cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3312
Views
4
Helpful
2
Replies

IKEv2 L2L tunnel SA rekey sporadically failing

James Leinweber
Enthusiast
Enthusiast

I have an IPsec L2L tunnel between two ASA 5525-x firewalls running 9.0(2), negotiating IKEv2 with certificate authentication of the endpoints.  Frequently, as expected, SA's will rekey due to time or data rollover, logging things like %ASA-7-702307 ... is rekeying due to data rollover.

Sometimes, maybe 10% of the time, both ends try to rekey and the collision detection kicks in and deletes one of the sets of newly proposed replacement SA's.  The winner logs  %ASA-5-750005: ... IPsec rekey collision detected.  I am lowest nonce initiator, deleting SA ... while the loser logs

%ASA-4-750003: ... Negotiation aborted due to ERROR: Failed to insert SA due to ipsec rekey collision.  The new surviving SA pair takes over and my packets continue to flow across the tunnel.

Once in a while, the rekey fails, the tunnel dies, and ongoing TCP sessions crash.  In this case at least one side will log something like:

%ASA-5-750007: ... SA DOWN. Reason: IPsec rekey collision handling failed

%ASA-4-113019: ... Session disconnected. Session Type: LAN-to-LAN, Duration: ... Reason: Phase 2 Error

Has anyone else seen this?

Does anyone have a fix or a workaround, like upgrading to 9.1 firmware, or downgrading to IKEv1 negotations, or some mystical tweak to the tunnel-group settings?

I'm not sure if it's killing 100% of the TCP sessions when the tunnel is renegotiated from scratch, or just the active ones, but our operational annoyance for the users and DBA's re-establishing application sessions and unlocking orphaned transactions is considerable.  We could probably tolerate the 2 second wait for the tunnel to come back up, but not the dead TCP sessions.

My google-fu isn't turnning up a lot of examples of this, and I've opened a TAC about it too, but I'm hoping someone might have additional insight.

-- Jim Leinweber, WI State Lab of Hygiene

2 Replies 2

Jouni Forss
Mentor
Mentor

Hi,

Have you tried using the command

sysopt connection preserve-vpn-flows

It should preserve the TCP connections which are formed through a VPN connection if/when the VPN connections for example does a renegotiation.

To my understanding it should also help if the whole VPN connection goes down but comes back up before the global timeout values kick in.

As for the actual L2L VPN problem I have no clue. Only similiar thing I have constantly happening on only a single L2L VPN. Every now and the VPN gets stuck at rekey and the only solution is to reset/loggoff the whole connection.

- Jouni

We have faced similar issue and there are 2 work around as there is bug in ASA IOS 

 

1) crypto map outside-map 2 set security-association lifetime kilobytes unlimited

 

set security association liftime to kilibytes unlimited 

 

2) Upgrade the ASA to the latest 9.4.2 interim version which is 9.4.2.25 or any of the higher  recommended versions.

 

1st option has security hole as rekey function will not work in that option.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers