How to find out on ASA what IKE policy number is used by the connection?

Ilya Semenov
Level 1

Hi team,

We are experiencing S2S VPN connection issues: it often drops for no reason, almost every day of the week. There are 30+ other S2S VPNs to other customers on our side which work perfectly well.

In the case of the badly working VPN we suspect a Lifetime timer mismatch on both sides. So, I have 4 questions:

0) Am I right that in Phase 1 the Lifetime values should 100% match on both sides, but in Phase 2 they can be different?

1) Could different timer values for Phase 2 be a reason for the connection drops?

2) If, say, for Phase 2 they have 28800 on their side and I have 3600 on my side, whose value will be used? Would it eventually be the same value for both sides, or would the sides use different ones?

3) Where can I see the actually used Phase 1 Lifetime timers?

Now I have a task to check the Lifetime timers for the connection, so I am a bit confused about how to find them out properly.

In Phase 2 we have:

crypto map outside_map 55 set security-association lifetime seconds 3600. That's easy - 3600

but what about Phase 1?

show crypto isakmp sa gives me:

Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 28800
Lifetime Remaining: 9112

Is it really the Lifetime value used in Phase 1?

We have a lot of "crypto ikev1 policy X", where X is 10, 20, 30, ... 200, with the same AUTH/ENC/GRP settings but different Lifetime values set.

How can I see what policy (number) is used by a particular connection?

Thank you very much in advance,

Ilya


Accepted Solution

Hi,
Lifetimes should be configured to mirror the peer's configuration. If the peers are both Cisco and the lifetime was configured differently, the peers would negotiate the shortest lifetime value. If different vendors, this is where you can have issues - in short, best practice is to configure the same values.

"show crypto ipsec sa" will give you the Phase 2 lifetime, per peer.
"show crypto ikev1 sa" or "show crypto isakmp sa" or "show crypto ikev2 sa" will give you the Phase 1/SA_INIT lifetime value, per peer.

You would have to manually determine which algorithms were used to establish an ISAKMP/IKEv1/IKEv2 SA; from there you can determine which policy number was actually used.

HTH


2 Replies


pccw258103
Level 1
Phase 1 is trial and error.
A policy (number) is a set of pre-set parameters.
You can configure policies from 1 to 65535; the highest policy number is for remote client access, e.g. 65535.
Phase 1 tries to negotiate parameters such as encryption, hash etc. (from policy 1 to ....)
If the local side successfully negotiates any policy (number) with the remote side, that will pass to Phase 2.
We have recommended high security for the lowest policy number (e.g. crypto ikev1 policy 1).
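As an added example (not from this thread and not Cisco's own tooling), the following Python script automates the manual matching the accepted answer describes and walks the policies in the lowest-number-first order the second reply describes. It parses `crypto ikev1 policy` blocks from a running configuration and the per-peer Encrypt/Hash/Auth/Lifetime fields of `show crypto ikev1 sa detail` (the same fields quoted in the question), then lists the policy numbers consistent with the negotiated SA. The configuration, peer address and SA text are constructed samples; the mapping from the `preshared` value in the SA output to the `pre-share` keyword in the configuration is an assumption. Two caveats a practitioner should keep in mind are built in: the SA output does not show the DH group, so policies that differ only in group are reported as candidates rather than guessed, and a policy with a longer lifetime than the negotiated value remains a candidate because, per the accepted answer, the shorter of the two peers' lifetimes is what ends up in the SA.

```python
import re
from typing import Dict, List

# Constructed sample of 'show running-config crypto ikev1': policies that share
# AUTH/ENC/HASH but differ in group or lifetime, as in the question.
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 25
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 3600
"""

# Constructed sample of one peer block from 'show crypto ikev1 sa detail'
# (same fields as quoted in the question; the peer address is made up).
SAMPLE_SA = """\
1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 9112
"""

POLICY_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")
# Assumed mapping from the 'Auth' value in the SA output to the configuration keyword.
AUTH_NAMES = {"preshared": "pre-share", "rsasig": "rsa-sig"}


def parse_ikev1_policies(config: str) -> Dict[int, Dict[str, str]]:
    """Return {policy_number: {keyword: value}}; an unset lifetime defaults to 86400."""
    policies: Dict[int, Dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = {"lifetime": "86400"}
            continue
        parts = line.split()
        if current is not None and len(parts) == 2 and parts[0] in POLICY_KEYS:
            policies[current][parts[0]] = parts[1].lower()
    return policies


def parse_ikev1_sa(output: str) -> Dict[str, str]:
    """Extract the negotiated fields of one peer block, renamed to policy keywords.
    'Lifetime Remaining' is not picked up because no ':' directly follows 'Lifetime'."""
    found: Dict[str, str] = {}
    for key, value in re.findall(r"(Encrypt|Hash|Auth|Lifetime)\s*:\s*(\S+)", output):
        found.setdefault(key.lower(), value.lower())
    return {
        "encryption": found["encrypt"],
        "hash": found["hash"],
        "authentication": AUTH_NAMES.get(found["auth"], found["auth"]),
        "lifetime": found["lifetime"],
    }


def matching_policies(sa: Dict[str, str], policies: Dict[int, Dict[str, str]]) -> List[int]:
    """Policy numbers consistent with the SA, lowest number first (the order the ASA
    offers them). Exact lifetime matches are preferred; longer policy lifetimes are
    kept as fallback candidates because the shorter peer value wins the negotiation."""
    negotiated = int(sa["lifetime"])
    algos = ("encryption", "hash", "authentication")
    candidates = [
        n for n, p in sorted(policies.items())
        if all(p.get(k) == sa[k] for k in algos) and int(p["lifetime"]) >= negotiated
    ]
    exact = [n for n in candidates if int(policies[n]["lifetime"]) == negotiated]
    return exact or candidates


def negotiated_lifetime(local: int, remote: int) -> int:
    """Lifetime two Cisco peers settle on when configured differently: the shorter one."""
    return min(local, remote)


def report(config: str, sa_output: str) -> str:
    policies = parse_ikev1_policies(config)
    sa = parse_ikev1_sa(sa_output)
    matches = matching_policies(sa, policies)
    lines = [f"negotiated: {sa}"]
    if not matches:
        lines.append("no configured ikev1 policy matches this SA; check the peer's proposal")
    elif len(matches) == 1:
        lines.append(f"policy {matches[0]} was used")
    else:
        lines.append(f"candidates, lowest number first (DH group is not shown in the SA): {matches}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG, SAMPLE_SA))
    print("Phase 2 with 28800 vs 3600 ->", negotiated_lifetime(28800, 3600))
```

Run against the real device by pasting `show running-config crypto ikev1` and the peer's block of `show crypto ikev1 sa detail` in place of the samples. When several candidates are returned, the first one is the policy the ASA offered first; confirming the group needs `debug crypto ikev1` output or the peer's configuration, which this script does not parse.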