06-04-2019 01:50 AM - edited 02-21-2020 09:39 PM
Hello,
We are having some issues with an L2L VPN (IKEv2/IPsec) between two ASAs (5510 and 5506).
The ASA 5510 has a static IP and the 5506 a dynamic IP.
After X time the tunnel goes down, and we see on the static (5510) side that "Username unknown" is logged for IKEv2.
After Y time the tunnel comes back up, and the logs show that a username is now used - no changes made!
Releases:
5510 asa917-32-k8.bin
5506 asa9-12-1-lfbff-k8.SPA
Configuration 5510:
crypto dynamic-map DM_NMC_AHUS-CAMPING 1 match address NMC_AHUS-CAMPING_CRYMAP
crypto dynamic-map DM_NMC_AHUS-CAMPING 1 set ikev2 ipsec-proposal AES256 AES AES192 DES 3DES
!
crypto map VPN 65500 ipsec-isakmp dynamic DM_NMC_AHUS-CAMPING
!
crypto map VPN interface outside
!
tunnel-group AHUS_CAMPING-TUNNLE-GROUP type ipsec-l2l
tunnel-group AHUS_CAMPING-TUNNLE-GROUP general-attributes
 default-group-policy AHUS_CAMPING-GROUP-POLICY
tunnel-group AHUS_CAMPING-TUNNLE-GROUP ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
group-policy AHUS_CAMPING-GROUP-POLICY internal
group-policy AHUS_CAMPING-GROUP-POLICY attributes
 vpn-tunnel-protocol ikev2
!
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
!
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
!
crypto ikev2 enable outside client-services port 444
Configuration 5506:
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE
!
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
!
crypto isakmp identity key-id AHUS_CAMPING-TUNNLE-GROUP
!
crypto ikev2 enable OUTSIDE
!
crypto map IPSEC-VPN 1 match address NMC_AHUS-CAMPING_CRYMAP
crypto map IPSEC-VPN 1 set pfs group5
crypto map IPSEC-VPN 1 set peer x.x.x.x
crypto map IPSEC-VPN 1 set ikev2 ipsec-proposal AES256
crypto map IPSEC-VPN interface OUTSIDE
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy AHUS_CAMPING-GROUP-POLICY
tunnel-group x.x.x.x ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
group-policy AHUS_CAMPING-GROUP-POLICY internal
group-policy AHUS_CAMPING-GROUP-POLICY attributes
 vpn-tunnel-protocol ikev2
Has anybody else had this problem?
//Cristian
10-22-2019 04:07 AM
Update to this in case anyone experiences the same problem.
The fault turned out not to be configuration or ASA related at all.
The ISP for the "branch site" has dual devices with a 3G backup.
When traffic fails over to 3G for whatever reason and then switches back to the cable/fiber provider, the 3G router keeps some sort of NAT cache, and that is what causes this problem. When the ISP clears the NAT in the 3G router, it starts working again.
//CN
06-04-2019 06:46 PM - edited 06-04-2019 07:46 PM
Looks like PFS is missing from the 5510 dynamic map:
crypto dynamic-map DM_NMC_AHUS-CAMPING 1 set pfs group5
Configure the line above; if the problem persists, enable a conditional IKEv2 debug [platform|protocol] for the peer in question.
HTH
06-05-2019 12:22 AM
Hello and thank you for reply.
I have added the suggested line and will monitor and get back to you if the problem reoccurs.
//Cristian
06-05-2019 06:25 AM
OK, so the tunnel went down again with the same error.
For reference: x.x.x.x is the remote site, y.y.y.y is the local site (static IP).
From the ASDM debugging log:
Local:y.y.y.y:500 Remote:x.x.x.x:512 Username:Unknown IKEv2 Negotiation aborted due to ERROR: Failed to receive the AUTH msg before the timer expired
Logging for IKEv2 is attached.
debug crypto ipsec enabled at level 255
debug crypto ikev2 protocol enabled at level 255
debug crypto ikev2 platform enabled at level 255
debug crypto ikev2 ha enabled at level 255
I have no idea what to do here...
//Cristian
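The one log line quoted above already carries the hint that the accepted answer later confirms: the 5510 sees the branch's IKE traffic arriving from UDP port 512 (Remote:x.x.x.x:512), not from 500 or 4500, which means a device between the two ASAs is rewriting the branch's source port, and the AUTH exchange then never completes. The script below is an added example, not part of the thread or of any Cisco tool: it parses ASA IKEv2 syslog bodies in the "Local:... Remote:... Username:... IKEv2 ..." shape shown above, groups them by remote peer, and flags (a) IKE from a non-standard source port, (b) "Failed to receive the AUTH msg" timeouts, and (c) a peer that alternates between Username:Unknown and a matched tunnel-group name. The sample log lines are constructed with RFC 5737 documentation addresses, and the "Negotiation completed" message text is an assumed placeholder, not a verbatim ASA message.

```python
import re
from collections import defaultdict

# Pattern for the ASA IKEv2 syslog body quoted in the thread, e.g.
# "Local:y.y.y.y:500 Remote:x.x.x.x:512 Username:Unknown IKEv2 Negotiation aborted due to ERROR: ..."
IKEV2_RE = re.compile(
    r"Local:(?P<local>[^:\s]+):(?P<lport>\d+)\s+"
    r"Remote:(?P<remote>[^:\s]+):(?P<rport>\d+)\s+"
    r"Username:(?P<user>\S+)\s+IKEv2\s+(?P<msg>.*)$"
)

# UDP ports IKE legitimately uses: 500 (IKE) and 4500 (NAT-T). Anything else on the
# responder side means the initiator's source port was translated in transit.
IKE_PORTS = {500, 4500}
AUTH_TIMEOUT = "Failed to receive the AUTH msg"

# Constructed sample log (documentation addresses; message text of the "good" lines is assumed).
SAMPLE_LOG = [
    "Local:198.51.100.10:500 Remote:203.0.113.25:512 Username:Unknown IKEv2 Negotiation aborted due to ERROR: Failed to receive the AUTH msg before the timer expired",
    "Local:198.51.100.10:500 Remote:203.0.113.25:512 Username:Unknown IKEv2 Negotiation aborted due to ERROR: Failed to receive the AUTH msg before the timer expired",
    "Local:198.51.100.10:500 Remote:203.0.113.25:500 Username:AHUS_CAMPING-TUNNLE-GROUP IKEv2 Negotiation completed",
    "Local:198.51.100.10:500 Remote:192.0.2.77:4500 Username:OTHER-SITE IKEv2 Negotiation completed",
    "%ASA-6-302020: Built inbound ICMP connection for faddr 192.0.2.9/0 gaddr 198.51.100.10/0",
]


def parse_line(line):
    """Return a dict with local/remote address and port, username and message, or None."""
    m = IKEV2_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["lport"] = int(ev["lport"])
    ev["rport"] = int(ev["rport"])
    return ev


def analyze(lines):
    """Group IKEv2 events per remote peer and return the findings a practitioner would check first."""
    peers = defaultdict(lambda: {"ports": set(), "users": set(), "unknown_user": 0, "auth_timeouts": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not an IKEv2 negotiation line
        p = peers[ev["remote"]]
        p["ports"].add(ev["rport"])
        if ev["user"] == "Unknown":
            p["unknown_user"] += 1
        else:
            p["users"].add(ev["user"])
        if AUTH_TIMEOUT in ev["msg"]:
            p["auth_timeouts"] += 1

    findings = {}
    for remote, p in peers.items():
        flags = []
        translated = sorted(port for port in p["ports"] if port not in IKE_PORTS)
        if translated:
            flags.append(f"IKE arrives from translated UDP source port(s) {translated}: a NAT device sits between the peers")
        if p["auth_timeouts"]:
            flags.append(f"{p['auth_timeouts']} IKE_AUTH timeout(s): the IKE_SA_INIT reply or the AUTH request is being lost in transit")
        if p["unknown_user"] and p["users"]:
            flags.append("same peer alternates between Username:Unknown and a matched tunnel-group: the path, not the tunnel-group config, changes between attempts")
        findings[remote] = {
            "ports": sorted(p["ports"]),
            "users": sorted(p["users"]),
            "unknown_user": p["unknown_user"],
            "auth_timeouts": p["auth_timeouts"],
            "flags": flags,
        }
    return findings


if __name__ == "__main__":
    for remote, f in analyze(SAMPLE_LOG).items():
        print(remote, f["ports"], f["users"])
        for flag in f["flags"]:
            print("  -", flag)
```

Run it against "show logging" output (or an exported ASDM log) filtered to the peer in question; a peer that is only ever seen from 500 or 4500 and still times out on AUTH points at a pre-shared-key or proposal mismatch instead, which the conditional IKEv2 debug suggested earlier in the thread will show.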