IKEv2 SAs: Status:UP-IDLE FDM on FMC to Azure S2S VPN stops after 1 hr

MXUser
Level 1

Hi All

I have a Firepower 1140 on FMC. I configured a tunnel to the Azure VPN GW, and the tunnel comes up, but after exactly 1 hour it goes into the IDLE state. The lifetime settings are the same on both sides. I have a similar FTD-managed box with the same connection parameters that connects to the same S2S with no issues (we fail over to the other machine when needed).

The tunnel only comes back up after I issue a command to reset it: clear crypto ikev2 sa <ip of Azure VPN GW>

The FMC throws this error in the dashboard: VPN Status Azure-VPN - VPN Tunnel between LOCALFW1/outside-static-ip/xx.xx.xx.xx/192.168.160.0 and Extranet Device/xx.xx.xx.xx/10.1.0.0 is inactive due to IKE Delete.

This is when up and working:

> show isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:37, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote fvrf/ivrf Status Role
215933001 xx.xx.xx.xx/500 xx.xx.xx.xx/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 3600/1521 sec
Child sa: local selector 192.168.160.0/0 - 192.168.191.255/65535
remote selector 10.1.0.0/0 - 10.1.15.255/65535
ESP spi in/out: 0xa5854000/0x1fa4000

And this when IDLE:

> show isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:36, Status:UP-IDLE, IKE count:1, CHILD count:0

Tunnel-id Local Remote fvrf/ivrf Status Role
2218685083 xx.xx.xx.xx/500 xx.xx.xx.xx/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 3600/456 sec

Thank you in advance.

3 Replies

MXUser
Level 1

As a workaround we ended up writing a script to kill the session so it re-establishes itself, and a ticket is open with Cisco to see why this is happening.
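The workaround described in this reply, as an added example that is not part of the original thread and not Cisco tooling: a small Python poller that parses the "show isakmp sa" output shown in the question, matches the failure signature the poster pasted (Status:UP-IDLE with CHILD count:0, i.e. the IKE SA is still up but its IPsec child SA has been deleted) and emits the same clear crypto ikev2 sa <peer> command the poster used. The sample outputs are the two listings from the question with the redacted xx.xx.xx.xx peers replaced by RFC 5737 documentation addresses (an assumption); the grace period and the run() hook used to send CLI lines to the FTD are also assumptions, and nothing here connects to a device.

```python
import re
from typing import Callable, Dict, List

# Constructed samples (not captured from a live device): the two "show isakmp sa"
# listings from the original post, with the redacted xx.xx.xx.xx peers replaced by
# RFC 5737 documentation addresses. Assumption: local 203.0.113.10, Azure 198.51.100.20.
IDLE_OUTPUT = """\
There are no IKEv1 SAs

IKEv2 SAs:

Session-id:36, Status:UP-IDLE, IKE count:1, CHILD count:0

Tunnel-id Local Remote fvrf/ivrf Status Role
2218685083 203.0.113.10/500 198.51.100.20/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 3600/456 sec
"""

ACTIVE_OUTPUT = """\
There are no IKEv1 SAs

IKEv2 SAs:

Session-id:37, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote fvrf/ivrf Status Role
215933001 203.0.113.10/500 198.51.100.20/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 3600/1521 sec
Child sa: local selector 192.168.160.0/0 - 192.168.191.255/65535
remote selector 10.1.0.0/0 - 10.1.15.255/65535
ESP spi in/out: 0xa5854000/0x1fa4000
"""

SESSION_RE = re.compile(
    r"Session-id:(\d+), Status:([^,\s]+), IKE count:(\d+), CHILD count:(\d+)")
# Tunnel line: <id> <local>/<port> <remote>/<port> <status> <role>
TUNNEL_RE = re.compile(
    r"^(\d+)\s+([^/\s]+)/\d+\s+([^/\s]+)/\d+\s+(\S+)\s+(\S+)\s*$", re.MULTILINE)
LIFE_RE = re.compile(r"Life/Active Time: (\d+)/(\d+) sec")


def parse_ikev2_sas(output: str) -> List[Dict]:
    """Parse 'show isakmp sa' text into one dict per IKEv2 session."""
    sessions = []
    heads = list(SESSION_RE.finditer(output))
    for i, head in enumerate(heads):
        # Everything up to the next Session-id line belongs to this session.
        end = heads[i + 1].start() if i + 1 < len(heads) else len(output)
        body = output[head.end():end]
        sess = {
            "session_id": int(head.group(1)),
            "status": head.group(2),
            "ike_count": int(head.group(3)),
            "child_count": int(head.group(4)),
            "local": None, "remote": None, "lifetime": None, "active": None,
        }
        tun = TUNNEL_RE.search(body)
        if tun:
            sess["local"], sess["remote"] = tun.group(2), tun.group(3)
        life = LIFE_RE.search(body)
        if life:
            sess["lifetime"], sess["active"] = int(life.group(1)), int(life.group(2))
        sessions.append(sess)
    return sessions


def stuck_sessions(sessions: List[Dict], grace_sec: int = 60) -> List[Dict]:
    """Match the signature from the post: IKE SA UP-IDLE with no child (IPsec) SA.
    grace_sec (an assumption) skips SAs that are only seconds old, whose child SA
    may still be negotiating, so a tunnel that is coming up is not torn down."""
    return [s for s in sessions
            if s["status"] == "UP-IDLE"
            and s["child_count"] == 0
            and (s["active"] or 0) >= grace_sec]


def remediation_commands(output: str, grace_sec: int = 60) -> List[str]:
    """The clear command the poster used, one per stuck peer."""
    return [f"clear crypto ikev2 sa {s['remote']}"
            for s in stuck_sessions(parse_ikev2_sas(output), grace_sec)]


def check_and_clear(run: Callable[[str], str], grace_sec: int = 60) -> List[str]:
    """One poll. run() is a caller-supplied hook (hypothetical, not a Cisco API)
    that sends one CLI line to the FTD, e.g. over SSH, and returns its output.
    Returns the commands that were issued."""
    issued = remediation_commands(run("show isakmp sa"), grace_sec)
    for cmd in issued:
        run(cmd)
    return issued


if __name__ == "__main__":
    # Offline demo: a fake device that always reports the stuck state.
    sent = []

    def fake_device(cmd: str) -> str:
        sent.append(cmd)
        return IDLE_OUTPUT if cmd == "show isakmp sa" else ""

    print(check_and_clear(fake_device))  # ['clear crypto ikev2 sa 198.51.100.20']
    print(sent)
```

Run it on a schedule shorter than the observed one-hour gap and log every command it issues: clearing the IKE SA drops whatever the tunnel is still carrying and hides the underlying IKE Delete, so the log of when the stuck state recurs (and the Life/Active Time values at that moment) is the evidence worth attaching to the Cisco case rather than the fix itself.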

Hello,

Just a thought: one of the IPsec options is, as far as I recall, the kilobytes lifetime:

Lifetime (kbytes)
The volume of traffic (in kilobytes) that can pass between IPsec peers using a given security association before it expires. The default is 4,608,000 kilobytes. Infinite data is not allowed.

You might want to check if that is the same on both devices, or change the value...

Hi Georg, the value is set to a higher number, the same as on the working firewall configuration, so on that side it should be OK.