
IKEv2 SA not expiring

Jay47110
Level 1

Hi,

I'm trying to understand why, on one of my policy-based (crypto map) IKEv2 IPsec tunnels, the IKEv2 SAs are not expiring and are going way over their lifetime, which causes new SAs to be generated, so I am seeing a whole bunch of SAs while the old ones are still active. Even after I manually clear the SAs, they still stay up.

Does anyone know how and why this is happening, and how can I fix this behaviour?

PS: I am using a Cisco ASR1001 but am unsure of the remote side.

 

ACTIVE ONE:

Tunnel-id     Local                 Remote                fvrf/ivrf            Status
60            1.1.1.1/500       2.2.2.2/500          FVRF/IVRF          READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 36000/7621 sec       ------ (Active time is lower than Lifetime as expected)

 

 

ALL MANUALLY DELETED ONES THAT ARE STILL ACTIVE: As you can see, the Active time has way surpassed the Lifetime. I have manually deleted the SAs using "clear crypto ikev2 sa", but they still show up here.

Tunnel-id Local                 Remote                fvrf/ivrf            Status
42       1.1.1.1/500      2.2.2.2/500              FVRF/IVRF         DELETE
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 36000/457740 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
40        1.1.1.1/500    2.2.2.2/500      FVRF/IVRF         DELETE
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 36000/493743 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
39        1.1.1.1/500    2.2.2.2/500      FVRF/IVRF         DELETE
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 36000/529759 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
34        1.1.1.1/500    2.2.2.2/500      FVRF/IVRF         DELETE
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 36000/565760 sec

THUS Showing a whole lot of IPSec Phase2 SAs:

Router#show crypto session brief
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
        K - No IKE
ivrf = IVRF
      Peer     I/F                            Group/Phase1_id   Uptime Status
   2.2.2.2  gig1/1                             2.2.2.2             1w4d    UA
   2.2.2.2  gig1/1                             2.2.2.2             1w5d    UA
   2.2.2.2  gig1/1                             2.2.2.2             6d23h    UA
   2.2.2.2  gig1/1                             2.2.2.2             1w3d    UA
   2.2.2.2  gig1/1                             2.2.2.2             1d03h    UA
 

Kind regards
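As an added example (not from this thread or from Cisco), a small Python check that parses output shaped like the `show crypto ikev2 sa` listing above and flags the two symptoms described in the post: SAs whose active time has exceeded their lifetime, and SAs that linger in DELETE state after being cleared. The sample text is constructed, and the rekey grace period is an assumed value.

```python
import re

# Constructed sample, shaped like the `show crypto ikev2 sa` output quoted in the post
SAMPLE_IKEV2_SA = """\
Tunnel-id     Local                 Remote                fvrf/ivrf            Status
60            1.1.1.1/500       2.2.2.2/500          FVRF/IVRF          READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 36000/7621 sec
Tunnel-id     Local                 Remote                fvrf/ivrf            Status
42            1.1.1.1/500       2.2.2.2/500          FVRF/IVRF          DELETE
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 36000/457740 sec
"""

# One SA header row: tunnel id, local addr/port, remote addr/port, fvrf/ivrf, status
SA_ROW = re.compile(r"^(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+\S+\s+(\w+)\s*$")
LIFE_ROW = re.compile(r"Life/Active Time:\s*(\d+)/(\d+)\s*sec")


def parse_ikev2_sas(text):
    """Parse the show output into dicts with id, local, remote, status, life, active."""
    sas, current = [], None
    for line in text.splitlines():
        row = SA_ROW.match(line.strip())
        if row:
            current = {"id": int(row.group(1)), "local": row.group(2),
                       "remote": row.group(3), "status": row.group(4),
                       "life": None, "active": None}
            sas.append(current)
            continue
        life = LIFE_ROW.search(line)
        if life and current is not None:
            current["life"], current["active"] = int(life.group(1)), int(life.group(2))
    return sas


def stale_sas(sas, grace=300):
    """Return (tunnel id, reason) for SAs that should no longer exist.

    A healthy IKEv2 SA is torn down at or shortly after its lifetime, so an
    active time beyond life + grace is wrong (grace, an assumed value, covers
    the normal rekey overlap), and an SA still listed in DELETE state has not
    actually been removed.
    """
    findings = []
    for sa in sas:
        if sa["status"] == "DELETE":
            findings.append((sa["id"], "still present in DELETE state"))
        elif sa["life"] is not None and sa["active"] > sa["life"] + grace:
            findings.append((sa["id"], "active time exceeds lifetime"))
    return findings
```

Feeding the real `show crypto ikev2 sa` output into `parse_ikev2_sas` and alerting on a non-empty `stale_sas` result gives an early warning of the leak before the session table fills with duplicates.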


8 Replies

Sheraz.Salim
VIP Alumni

Have a look at this document; you will find your answer.

 

https://www.cisco.com/c/en/us/td/docs/wireless/asr_5000/20/IPSec/b_20_IPSec/b_20_IPSec_chapter_01011.pdf

 

 

Also take into account that your peer router/firewall has the same time setting. It could be that your router wants to clear the SA but the other side is not on the same clock to clear it.

please do not forget to rate.

Hi,
Do you have DPD (Dead Peer Detection) configured on your ASR?
What IOS version is the router currently running?

Jay47110
Level 1
Level 1

Thanks @Sheraz.Salim and @Rob Ingram for the response.

 

@Sheraz.Salim: I have read through this doc and it also states that once rekeying of a new SA is done after a while both parties stop sending traffic over the old SA and start using the new; which is what I would expect.  The doc also says that even if no Delete SA message is received from the remote peer, it uses a timer to expire the SA. But in my case the old SAs never expire.

 

Well, the remote router is in a GMT+1 zone, but why would that make any difference? Also, if you have a look at the Phase 2 SA stats I posted, multiple of those SAs have been up for over a week.

 

@Rob Ingram: Yes, DPD is configured as "dpd 60 5 periodic" and I am on IOS XE Version 03.13.10.S

The IOS version is pretty old, and I suggest that you plan an upgrade and see.

You might be hitting a bug. The SA status is showing DELETE, which means that the IPsec SA should be cleared as well, because this is one of the properties of IKEv2 (P1 and P2 SAs are consistent and clear together).

Yeah, it could be a bug. I will try and raise it with Cisco TAC and see if they confirm.

The SA status is indeed saying DELETE because I manually cleared the IKEv2 SA, but they never actually expire. The same goes for the IPsec SA, i.e. P2.

Kind regards

Agreed, it is most likely a bug. If you have a support/smart contract, open a case with TAC; they would advise you which IOS is best to upgrade to on your router.

 

I found this bug, similar to your router family: CSCua10556

 

please do not forget to rate.

Thanks all. Much appreciated.

Kind regards