IKEv2 Site to Site - ASA & Checkpoint

JHarris6117
Level 1

Community,

 

Need some help determining what is breaking a site to site between an ASA and a Checkpoint.

 

The tunnel comes up fine and stays established for a while, but randomly begins to experience an odd rekey that seems to bring down the tunnel and keeps it down while ESP discards occur for 15 minutes. (Note: there doesn't appear to be a fixed time between failures; it's random, sometimes days, sometimes weeks.)

 

Pretty sure the transform sets and timers and traffic selectors match on both sides.

 

Log synopsis:

1) Remote Peer requests a rekey

2) ASA drops SA w/ Reason: Unknown

3) For approximately 15 minutes, ASA logs show ESP request discarded for this peer

4) SA gets re-established after 15 minutes

 

<166>Mar 07 2019 09:46:52 L2LVPN : %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x545CF3A9) between <LocalPeerIP> and <RemotePeerIP> (user= <RemotePeerIP>) has been created.
<166>Mar 07 2019 09:46:52 L2LVPN : %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xD4176DE0) between <LocalPeerIP> and <RemotePeerIP> (user= <RemotePeerIP>) has been created.
<165>Mar 07 2019 09:46:52 L2LVPN : %ASA-5-750006: Local:<LocalPeerIP>:500 Remote:<RemotePeerIP>:500 Username:<RemotePeerIP> IKEv2 SA UP. Reason: New Connection Established
<167>Mar 07 2019 09:44:51 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:39:53 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:39:44 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:39:43 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:39:43 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:34:32 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:34:23 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:34:22 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:34:22 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:33:14 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:33:05 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:33:05 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:33:05 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:32:02 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:31:56 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:31:44 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:31:44 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:31:44 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:31:02 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:30:36 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:30:15 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:30:06 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:30:06 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:30:06 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:25:24 L2LVPN : %ASA-7-609002: Teardown local-host EXTERNAL:<RemotePeerIP> duration 0:04:02
<166>Mar 07 2019 09:23:28 L2LVPN : %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xA0447D31) between <LocalPeerIP> and <RemotePeerIP> (user= <RemotePeerIP>) has been deleted.
<166>Mar 07 2019 09:23:28 L2LVPN : %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x86EF6605) between <RemotePeerIP> and <LocalPeerIP> (user= <RemotePeerIP>) has been deleted.
<165>Mar 07 2019 09:23:28 L2LVPN : %ASA-5-750007: Local:<LocalPeerIP>:500 Remote:<RemotePeerIP>:500 Username:<RemotePeerIP> IKEv2 SA DOWN. Reason: unknown
<165>Mar 07 2019 09:21:22 L2LVPN : %ASA-5-750001: Local:<LocalPeerIP>:500 Remote:<RemotePeerIP>:500 Username:<RemotePeerIP> IKEv2 Received request to rekey an IPsec tunnel; local traffic selector = Address Range: 10.50.50.50-10.50.50.50 Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: 1.16.2.2-1.16.2.2 Protocol: 0 Port Range: 0-65535
<165>Mar 07 2019 02:20:40 L2LVPN : %ASA-5-750007: Local:<LocalPeerIP>:500 Remote:<RemotePeerIP>:500 Username:<RemotePeerIP> IKEv2 SA DOWN. Reason: Parent SA Rekeyed
<165>Mar 07 2019 02:20:40 L2LVPN : %ASA-5-750006: Local:<LocalPeerIP>:500 Remote:<RemotePeerIP>:500 Username:<RemotePeerIP> IKEv2 SA UP. Reason: Parent SA Rekeyed
<166>Mar 07 2019 02:14:51 L2LVPN : %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x86EF6605) between <LocalPeerIP> and <RemotePeerIP> (user= <RemotePeerIP>) has been created.
<166>Mar 07 2019 02:14:51 L2LVPN : %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xA0447D31) between <LocalPeerIP> and <RemotePeerIP> (user= <RemotePeerIP>) has been created.
<166>Mar 07 2019 01:51:21 L2LVPN : %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x8F2A723D) between <LocalPeerIP> and <RemotePeerIP> (user= <RemotePeerIP>) has been deleted.
<166>Mar 07 2019 01:51:21 L2LVPN : %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x105287B5) between <RemotePeerIP> and <LocalPeerIP> (user= <RemotePeerIP>) has been deleted.
<166>Mar 06 2019 18:21:11 L2LVPN : %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x8F2A723D) between <LocalPeerIP> and <RemotePeerIP> (user= <RemotePeerIP>) has been created.
<166>Mar 06 2019 18:21:11 L2LVPN : %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x105287B5) between <LocalPeerIP> and <RemotePeerIP> (user= <RemotePeerIP>) has been created.
<166>Mar 06 2019 18:21:11 L2LVPN : %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xEA931872) between <LocalPeerIP> and <RemotePeerIP> (user= <RemotePeerIP>) has been deleted.
<165>Mar 06 2019 18:21:11 L2LVPN : %ASA-5-750006: Local:<LocalPeerIP>:500 Remote:<RemotePeerIP>:500 Username:<RemotePeerIP> IKEv2 SA UP. Reason: New Connection Established
<166>Mar 06 2019 18:21:11 L2LVPN : %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xF54F89AF) between <RemotePeerIP> and <LocalPeerIP> (user= <RemotePeerIP>) has been deleted.
<165>Mar 06 2019 18:21:11 L2LVPN : %ASA-5-750007: Local:<LocalPeerIP>:500 Remote:<RemotePeerIP>:500 Username:<RemotePeerIP> IKEv2 SA DOWN. Reason: application initiated
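The log synopsis above describes one recognisable sequence: a rekey request from the remote peer (750001), the ASA dropping the IKEv2 SA with "Reason: unknown" (750007), a run of ESP discards (710006) while the tunnel is down, and finally a fresh SA (750006). The following parser and detector is an added example, not code from the original post or from Cisco; it assumes only the syslog line layout visible in the post (`<PRI>Mon DD YYYY HH:MM:SS HOST : %ASA-S-ID: message`) and treats the log as newest-first, as pasted, sorting it into chronological order before analysis. The embedded sample lines are a constructed subset of the lines quoted in the post, so a normal "Parent SA Rekeyed" cycle is present to show that it is not flagged.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Matches the ASA syslog layout shown in the post (assumption: single-host,
# no extra prefix fields). Group names are local to this example.
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) : %ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<msg>.*)$"
)


@dataclass
class AsaEvent:
    ts: datetime
    msgid: str
    msg: str


@dataclass
class RekeyOutage:
    rekey_requested: Optional[datetime]   # 750001 seen before the drop, if any
    sa_down: datetime                     # 750007 with "Reason: unknown"
    sa_up: Optional[datetime] = None      # next 750006 (new SA established)
    esp_discards: int = 0                 # 710006 lines while the SA was down

    @property
    def outage_seconds(self) -> Optional[float]:
        if self.sa_up is None:
            return None
        return (self.sa_up - self.sa_down).total_seconds()


def parse_asa_line(line: str) -> Optional[AsaEvent]:
    """Parse one ASA syslog line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    return AsaEvent(ts=ts, msgid=m.group("msgid"), msg=m.group("msg"))


def parse_asa_log(text: str) -> List[AsaEvent]:
    """Parse a pasted log and return events oldest-first (the post is newest-first)."""
    events = [e for e in (parse_asa_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e.ts)  # stable sort keeps same-second order
    return events


def find_rekey_outages(events: List[AsaEvent]) -> List[RekeyOutage]:
    """Detect the pattern from the post: rekey request -> SA DOWN (unknown) ->
    ESP discards -> SA UP. Ordinary 'Parent SA Rekeyed' cycles are ignored."""
    outages: List[RekeyOutage] = []
    pending_rekey: Optional[datetime] = None
    current: Optional[RekeyOutage] = None
    for e in events:
        if e.msgid == "750001" and "rekey" in e.msg:
            pending_rekey = e.ts
        elif e.msgid == "750007" and "Reason: unknown" in e.msg:
            current = RekeyOutage(rekey_requested=pending_rekey, sa_down=e.ts)
            pending_rekey = None
        elif e.msgid == "710006" and current is not None:
            current.esp_discards += 1
        elif e.msgid == "750006" and current is not None:
            current.sa_up = e.ts
            outages.append(current)
            current = None
    if current is not None:          # SA never came back within the log
        outages.append(current)
    return outages


# Constructed sample: a subset of the lines quoted in the post, newest-first.
SAMPLE_LOG = """
<165>Mar 07 2019 09:46:52 L2LVPN : %ASA-5-750006: Local:<LocalPeerIP>:500 Remote:<RemotePeerIP>:500 Username:<RemotePeerIP> IKEv2 SA UP. Reason: New Connection Established
<167>Mar 07 2019 09:44:51 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:39:43 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:34:22 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<167>Mar 07 2019 09:30:06 L2LVPN : %ASA-7-710006: ESP request discarded from <RemotePeerIP> to EXTERNAL:<LocalPeerIP>
<165>Mar 07 2019 09:23:28 L2LVPN : %ASA-5-750007: Local:<LocalPeerIP>:500 Remote:<RemotePeerIP>:500 Username:<RemotePeerIP> IKEv2 SA DOWN. Reason: unknown
<165>Mar 07 2019 09:21:22 L2LVPN : %ASA-5-750001: Local:<LocalPeerIP>:500 Remote:<RemotePeerIP>:500 Username:<RemotePeerIP> IKEv2 Received request to rekey an IPsec tunnel; local traffic selector = Address Range: 10.50.50.50-10.50.50.50 Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: 1.16.2.2-1.16.2.2 Protocol: 0 Port Range: 0-65535
<165>Mar 07 2019 02:20:40 L2LVPN : %ASA-5-750007: Local:<LocalPeerIP>:500 Remote:<RemotePeerIP>:500 Username:<RemotePeerIP> IKEv2 SA DOWN. Reason: Parent SA Rekeyed
<165>Mar 07 2019 02:20:40 L2LVPN : %ASA-5-750006: Local:<LocalPeerIP>:500 Remote:<RemotePeerIP>:500 Username:<RemotePeerIP> IKEv2 SA UP. Reason: Parent SA Rekeyed
"""


def analyze(text: str) -> List[RekeyOutage]:
    return find_rekey_outages(parse_asa_log(text))


if __name__ == "__main__":
    for o in analyze(SAMPLE_LOG):
        print(f"rekey requested {o.rekey_requested}, SA down {o.sa_down}, "
              f"SA up {o.sa_up}, {o.esp_discards} ESP discards, "
              f"outage {o.outage_seconds}s")
```

Running this over the sample reports one outage: rekey requested at 09:21:22, SA down at 09:23:28, four ESP discards, and recovery at 09:46:52 (1404 s). The 02:20:40 "Parent SA Rekeyed" pair is correctly left alone, which is the distinction worth keeping when turning this into a monitoring alert: a DOWN/UP pair with a rekey reason is routine, a DOWN with "Reason: unknown" followed by ESP discards is the failure mode the post describes.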

 

2 Replies

balaji.bandi
Hall of Fame

This is hard to say where it went wrong, so first level: what are the versions of the ASA and Checkpoint? If possible, post both sides' configuration to understand it better.

 

What are the logs on the Checkpoint side when the VPN tears down?

 

Do you see whether the underlay Internet or MPLS connection is OK at that time?

BB


Was anyone able to find a solution for this issue, or even understand what is going on?