
IPSEC SA lifetime and tunnel up down

yangminbo
Level 1

The first question:

My SA lifetime is 28800s, my peer lifetime is 120s

.Dec 26 2022 19:35:03.366 HKT: ISAKMP: (71062): SA life type in seconds
.Dec 26 2022 19:35:03.366 HKT: ISAKMP: (71062): SA life duration (basic) of 28800

.Dec 26 2022 19:35:03.369 HKT: ISAKMP: (71062): responder lifetime of 120s
.Dec 26 2022 19:35:03.369 HKT: ISAKMP: (71062):responder lifetime of 4608000kb

When the SA was created, its lifetime was 110s, as follows. Why?

.Dec 26 2022 19:35:03.369 HKT: IPSEC(create_sa): sa created,
(sa) sa_dest= 183.91.147.49, sa_proto= 50,
sa_spi= 0x4A3D005E(1245511774),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 42477
sa_lifetime(k/sec)= (0/110),
(identity) local= 183.91.147.49:0, remote= 218.247.143.199:0,
local_proxy= 10.122.104.113/255.255.255.255/47/0,
remote_proxy= 10.122.104.114/255.255.255.255/47/0
.Dec 26 2022 19:35:03.369 HKT: IPSEC(create_sa): sa created,
(sa) sa_dest= 218.247.143.199, sa_proto= 50,
sa_spi= 0xE5406878(3846203512),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 42478
sa_lifetime(k/sec)= (0/110),


The second question:

My IPsec tunnel goes up and down frequently. I have collected some debug information, as follows.

It was down at 19:37:40.691

[BEGIN] 2022/12/26 19:34:13
e:183.91.147.49 remote_id:315482820-PI-E01 IKE profile:315482820-PI-E01 fvrf:None fail_reason:Peer lost fail_class_cnt:1
.Dec 26 2022 19:34:27.122 HKT: %CRYPTO-5-IKMP_SETUP_FAILURE: IKE SETUP FAILED for local:59.46.197.238 local_id:59.46.197.238 remote:183.91.147.49 remote_id:315482820-PI-E01 IKE profile:315482820-PI-E01 fvrf:None fail_reason:Peer lost fail_class_cnt:2
.Dec 26 2022 19:34:33.369 HKT: ISAKMP: (71062):purging node 2880429118
.Dec 26 2022 19:34:34.189 HKT: %CRYPTO-5-IKMP_SETUP_FAILURE: IKE SETUP FAILED for local:110.180.240.68 local_id:110.180.240.68 remote:183.91.147.49 remote_id:183.91.147.49 IKE profile:None fvrf:None fail_reason:Proposal failure fail_class_cnt:1
.Dec 26 2022 19:34:38.820 HKT: ISAKMP: (71062):purging node 2616265482
.Dec 26 2022 19:34:57.181 HKT: %CRYPTO-5-IKMP_SETUP_FAILURE: IKE SETUP FAILED for local:59.46.197.238 local_id:59.46.197.238 remote:183.91.147.49 remote_id:315482820-PI-E01 IKE profile:315482820-PI-E01 fvrf:None fail_reason:Peer lost fail_class_cnt:1
.Dec 26 2022 19:35:03.304 HKT: IPSEC(lifetime_expiry): SA lifetime threshold reached, expiring in 30 seconds
.Dec 26 2022 19:35:03.304 HKT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 183.91.147.49:4500, remote= 218.247.143.199:22243,
local_proxy= 10.122.104.113/255.255.255.255/47/0,
remote_proxy= 10.122.104.114/255.255.255.255/47/0,
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 28800s and 4294967295kb,
spi= 0x6FADAE80(1873653376), conn_id= 0, keysize= 0, flags= 0x0
.Dec 26 2022 19:35:03.305 HKT: ISAKMP: (71062):set new node 0 to QM_IDLE
.Dec 26 2022 19:35:03.305 HKT: ISAKMP: (71062):SA has outstanding requests (local 183.91.147.49 port 4500, remote 218.247.143.199 port 22243)
.Dec 26 2022 19:35:03.305 HKT: ISAKMP: (71062):sitting IDLE. Starting QM immediately (QM_IDLE )
.Dec 26 2022 19:35:03.305 HKT: ISAKMP: (71062):beginning Quick Mode exchange, M-ID of 1635504746
.Dec 26 2022 19:35:03.306 HKT: ISAKMP: (71062):QM Initiator gets spi
.Dec 26 2022 19:35:03.307 HKT: ISAKMP-PAK: (71062):sending packet to 218.247.143.199 my_port 4500 peer_port 22243 (R) QM_IDLE
.Dec 26 2022 19:35:03.307 HKT: ISAKMP: (71062):Sending an IKE IPv4 Packet.
.Dec 26 2022 19:35:03.307 HKT: ISAKMP: (71062):Node 1635504746, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
.Dec 26 2022 19:35:03.307 HKT: ISAKMP: (71062):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
.Dec 26 2022 19:35:03.366 HKT: ISAKMP-PAK: (71062):received packet from 218.247.143.199 dport 4500 sport 22243 Global (R) QM_IDLE
.Dec 26 2022 19:35:03.366 HKT: ISAKMP: (71062):processing HASH payload. message ID = 1635504746
.Dec 26 2022 19:35:03.366 HKT: ISAKMP: (71062):processing SA payload. message ID = 1635504746
.Dec 26 2022 19:35:03.366 HKT: ISAKMP: (71062):Checking IPSec proposal 1
.Dec 26 2022 19:35:03.366 HKT: ISAKMP: (71062):transform 1, ESP_3DES
.Dec 26 2022 19:35:03.366 HKT: ISAKMP: (71062): attributes in transform:
.Dec 26 2022 19:35:03.366 HKT: ISAKMP: (71062): encaps is 3 (Tunnel-UDP)
.Dec 26 2022 19:35:03.366 HKT: ISAKMP: (71062): SA life type in seconds
.Dec 26 2022 19:35:03.366 HKT: ISAKMP: (71062): SA life duration (basic) of 28800
.Dec 26 2022 19:35:03.366 HKT: ISAKMP: (71062): SA life type in kilobytes
.Dec 26 2022 19:35:03.366 HKT: ISAKMP: SA life duration (VPI) of 0xFF 0xFF 0xFF 0xFF
.Dec 26 2022 19:35:03.367 HKT: ISAKMP: (71062): authenticator is HMAC-SHA
.Dec 26 2022 19:35:03.367 HKT: ISAKMP: (71062): group is 2
.Dec 26 2022 19:35:03.367 HKT: ISAKMP: (71062):atts are acceptable.
.Dec 26 2022 19:35:03.367 HKT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 183.91.147.49:0, remote= 218.247.143.199:0,
local_proxy= 10.122.104.113/255.255.255.255/47/0,
remote_proxy= 10.122.104.114/255.255.255.255/47/0,
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
.Dec 26 2022 19:35:03.367 HKT: (ipsec_process_proposal)Map Accepted: 315434320-E01, 1
.Dec 26 2022 19:35:03.367 HKT: ISAKMP: (71062):processing NONCE payload. message ID = 1635504746
.Dec 26 2022 19:35:03.367 HKT: ISAKMP: (71062):processing KE payload. message ID = 1635504746
.Dec 26 2022 19:35:03.368 HKT: ISAKMP: (71062):processing ID payload. message ID = 1635504746
.Dec 26 2022 19:35:03.368 HKT: ISAKMP: (71062):processing ID payload. message ID = 1635504746
.Dec 26 2022 19:35:03.369 HKT: ISAKMP: (71062):processing NOTIFY RESPONDER_LIFETIME protocol 3
spi 3846203512, message ID = 1635504746, sa = 0x80007FC5B95F5CC8
.Dec 26 2022 19:35:03.369 HKT: ISAKMP: (71062):processing responder lifetime
.Dec 26 2022 19:35:03.369 HKT: ISAKMP: (71062): responder lifetime of 120s
.Dec 26 2022 19:35:03.369 HKT: ISAKMP: (71062):responder lifetime of 4608000kb
.Dec 26 2022 19:35:03.369 HKT: ISAKMP: (71062):Node 1635504746, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
.Dec 26 2022 19:35:03.369 HKT: ISAKMP: (71062):Old State = IKE_QM_I_QM1 New State = IKE_QM_IPSEC_INSTALL_AWAIT
.Dec 26 2022 19:35:03.369 HKT: IPSEC(create_sa): sa created,
(sa) sa_dest= 183.91.147.49, sa_proto= 50,
sa_spi= 0x4A3D005E(1245511774),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 42477
sa_lifetime(k/sec)= (0/110),
(identity) local= 183.91.147.49:0, remote= 218.247.143.199:0,
local_proxy= 10.122.104.113/255.255.255.255/47/0,
remote_proxy= 10.122.104.114/255.255.255.255/47/0
.Dec 26 2022 19:35:03.369 HKT: IPSEC(create_sa): sa created,
(sa) sa_dest= 218.247.143.199, sa_proto= 50,
sa_spi= 0xE5406878(3846203512),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 42478
sa_lifetime(k/sec)= (0/110),
(identity) local= 183.91.147.49:0, remote= 218.247.143.199:0,
local_proxy= 10.122.104.113/255.255.255.255/47/0,
remote_proxy= 10.122.104.114/255.255.255.255/47/0
.Dec 26 2022 19:35:03.371 HKT: IPSEC(update_current_outbound_sa): updated peer 218.247.143.199 current outbound sa to SPI E5406878
.Dec 26 2022 19:35:03.373 HKT: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
.Dec 26 2022 19:35:03.373 HKT: ISAKMP: (71062):Received IPSec Install callback... proceeding with the negotiation
.Dec 26 2022 19:35:03.373 HKT: ISAKMP: (71062):Successfully installed IPSEC SA (SPI:0x4A3D005E) on GigabitEthernet0/0/1.1300
.Dec 26 2022 19:35:03.373 HKT: ISAKMP-PAK: (71062):sending packet to 218.247.143.199 my_port 4500 peer_port 22243 (R) QM_IDLE
.Dec 26 2022 19:35:03.373 HKT: ISAKMP: (71062):Sending an IKE IPv4 Packet.
.Dec 26 2022 19:35:03.373 HKT: ISAKMP: (71062):deleting node 1635504746 error FALSE reason "No Error"
.Dec 26 2022 19:35:03.373 HKT: ISAKMP: (71062):Node 1635504746, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
.Dec 26 2022 19:35:03.373 HKT: ISAKMP: (71062):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_PHASE2_COMPLETE
.Dec 26 2022 19:35:43.949 HKT: IPSEC(delete_sa): SA found saving DEL kmi
.Dec 26 2022 19:36:23.308 HKT: IPSEC(lifetime_expiry): SA lifetime threshold reached, expiring in 30 seconds
.Dec 26 2022 19:36:23.308 HKT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 183.91.147.49:4500, remote= 218.247.143.199:22243,
local_proxy= 10.122.104.113/255.255.255.255/47/0,
remote_proxy= 10.122.104.114/255.255.255.255/47/0,
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 28800s and 4294967295kb,
spi= 0x4A3D005E(1245511774), conn_id= 0, keysize= 0, flags= 0x0
.Dec 26 2022 19:36:53.308 HKT: IPSEC:(SESSION ID = 91993) (key_engine) request timer fired: count = 1,
(identity) local= 183.91.147.49:0, remote= 218.247.143.199:0,
local_proxy= 10.122.104.113/255.255.255.255/47/0,
remote_proxy= 10.122.104.114/255.255.255.255/47/0
.Dec 26 2022 19:36:53.308 HKT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 183.91.147.49:4500, remote= 218.247.143.199:22243,
local_proxy= 10.122.104.113/255.255.255.255/47/0,
remote_proxy= 10.122.104.114/255.255.255.255/47/0,
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 28800s and 4294967295kb,
spi= 0x4A3D005E(1245511774), conn_id= 0, keysize= 0, flags= 0x0
.Dec 26 2022 19:37:04.159 HKT: IPSEC:(SESSION ID = 91993) (delete_sa) SA found saving DEL kmi
.Dec 26 2022 19:37:04.159 HKT: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_lista
.Dec 26 2022 19:37:40.691 HKT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel155601, changed state to down
.Dec 26 2022 19:37:40.692 HKT: %BGP-5-NBR_RESET: Neighbor 10.122.103.114 reset (Interface flap)
.Dec 26 2022 19:37:40.708 HKT: %BGP-5-ADJCHANGE: neighbor 10.122.103.114 vpn vrf 315434320-E01 Down Interface flap
.Dec 26 2022 19:37:40.708 HKT: %BGP_SESSION-5-ADJCHANGE: neighbor 10.122.103.114 IPv4 Unicast vpn vrf 315434320-E01 topology base removed from session Interface flap
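
The lifetimes and timers in the debug output above can be extracted and compared mechanically. The following is an added example, not part of the original post or of any Cisco tool; the function names `analyze` and `summarize` are hypothetical, and the sample is a constructed subset of the posted lines.

```python
import re
from datetime import datetime
# Constructed sample: a subset of the debug lines posted above.
SAMPLE = """\
.Dec 26 2022 19:35:03.304 HKT: IPSEC(lifetime_expiry): SA lifetime threshold reached, expiring in 30 seconds
.Dec 26 2022 19:35:03.366 HKT: ISAKMP: (71062): SA life type in seconds
.Dec 26 2022 19:35:03.366 HKT: ISAKMP: (71062): SA life duration (basic) of 28800
.Dec 26 2022 19:35:03.369 HKT: ISAKMP: (71062): responder lifetime of 120s
.Dec 26 2022 19:35:03.369 HKT: IPSEC(create_sa): sa created,
sa_lifetime(k/sec)= (0/110),
.Dec 26 2022 19:36:23.308 HKT: IPSEC(lifetime_expiry): SA lifetime threshold reached, expiring in 30 seconds
.Dec 26 2022 19:37:40.691 HKT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel155601, changed state to down
"""

STAMP = re.compile(r"^\.?(\w{3} +\d+ \d{4} [\d:.]+) \w+: ")

def analyze(text):
    """Extract proposed, peer-notified and installed SA lifetimes plus event times."""
    r = {}
    now, in_seconds = None, False
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:  # continuation lines carry no timestamp and inherit the previous one
            now = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S.%f")
        if "SA life type in" in line:
            in_seconds = line.rstrip().endswith("seconds")
        elif (m := re.search(r"SA life duration \(basic\) of (\d+)", line)) and in_seconds:
            r["proposed"] = int(m.group(1))       # what the local side offered
        elif m := re.search(r"responder lifetime of (\d+)s", line):
            r["responder"] = int(m.group(1))      # RESPONDER_LIFETIME notify from the peer
        elif (m := re.search(r"sa_lifetime\(k/sec\)= \(\d+/(\d+)\)", line)) and "installed" not in r:
            r["installed"], r["created"] = int(m.group(1)), now
        elif (m := re.search(r"expiring in (\d+) seconds", line)) and "created" in r and "threshold_at" not in r:
            r["threshold_at"], r["lead"] = now, int(m.group(1))  # first rekey trigger after install
        elif "%LINEPROTO-5-UPDOWN" in line and "changed state to down" in line:
            r["down_at"] = now
    return r

def summarize(r):
    """Derive the figures to compare when the two peers' lifetimes disagree."""
    return {
        "peer_shorter_than_local": r["responder"] < r["proposed"],
        "installed_minus_responder": r["installed"] - r["responder"],
        "rekey_started_after_s": round((r["threshold_at"] - r["created"]).total_seconds()),
        "installed_minus_lead_s": r["installed"] - r["lead"],
        "down_after_s": round((r["down_at"] - r["created"]).total_seconds()),
    }

print(summarize(analyze(SAMPLE)))
```

On the posted lines, the rekey request starts 80 s after the SA is created, which matches the installed 110 s minus the 30 s threshold in the log, and the tunnel interface goes down 157 s after creation.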

2 Replies

Do you run IKEv2?
If yes, then I have seen many IT engineers face the same issue. I think I have found a solution, but I need to lab it to check. If I succeed, I will share it here so that everyone knows how to solve this issue.
MHM 

We look forward to your reply, thanks.