IKEv2 Tunnel reset after 24 Hours

Dear Members,

Please help me out with a behavior I am facing in my customer's network.

We are running IKEv2 on one of the GRE tunnels, and that tunnel keeps resetting every 24 hours. On the rest of the tunnels we are running IKEv1, but those tunnels don't get reset.

Can someone enlighten me as to why I am facing such a behavior?

Security association lifetime values are default.

7 Replies

Hi,
What devices are you using? Cisco IOS routers? On both ends?
When you say the tunnel is reset every 24 hours, do you mean the tunnel is down and you have to manually get it working again?
Do you have DPD configured?

Thanks for the response.

Please find your answers below:

Spoke site is CISCO881-SEC-K9

Hub is CISCO2921

DPD is configured.

crypto ikev2 dpd 40 5 on-demand

In general, tunnel uptime never goes beyond 24 hours. Once the tunnel uptime reaches 24 hours, its uptime timer starts again.

Are you referring to the IKEv2 timers? By default, these are 24 hours; after the timer expires, new IKEv2 SAs are negotiated and it starts again. That is to be expected.

Are you experiencing any downtime?
Which command are you running to view these timers?

I am running sh crypto session details to see the output, and yes, I am referring to the IKEv2 timers.

My concern is why, for the IKEv1 tunnels, the uptime is more than 24 hours, even though we have manually configured the security-association lifetime for 8 hours, while for IKEv2 it is never more than 24 hours.

I just want to know the logic.

As the tunnel uptime is less than 24 hours, I am not able to hand over the router to the other team.

IKE is the control plane; it is used to securely authenticate peers. If successful, a bi-directional tunnel is set up, through which the IPSec SA can be negotiated. Once the IPSec SA is successfully negotiated, 2 unidirectional IPSec SAs are created, and subsequently data is transmitted securely through the IPSec tunnel.

IKEv1 or v2 SAs are always regularly renegotiated; usually the lifetime is no more than 24 hours.

Unless you are saying the tunnel is dropping, the fact that the IKE SAs only ever last 24 hours is to be expected. New IKE SAs are negotiated for security reasons. You don't want IKE (either v1 or v2) SAs to last for much longer than 24 hours.

I think so too, but I am not able to figure out why the IKEv1 tunnel uptime is more than 24 hours.

I just want to know one thing: suppose no traffic goes via the IKEv2 tunnel for the last 24 hours; will the IKEv2 tunnel uptime timer reset then?

Without seeing the configuration of your other IKEv1 tunnels I won't be able to say. They are separate protocols, and behave differently.

The uptime counter displayed when you run "show crypto session detail" refers to how long it has been since this SA was rekeyed/renegotiated. It is reset to zero once a new IKEv2 SA has been created. The lifetime counter displays how long is left until rekeying/renegotiation.

When the IKEv2 rekeying takes place, the tunnel does not drop and traffic is sent/received without disruption.

I can see why the uptime counter could be misinterpreted.

HTH
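The relationship the reply above describes (uptime counts up from the last rekey, lifetime counts down to the next one, and the two together cover the configured IKEv2 SA lifetime) can be checked mechanically. The Python below is an added example, not code from the thread or from Cisco; the sample "show crypto session detail" text is constructed, and its exact field layout is an assumption modelled on IOS output rather than copied from the page.

```python
import re

# Constructed sample of "show crypto session detail" output for one IKEv2
# session. The layout is an assumption modelled on IOS output; the values
# were chosen so that uptime + remaining lifetime equals the default 24h.
SAMPLE_OUTPUT = """\
Interface: Tunnel0
Uptime: 05:12:44
Session status: UP-ACTIVE
Peer: 192.0.2.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 192.0.2.2
      Desc: (none)
  Session ID: 3
  IKEv2 SA: local 192.0.2.1/500 remote 192.0.2.2/500 Active
          Capabilities:D connid:1 lifetime:18:47:16
  IPSEC FLOW: permit 47 host 192.0.2.1 host 192.0.2.2
        Active SAs: 2, origin: crypto map
"""

DEFAULT_IKEV2_LIFETIME_S = 24 * 3600  # IOS default IKEv2 SA lifetime (86400 s)


def hms_to_seconds(text):
    """Convert an hh:mm:ss counter (hours may exceed 99) to seconds."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_session(output):
    """Pull the session status, uptime (seconds since the last rekey) and
    IKEv2 SA lifetime remaining (seconds until the next rekey) out of the
    show output. Raises ValueError if a field is missing."""
    uptime = re.search(r"^Uptime:\s+(\d+:\d{2}:\d{2})", output, re.MULTILINE)
    lifetime = re.search(r"lifetime:(\d+:\d{2}:\d{2})", output)
    status = re.search(r"^Session status:\s+(\S+)", output, re.MULTILINE)
    if not (uptime and lifetime and status):
        raise ValueError("uptime, lifetime or session status not found")
    return {
        "status": status.group(1),
        "uptime_s": hms_to_seconds(uptime.group(1)),
        "lifetime_left_s": hms_to_seconds(lifetime.group(1)),
    }


def implied_lifetime(session):
    """Uptime plus remaining lifetime: the SA lifetime the counters imply."""
    return session["uptime_s"] + session["lifetime_left_s"]


def is_scheduled_rekey(session, configured_lifetime_s=DEFAULT_IKEV2_LIFETIME_S,
                       tolerance_s=120):
    """True when the counters line up with the configured lifetime, i.e. the
    uptime reset you will see at 24h is the planned rekey. A counter pair
    that does not add up to the configured lifetime (or a status other than
    UP-ACTIVE) is worth checking against the router's syslog instead."""
    drift = abs(implied_lifetime(session) - configured_lifetime_s)
    return session["status"] == "UP-ACTIVE" and drift <= tolerance_s


if __name__ == "__main__":
    session = parse_session(SAMPLE_OUTPUT)
    print(session)
    print("implied lifetime (s):", implied_lifetime(session))
    print("next uptime reset in (s):", session["lifetime_left_s"])
    print("consistent with scheduled rekey:", is_scheduled_rekey(session))
```

Run it and the implied lifetime comes out at 86400 s, which is exactly why the uptime counter never shows more than 24 hours on an IKEv2 session with default timers: the "reset" is the lifetime counter reaching zero and a fresh SA being installed. To compare against the IKEv1 tunnels, pass the lifetime actually configured for the SA being inspected as `configured_lifetime_s`.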