Solved: Re: Need help troubleshooting IKEv2-IPSEC L2L Static-Dynamic between ASA

Cristian Nilsson · ‎06-04-2019

Hello,

We are having some issues with L2L VPN IKEv2 IPSEC between two ASAs (5510 and 5506).

ASA 5510 is static IP and 5506 dynamic IP.

After X time, tunnel goes down and we see in static (5510) side that a "Username unknown" is logged for IKEv2.
After Y time, the tunnel comes back up and logs show that a username now is used - no changes made!

Releases:
5510 asa917-32-k8.bin
5506 asa9-12-1-lfbff-k8.SPA

Configuration 5510:

crypto dynamic-map DM_NMC_AHUS-CAMPING 1 match address NMC_AHUS-CAMPING_CRYMAP
crypto dynamic-map DM_NMC_AHUS-CAMPING 1 set ikev2 ipsec-proposal AES256 AES AES192 DES 3DES
!
crypto map VPN 65500 ipsec-isakmp dynamic DM_NMC_AHUS-CAMPING
!
crypto map VPN interface outside
!
tunnel-group AHUS_CAMPING-TUNNLE-GROUP type ipsec-l2l
tunnel-group AHUS_CAMPING-TUNNLE-GROUP general-attributes
default-group-policy AHUS_CAMPING-GROUP-POLICY
tunnel-group AHUS_CAMPING-TUNNLE-GROUP ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
group-policy AHUS_CAMPING-GROUP-POLICY internal
group-policy AHUS_CAMPING-GROUP-POLICY attributes
vpn-tunnel-protocol ikev2 
!
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
!
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
!
crypto ikev2 enable outside client-services port 444

Configuration 5506:

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable OUTSIDE
!
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
!
crypto isakmp identity key-id AHUS_CAMPING-TUNNLE-GROUP
!
crypto ikev2 enable OUTSIDE
!
crypto map IPSEC-VPN 1 match address NMC_AHUS-CAMPING_CRYMAP
crypto map IPSEC-VPN 1 set pfs group5
crypto map IPSEC-VPN 1 set peer x.x.x.x
crypto map IPSEC-VPN 1 set ikev2 ipsec-proposal AES256
crypto map IPSEC-VPN interface OUTSIDE
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
default-group-policy AHUS_CAMPING-GROUP-POLICY
tunnel-group x.x.x.x ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
group-policy AHUS_CAMPING-GROUP-POLICY internal
group-policy AHUS_CAMPING-GROUP-POLICY attributes
vpn-tunnel-protocol ikev2

Anybody else had this problem?...

//Cristian

Cristian Nilsson · ‎10-22-2019

Update to this if anyone experience the same problems.

The fault is shown no to be a configuration or ASA related at all.

The ISP for "Branch site" has dual devices with a 3G backup.

When traffic changes to 3G for whatever reason and then changes back to cable/fiber provider 3G router keeps some sort of nat cache and is causing this problem. When ISP clears nat in 3G router it starts working again.

//CN

View solution in original post

Pablo · ‎06-04-2019

Looks like PFS is missing from the 5510 dynamic map:

crypto dynamic-map DM_NMC_AHUS-CAMPING 1 set pfs group5

Configure the line above, if the problem persists, enable a conditional IKEv2 debug [platform|protocol] for the peer in question.

HTH

Cristian Nilsson · ‎06-05-2019

Hello and thank you for reply.

I have added the suggested line and will monitor and get back to you if problem reoccur.

//Cristian

Cristian Nilsson · ‎06-05-2019

Ok so the tunnel went down again with same error.

For reference: x.x.x.x is remote site y.y.y.y is local site (static ip).

From ASDM Debugging log:

Local:y.y.y.y:500 Remote:x.x.x.x:512 Username:Unknown IKEv2 Negotiation aborted due to ERROR: Failed to receive the AUTH msg before the timer expired

Logging for IKEv2 is attached.

debug crypto ipsec enabled at level 255
debug crypto ikev2 protocol enabled at level 255
debug crypto ikev2 platform enabled at level 255
debug crypto ikev2 ha enabled at level 255

I have no idea what to do here...

//Cristian

Cristian Nilsson · ‎10-22-2019

Update to this if anyone experience the same problems.

The fault is shown no to be a configuration or ASA related at all.

The ISP for "Branch site" has dual devices with a 3G backup.

When traffic changes to 3G for whatever reason and then changes back to cable/fiber provider 3G router keeps some sort of nat cache and is causing this problem. When ISP clears nat in 3G router it starts working again.

//CN