both ends? This will clear the IPsec SA if the tunnel drops.
Is PFS enabled on both ends?
Can you provide the output of IKEv2 debugs?
02-09-2022 03:08 PM
I'm using FDM to manage the device and DPD is not an option on my side.
Yes, PFS is enabled on both sides.
I will be collecting logs tonight. The weird part is after a reboot it connects and passes traffic through for about 12 hours, then disconnects and won't reconnect without rebooting the ASA, even if I clear crypto isakmp sa and ikev2 sa.