Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3876
Views
4
Helpful
2
Replies

IKEv2 L2L tunnel SA rekey sporadically failing

James Leinweber
Enthusiast
Enthusiast

‎07-17-2013 01:54 PM

I have an IPsec L2L tunnel between two ASA 5525-x firewalls running 9.0(2), negotiating IKEv2 with certificate authentication of the endpoints.  Frequently, as expected, SA's will rekey due to time or data rollover, logging things like %ASA-7-702307 ... is rekeying due to data rollover.

Sometimes, maybe 10% of the time, both ends try to rekey and the collision detection kicks in and deletes one of the sets of newly proposed replacement SA's.  The winner logs  %ASA-5-750005: ... IPsec rekey collision detected.  I am lowest nonce initiator, deleting SA ... while the loser logs

%ASA-4-750003: ... Negotiation aborted due to ERROR: Failed to insert SA due to ipsec rekey collision.  The new surviving SA pair takes over and my packets continue to flow across the tunnel.

Once in a while, the rekey fails, the tunnel dies, and ongoing TCP sessions crash.  In this case at least one side will log something like:

%ASA-5-750007: ... SA DOWN. Reason: IPsec rekey collision handling failed

%ASA-4-113019: ... Session disconnected. Session Type: LAN-to-LAN, Duration: ... Reason: Phase 2 Error

Has anyone else seen this?

Does anyone have a fix or a workaround, like upgrading to 9.1 firmware, or downgrading to IKEv1 negotations, or some mystical tweak to the tunnel-group settings?

I'm not sure if it's killing 100% of the TCP sessions when the tunnel is renegotiated from scratch, or just the active ones, but our operational annoyance for the users and DBA's re-establishing application sessions and unlocking orphaned transactions is considerable.  We could probably tolerate the 2 second wait for the tunnel to come back up, but not the dead TCP sessions.

My google-fu isn't turnning up a lot of examples of this, and I've opened a TAC about it too, but I'm hoping someone might have additional insight.

-- Jim Leinweber, WI State Lab of Hygiene

Labels:
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎07-17-2013 02:01 PM

Hi,

Have you tried using the command

sysopt connection preserve-vpn-flows

It should preserve the TCP connections which are formed through a VPN connection if/when the VPN connections for example does a renegotiation.

To my understanding it should also help if the whole VPN connection goes down but comes back up before the global timeout values kick in.

As for the actual L2L VPN problem I have no clue. Only similiar thing I have constantly happening on only a single L2L VPN. Every now and the VPN gets stuck at rekey and the only solution is to reset/loggoff the whole connection.

- Jouni

bhushan.kavishwar
Beginner
Beginner
In response to Jouni Forss

‎01-22-2018 10:16 AM

We have faced similar issue and there are 2 work around as there is bug in ASA IOS 

 

1) crypto map outside-map 2 set security-association lifetime kilobytes unlimited

 

set security association liftime to kilibytes unlimited 

 

2) Upgrade the ASA to the latest 9.4.2 interim version which is 9.4.2.25 or any of the higher  recommended versions.

 

1st option has security hole as rekey function will not work in that option.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents