Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3883
Views
4
Helpful
2
Replies

IKEv2 L2L tunnel SA rekey sporadically failing

James Leinweber
Enthusiast
Enthusiast

‎07-17-2013 01:54 PM

I have an IPsec L2L tunnel between two ASA 5525-x firewalls running 9.0(2), negotiating IKEv2 with certificate authentication of the endpoints.  Frequently, as expected, SA's will rekey due to time or data rollover, logging things like %ASA-7-702307 ... is rekeying due to data rollover.

Sometimes, maybe 10% of the time, both ends try to rekey and the collision detection kicks in and deletes one of the sets of newly proposed replacement SA's.  The winner logs  %ASA-5-750005: ... IPsec rekey collision detected.  I am lowest nonce initiator, deleting SA ... while the loser logs

%ASA-4-750003: ... Negotiation aborted due to ERROR: Failed to insert SA due to ipsec rekey collision.  The new surviving SA pair takes over and my packets continue to flow across the tunnel.

Once in a while, the rekey fails, the tunnel dies, and ongoing TCP sessions crash.  In this case at least one side will log something like:

%ASA-5-750007: ... SA DOWN. Reason: IPsec rekey collision handling failed

%ASA-4-113019: ... Session disconnected. Session Type: LAN-to-LAN, Duration: ... Reason: Phase 2 Error

Has anyone else seen this?

Does anyone have a fix or a workaround, like upgrading to 9.1 firmware, or downgrading to IKEv1 negotations, or some mystical tweak to the tunnel-group settings?

I'm not sure if it's killing 100% of the TCP sessions when the tunnel is renegotiated from scratch, or just the active ones, but our operational annoyance for the users and DBA's re-establishing application sessions and unlocking orphaned transactions is considerable.  We could probably tolerate the 2 second wait for the tunnel to come back up, but not the dead TCP sessions.

My google-fu isn't turnning up a lot of examples of this, and I've opened a TAC about it too, but I'm hoping someone might have additional insight.

-- Jim Leinweber, WI State Lab of Hygiene

Labels:
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎07-17-2013 02:01 PM

Hi,

Have you tried using the command

sysopt connection preserve-vpn-flows

It should preserve the TCP connections which are formed through a VPN connection if/when the VPN connections for example does a renegotiation.

To my understanding it should also help if the whole VPN connection goes down but comes back up before the global timeout values kick in.

As for the actual L2L VPN problem I have no clue. Only similiar thing I have constantly happening on only a single L2L VPN. Every now and the VPN gets stuck at rekey and the only solution is to reset/loggoff the whole connection.

- Jouni