07-19-2019 09:58 AM
Hello,
I currently have a Cisco 2911/K9 router with about 110 IKEv2 site-to-site tunnels configured. About 98% of them work seamlessly; however, we have about 3 clients that we continue to have intermittent issues with. I have set up debugs and embedded captures with Cisco TAC, but the root cause always seems to be unknown. With the few clients we are having the problems with, I have verified that all phase 1 and phase 2 settings match identically. Two of the clients are using ASAs and the other is using Check Point. One specific client is using an ASA and his side of the tunnel will occasionally go down; however, when I go to look at the tunnel, my side will show UP-ACTIVE. We use PSK for authentication with all clients; for phase 1 we are using AES-256, SHA-256, DH-14, 24-hour lifetime; for phase 2 we are using ESP, AES-256, SHA-256, lifetime 1 hour, no PFS.
Please ask any questions, I'll be happy to provide any information.
Thanks
07-19-2019 04:06 PM
07-20-2019 12:02 PM
I am interested in this part of the original post
One specific client is using an ASA and his side of the tunnel will occasionally go down; however, when I go to look at the tunnel, my side will show UP-ACTIVE.
What commands are you using to see this? Can you post that output? If you execute the command(s), wait a bit, and execute again, does the output change?
HTH
Rick
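Rick's suggestion to run the same show command twice and compare the output is a check that can be scripted. The following is an added example, not code from this thread or from Cisco: a Python script that parses two snapshots of `show crypto session` style output, reports peers whose session status or IPsec SA count changed between the snapshots, and lists peers whose IKEv2 SA is still reported Active while no IPsec SAs remain, which is the kind of one-sided state the original post describes. The sample output, peer addresses and subnets are constructed, and the layout is an approximation of IOS output, so the regular expressions may need adjusting for a real router.

```python
import re
from typing import Dict, List

# Two snapshots of "show crypto session" output, constructed for this example
# (not taken from the original poster's router). The layout approximates IOS.
SNAPSHOT_1 = """\
Crypto session current status

Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 203.0.113.10 port 500
  Session ID: 0
  IKEv2 SA: local 198.51.100.1/500 remote 203.0.113.10/500 Active
  IPSEC FLOW: permit ip 10.1.0.0/255.255.0.0 10.2.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map

Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 203.0.113.20 port 500
  Session ID: 0
  IKEv2 SA: local 198.51.100.1/500 remote 203.0.113.20/500 Active
  IPSEC FLOW: permit ip 10.1.0.0/255.255.0.0 10.3.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map
"""

# Second snapshot taken "a bit later": peer .10 has lost its IPsec SAs while
# the IKEv2 SA is still reported Active; peer .20 is unchanged.
SNAPSHOT_2 = """\
Crypto session current status

Interface: GigabitEthernet0/0
Session status: UP-IDLE
Peer: 203.0.113.10 port 500
  Session ID: 0
  IKEv2 SA: local 198.51.100.1/500 remote 203.0.113.10/500 Active
  IPSEC FLOW: permit ip 10.1.0.0/255.255.0.0 10.2.0.0/255.255.0.0
        Active SAs: 0, origin: crypto map

Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 203.0.113.20 port 500
  Session ID: 0
  IKEv2 SA: local 198.51.100.1/500 remote 203.0.113.20/500 Active
  IPSEC FLOW: permit ip 10.1.0.0/255.255.0.0 10.3.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map
"""

Session = Dict[str, object]


def parse_crypto_session(text: str) -> Dict[str, Session]:
    """Parse show-crypto-session style output into {peer_ip: session fields}."""
    sessions: Dict[str, Session] = {}
    # Each session block starts with an "Interface:" line; drop the header.
    for block in re.split(r"(?m)^Interface: ", text)[1:]:
        peer = re.search(r"^Peer: (\S+) port (\d+)", block, re.M)
        if not peer:
            continue
        status = re.search(r"^Session status: (\S+)", block, re.M)
        ike = re.search(r"^\s*IKEv2 SA: .* (\S+)$", block, re.M)  # last word = state
        sa_count = re.search(r"Active SAs: (\d+)", block)
        sessions[peer.group(1)] = {
            "status": status.group(1) if status else "UNKNOWN",
            "ike_sa": ike.group(1) if ike else "none",
            "active_sas": int(sa_count.group(1)) if sa_count else 0,
        }
    return sessions


def diff_snapshots(before: Dict[str, Session], after: Dict[str, Session]) -> List[str]:
    """Describe what changed per peer between two parsed snapshots."""
    findings: List[str] = []
    for peer in sorted(set(before) | set(after)):
        b, a = before.get(peer), after.get(peer)
        if b is None:
            findings.append(f"{peer}: session appeared ({a['status']})")
        elif a is None:
            findings.append(f"{peer}: session disappeared (was {b['status']})")
        else:
            if b["status"] != a["status"]:
                findings.append(f"{peer}: status {b['status']} -> {a['status']}")
            if b["active_sas"] != a["active_sas"]:
                findings.append(
                    f"{peer}: active IPsec SAs {b['active_sas']} -> {a['active_sas']}"
                )
    return findings


def ike_up_without_ipsec(sessions: Dict[str, Session]) -> List[str]:
    """Peers whose IKEv2 SA is still Active but that carry no IPsec SAs.

    This is the local view worth comparing against the peer's: the router
    still reports an IKE session even though no traffic can flow through it.
    """
    return sorted(
        p for p, s in sessions.items() if s["ike_sa"] == "Active" and s["active_sas"] == 0
    )


if __name__ == "__main__":
    first, second = parse_crypto_session(SNAPSHOT_1), parse_crypto_session(SNAPSHOT_2)
    for line in diff_snapshots(first, second):
        print("changed:", line)
    for peer in ike_up_without_ipsec(second):
        print("IKE up, no IPsec SAs:", peer)
```

To use it against a real device, save the two command outputs to files a few minutes apart and feed their contents to `parse_crypto_session` in place of the constructed strings; a peer that flips between snapshots while the other end reports the tunnel as down is the one worth capturing debugs for.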
07-22-2019 07:16 AM
07-22-2019 06:41 AM
07-23-2019 02:41 PM
07-24-2019 08:11 AM
Francesco, I will try to get the client to do a capture/debug, however sometimes the clients aren't always the most cooperative.
Thanks,
Steve