IKEv2 connections problems

jorgemfm
Level 1

Hi,

Note: I'm kind of new to Cisco, and this configuration was not made by me.

We have an IKEv2 tunnel configured and I remember that when I ran

show crypto ikev2 sa

it would only show 1 tunnel with status READY.

A few weeks ago I noticed that now it shows 2 tunnels, one with READY status and another with IN-NEG status.

Router#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         x.x.x.x/500          x.x.x.x/500    none/none            IN-NEG
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: Unknown - 0, Auth verify: Unknown - 0
      Life/Active Time: 120/0 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         x.x.x.x/500          x.x.x.x/500    none/none            READY
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/693 sec

 IPv6 Crypto IKEv2  SA

I didn't make any change, and I don't know if the other party has made any, but is there any way I can understand what is wrong?

Also, we started having problems with the connection: from time to time users were unable to access the remote network and I have to run the clear command so that they can connect again.

clear crypto ikev2 sa

Any ideas on how I can start investigating this?

 

Thank you!

 

20 Replies

IPSec has two phases and two lifetimes;
in your case the lifetime mismatches the other peer's,
as you can see the lifetime is different between the two entries.
So make sure that the other peer uses the same lifetime, 86400 instead of 120.

Mike.Cifelli
VIP Alumni

AFAIK the IKEv2 lifetime is not negotiated and is locally significant to each respective peer in regard to IOS. The IKEv2 lifetime is not negotiated in the IKEv2 proposals, and is configured in IKEv2 profiles with respect to IOS. Whichever peer has the lower lifetime will always end up being the one to request rekeying via CREATE_CHILD_SA. What types are the connecting devices? Have you attempted any debugs? If so, are you able to see any specifics such as negotiation failing, IKE_AUTH failures, etc.?

jorgemfm
Level 1

Hi, sorry for the late answer.

What types are the connecting devices?

Our device is a Cisco C891F router; I don't know the other end device.

Have you attempted any debugs?

No, like I said, I'm kind of new to Cisco, trying to learn. I will search online for information about debugging.

Thank you

I would start with #debug crypto ikev2 packet.  This should help shed some light on why negotiations are failing.  Let us know what errors you see.  Any chance you can share the ikev2 local/remote side config?  Lastly, an easy checkbox should be reaching out to remote side to see if they made any changes as well.

Phase 1 lifetime is 120 on the other peer,
phase 1 lifetime is 86400 on your side.
Phase 1 on the other side times out and tries to establish a new Phase 1, BUT your side still has an active phase 1; this makes
the other peer fail phase 1, and on your side the tunnel cannot send traffic. NOW
just configure your side's phase 1 lifetime = 120 and see if the traffic is stable, BUT BUT 120 is too short.

jorgemfm
Level 1

Hi,

Sorry for the late reply.

I think the problem was on their side; basically they used the same network for 2 different tunnels so there were some conflicts.

They made the change today, so I'm going to wait a few more days to be sure. If it continues I will leave the requested information here.

Thank you all.

Until then,
good luck friend.

Once you learn the VPN side as you need to for this, please upgrade your VPN encryption settings. Looking at the displayed output, you are using legacy settings (which are not recommended anymore at this time); for example 3DES encryption must not be used in a production network, plus you are using DH group 2, again not a recommended one.

Ideally, encryption should be AES-256 and DH group 19, 20 or 21.

Have a look Here and upgrade the encryption (once agreed with you and the remote side).

Please do not forget to rate.

jorgemfm
Level 1

Hi, sorry again for the late answer.

The problem still persists and now it's worse than ever.

Tomorrow I will have a meeting with a Cisco technician and the team from the other side of the tunnel to see if we can fix the problem.

Still, I did some checking and when executing

debug crypto ikev2 error

I get the following:

Apr 28 19:56:20.370: IKEv2:: Packet is a retransmission
Apr 28 19:56:29.382: IKEv2:(SESSION ID = 189,SA ID = 2):: Failed to receive the AUTH msg before the timer expired
Apr 28 19:56:29.382: IKEv2:(SESSION ID = 189,SA ID = 2):: Auth exchange failed
Apr 28 19:56:29.430: IKEv2:Failed to retrieve Certificate Issuer list
Apr 28 19:56:29.434: IKEv2:Failed to retrieve Certificate Issuer list
Apr 28 19:56:32.430: IKEv2:: Packet is a retransmission
Apr 28 19:56:38.426: IKEv2:: Packet is a retransmission
Apr 28 19:56:50.426: IKEv2:: Packet is a retransmission
Apr 28 19:56:59.434: IKEv2:(SESSION ID = 190,SA ID = 2):: Failed to receive the AUTH msg before the timer expired
Apr 28 19:56:59.434: IKEv2:(SESSION ID = 190,SA ID = 2):: Auth exchange failed
Apr 28 19:56:59.482: IKEv2:Failed to retrieve Certificate Issuer list
Apr 28 19:56:59.486: IKEv2:Failed to retrieve Certificate Issuer list
Apr 28 19:57:02.482: IKEv2:: Packet is a retransmission
Apr 28 19:57:08.482: IKEv2:: Packet is a retransmission
Apr 28 19:57:20.478: IKEv2:: Packet is a retransmission
Apr 28 19:57:29.486: IKEv2:(SESSION ID = 191,SA ID = 2):: Failed to receive the AUTH msg before the timer expired
Apr 28 19:57:29.486: IKEv2:(SESSION ID = 191,SA ID = 2):: Auth exchange failed
...

Don't know if it's related to the problem; I didn't find much online about this.

I will keep updating as the situation evolves.

Thank you all!

 

Did you change the lifetime?? I think NO, and as I mentioned before the lifetime is the issue but....ANYWAY

Also, what auth do you use??
PSK or RSA???
I think the policy is making the issue here:
when your side tries to initiate the IPSec it selects the right auth, BUT when the other side initiates the IPSec the issue arises, as IKEv2 doesn't know whether to select RSA or PSK.
How many tunnels run on this router?

jorgemfm
Level 1

Hi, sorry for not letting you know about the lifetime.

I've tried to change the lifetime to 120, but the results were the same, and the thing is, I can't even find the 86400 lifetime value anywhere in the configuration (maybe it's the default?). Also I don't know if I changed it in the right place; like I said in the first post, I'm not very familiar with Cisco.

This is the only place I can find a lifetime configuration, and it was always 28800. I've tried changing it to 120 like I said, but got the same results:

Router#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               28800 seconds, no volume limit

Don't know if this information helps with the other questions.

Also, showing here the tunnels with detailed information. Like I said before, there's only supposed to be 1 tunnel, and looking at this info, we can see the second tunnel is in IN-NEG state and has the Local id: and Remote id: fields empty.

Router#show crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         yyy.yyy.yyy.yyy/500          xxx.xxx.xxx.xxx/500    none/none            READY
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/518 sec
      CE id: 2352, Session-id: 12
      Status Description: Negotiation done
      Local spi: 25CE263C93D957DA       Remote spi: D83ACA7E3D462DBD
      Local id: yyy.yyy.yyy.yyy
      Remote id: xxx.xxx.xxx.xxx
      Local req msg id:  0              Remote req msg id:  30
      Local next msg id: 0              Remote next msg id: 30
      Local req queued:  0              Remote req queued:  30
      Local window:      5              Remote window:      1
      DPD configured for 0 seconds, retry 0
      Fragmentation not configured.
      Extended Authentication not configured.
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : No

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         yyy.yyy.yyy.yyy/500          xxx.xxx.xxx.xxx/500    none/none            IN-NEG
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: Unknown - 0, Auth verify: Unknown - 0
      Life/Active Time: 120/0 sec
      CE id: 2370, Session-id: 0
      Status Description: Responder waiting for AUTH message
      Local spi: 770C8AAA0B6F69B2       Remote spi: 24333416BB94EB23
      Local id:
      Remote id:
      Local req msg id:  0              Remote req msg id:  1
      Local next msg id: 0              Remote next msg id: 1
      Local req queued:  0              Remote req queued:  1
      Local window:      1              Remote window:      1
      DPD configured for 0 seconds, retry 0
      Fragmentation not configured.
      Extended Authentication not configured.
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : No

 IPv6 Crypto IKEv2  SA

Thanks again!

jorgemfm
Level 1

Hi, sorry for not talking about the lifetime thing. I've tried changing it, but the results were the same. And the thing is, I can't find the 86400 value anywhere in the configuration (maybe it's the default?) and I really don't know if I changed it in the right place; like I said, I'm not very familiar with Cisco and IPsec.

This is the only place I found a lifetime configuration. I changed it to 120, but like I said, the results were the same. Still, the value was always 28800:

Router#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               28800 seconds, no volume limit

Don't know if this info answers your other questions.

Checking again the tunnels, this time with detailed. Like I said before, there's only supposed to be 1 tunnel, and as you can see, the second one is always in IN-NEG status and the fields Local id and Remote id are empty.

Router#show crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         yyy.yyy.yyy.yyy/500          xxx.xxx.xxx.xxx/500    none/none            READY
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1816 sec
      CE id: 2352, Session-id: 12
      Status Description: Negotiation done
      Local spi: 25CE263C93D957DA       Remote spi: D83ACA7E3D462DBD
      Local id: yyy.yyy.yyy.yyy
      Remote id: xxx.xxx.xxx.xxx
      Local req msg id:  0              Remote req msg id:  95
      Local next msg id: 0              Remote next msg id: 95
      Local req queued:  0              Remote req queued:  95
      Local window:      5              Remote window:      1
      DPD configured for 0 seconds, retry 0
      Fragmentation not configured.
      Extended Authentication not configured.
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : No

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         yyy.yyy.yyy.yyy/500          xxx.xxx.xxx.xxx/500    none/none            IN-NEG
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: Unknown - 0, Auth verify: Unknown - 0
      Life/Active Time: 120/0 sec
      CE id: 2413, Session-id: 0
      Status Description: Responder waiting for AUTH message
      Local spi: 8F324FE43C437E38       Remote spi: 7334FC00D809E779
      Local id:
      Remote id:
      Local req msg id:  0              Remote req msg id:  1
      Local next msg id: 0              Remote next msg id: 1
      Local req queued:  0              Remote req queued:  1
      Local window:      1              Remote window:      1
      DPD configured for 0 seconds, retry 0
      Fragmentation not configured.
      Extended Authentication not configured.
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : No

Thanks again!

Hmm, I don't think anymore that this is a lifetime issue..
This issue is with the ID.
Run

deb crypto ikev2 packet

share the output, and then "no debug" for the CPU.

 

jorgemfm
Level 1

is this enough?

Apr 28 22:26:16.198: IKEv2:Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 252
Payload contents:
 SA  Next payload: KE, reserved: 0x0, length: 44
  last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4    last transform: 0x3, reserved: 0x0: length: 8
    type: 1, reserved: 0x0, id: 3DES
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
 KE  Next payload: N, reserved: 0x0, length: 136
    DH group: 2, Reserved: 0x0
 N  Next payload: NOTIFY, reserved: 0x0, length: 36
 NOTIFY(Unknown - 16430)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: Unknown - 0

Apr 28 22:26:16.202: IKEv2:(SESSION ID = 494,SA ID = 2):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 276
Payload contents:
 SA  Next payload: KE, reserved: 0x0, length: 44
  last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4    last transform: 0x3, reserved: 0x0: length: 8
    type: 1, reserved: 0x0, id: 3DES
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
 KE  Next payload: N, reserved: 0x0, length: 136
    DH group: 2, Reserved: 0x0
 N  Next payload: VID, reserved: 0x0, length: 24
 VID  Next payload: VID, reserved: 0x0, length: 23
 VID  Next payload: NONE, reserved: 0x0, length: 21

Apr 28 22:26:19.198: IKEv2:(SESSION ID = 494,SA ID = 2):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 276
Payload contents:
 SA  Next payload: KE, reserved: 0x0, length: 44
  last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4    last transform: 0x3, reserved: 0x0: length: 8
    type: 1, reserved: 0x0, id: 3DES
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
 KE  Next payload: N, reserved: 0x0, length: 136
    DH group: 2, Reserved: 0x0
 N  Next payload: VID, reserved: 0x0, length: 24
 VID  Next payload: VID, reserved: 0x0, length: 23
 VID  Next payload: NONE, reserved: 0x0, length: 21

Apr 28 22:26:25.194: IKEv2:(SESSION ID = 494,SA ID = 2):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 276
Payload contents:
 SA  Next payload: KE, reserved: 0x0, length: 44
  last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4    last transform: 0x3, reserved: 0x0: length: 8
    type: 1, reserved: 0x0, id: 3DES
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
 KE  Next payload: N, reserved: 0x0, length: 136
    DH group: 2, Reserved: 0x0
 N  Next payload: VID, reserved: 0x0, length: 24
 VID  Next payload: VID, reserved: 0x0, length: 23
 VID  Next payload: NONE, reserved: 0x0, length: 21

Apr 28 22:26:28.458: IKEv2:(SESSION ID = 351,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: INITIATOR Message id: 217, length: 60
Payload contents:

Apr 28 22:26:28.458: IKEv2:(SESSION ID = 351,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE Message id: 217, length: 60
Payload contents:
 ENCR  Next payload: NONE, reserved: 0x0, length: 32

Apr 28 22:26:37.194: IKEv2:(SESSION ID = 494,SA ID = 2):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 276
Payload contents:
 SA  Next payload: KE, reserved: 0x0, length: 44
  last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4    last transform: 0x3, reserved: 0x0: length: 8
    type: 1, reserved: 0x0, id: 3DES
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
 KE  Next payload: N, reserved: 0x0, length: 136
    DH group: 2, Reserved: 0x0
 N  Next payload: VID, reserved: 0x0, length: 24
 VID  Next payload: VID, reserved: 0x0, length: 23
 VID  Next payload: NONE, reserved: 0x0, length: 21

Apr 28 22:26:46.254: IKEv2:Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 252
Payload contents:
 SA  Next payload: KE, reserved: 0x0, length: 44
  last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4    last transform: 0x3, reserved: 0x0: length: 8
    type: 1, reserved: 0x0, id: 3DES
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
 KE  Next payload: N, reserved: 0x0, length: 136
    DH group: 2, Reserved: 0x0
 N  Next payload: NOTIFY, reserved: 0x0, length: 36
 NOTIFY(Unknown - 16430)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: Unknown - 0

Apr 28 22:26:46.258: IKEv2:(SESSION ID = 495,SA ID = 2):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 276
Payload contents:
 SA  Next payload: KE, reserved: 0x0, length: 44
  last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4    last transform: 0x3, reserved: 0x0: length: 8
    type: 1, reserved: 0x0, id: 3DES
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
 KE  Next payload: N, reserved: 0x0, length: 136
    DH group: 2, Reserved: 0x0
 N  Next payload: VID, reserved: 0x0, length: 24
 VID  Next payload: VID, reserved: 0x0, length: 23
 VID  Next payload: NONE, reserved: 0x0, length: 21
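An added example (not from the thread or from Cisco): a small Python triage script that reads `debug crypto ikev2 packet` header lines like the ones posted above, groups them by SESSION ID and flags sessions where the router, as responder, keeps resending its IKE_SA_INIT reply without ever seeing IKE_AUTH, which is the same condition the `debug crypto ikev2 error` output earlier in the thread reports as "Failed to receive the AUTH msg before the timer expired". The sample log is constructed from the thread's output with the per-payload detail lines dropped, and the field layout the regex assumes is taken from that output only.

```python
import re
from collections import defaultdict

# Constructed sample: the header lines of the `debug crypto ikev2 packet`
# output posted in the thread, with the per-payload detail lines dropped.
SAMPLE = """\
Apr 28 22:26:16.198: IKEv2:Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 252
Apr 28 22:26:16.202: IKEv2:(SESSION ID = 494,SA ID = 2):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 276
Apr 28 22:26:19.198: IKEv2:(SESSION ID = 494,SA ID = 2):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 276
Apr 28 22:26:25.194: IKEv2:(SESSION ID = 494,SA ID = 2):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 276
Apr 28 22:26:28.458: IKEv2:(SESSION ID = 351,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: INITIATOR Message id: 217, length: 60
Apr 28 22:26:28.458: IKEv2:(SESSION ID = 351,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE Message id: 217, length: 60
Apr 28 22:26:37.194: IKEv2:(SESSION ID = 494,SA ID = 2):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 276
Apr 28 22:26:46.254: IKEv2:Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 252
Apr 28 22:26:46.258: IKEv2:(SESSION ID = 495,SA ID = 2):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 276
"""

# One IOS packet-debug header: timestamp, optional session tag, exchange type,
# flags and message id. The first inbound IKE_SA_INIT carries no session tag yet.
HDR_RE = re.compile(
    r"^\w{3} +\d+ [\d:.]+: IKEv2:"
    r"(?:\(SESSION ID = (?P<sid>\d+),SA ID = \d+\):)?"
    r"Next payload: \w+, version: [\d.]+ Exchange type: (?P<xchg>\w+), "
    r"flags: (?P<flags>.*?) Message id: (?P<mid>\d+), length: \d+$"
)

def parse_headers(text):
    """Yield (session id or None, exchange type, flags, message id) per header line."""
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            yield m.group("sid"), m.group("xchg"), m.group("flags"), int(m.group("mid"))

def triage(text):
    """Per session: which exchanges were seen and how many times the responder
    re-sent its IKE_SA_INIT reply (message id 0) without an IKE_AUTH following.
    Returns (count of session-less inbound requests, {session id: summary})."""
    sessions = defaultdict(lambda: {"exchanges": set(), "sa_init_replies": 0})
    unbound_requests = 0
    for sid, xchg, flags, mid in parse_headers(text):
        if sid is None:
            unbound_requests += 1  # inbound IKE_SA_INIT logged before the SA exists
            continue
        s = sessions[sid]
        s["exchanges"].add(xchg)
        if xchg == "IKE_SA_INIT" and "MSG-RESPONSE" in flags and mid == 0:
            s["sa_init_replies"] += 1
    report = {}
    for sid, s in sessions.items():
        retx = max(s["sa_init_replies"] - 1, 0)
        if "IKE_AUTH" in s["exchanges"] or "INFORMATIONAL" in s["exchanges"]:
            verdict = "established"  # encrypted exchanges only occur on a live IKE SA
        elif retx:
            verdict = "stalled: IKE_SA_INIT reply resent %d times, no IKE_AUTH seen" % retx
        else:
            verdict = "in progress"
        report[sid] = {"exchanges": sorted(s["exchanges"]), "retransmits": retx, "verdict": verdict}
    return unbound_requests, report
```

Running `triage(SAMPLE)` reports session 494 as stalled after 3 retransmits of the responder's reply, session 351 (the READY tunnel) as established and session 495 as in progress. Because the router's reply carries an accepted SA payload rather than a NO_PROPOSAL_CHOSEN notify, the stall points at the IKE_SA_INIT response never reaching or never being answered by the remote peer, not at a proposal mismatch.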