Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1002
Views
0
Helpful
4
Replies
Cristian Nilsson
Beginner
Beginner
‎06-04-2019 01:50 AM
‎06-04-2019 01:50 AM

Need help troubleshooting IKEv2-IPSEC L2L Static-Dynamic between ASA

Hello,

 

We are having some issues with L2L VPN IKEv2 IPSEC between two ASAs (5510 and 5506).

 

ASA 5510 is static IP and 5506 dynamic IP.

 

After X time, tunnel goes down and we see in static (5510) side that a "Username unknown" is logged for IKEv2.
After Y time, the tunnel comes back up and logs show that a username now is used - no changes made!

 

Releases:
5510 asa917-32-k8.bin
5506 asa9-12-1-lfbff-k8.SPA

 

Configuration 5510:

 

crypto dynamic-map DM_NMC_AHUS-CAMPING 1 match address NMC_AHUS-CAMPING_CRYMAP
crypto dynamic-map DM_NMC_AHUS-CAMPING 1 set ikev2 ipsec-proposal AES256 AES AES192 DES 3DES
!
crypto map VPN 65500 ipsec-isakmp dynamic DM_NMC_AHUS-CAMPING
!
crypto map VPN interface outside
!
tunnel-group AHUS_CAMPING-TUNNLE-GROUP type ipsec-l2l
tunnel-group AHUS_CAMPING-TUNNLE-GROUP general-attributes
default-group-policy AHUS_CAMPING-GROUP-POLICY
tunnel-group AHUS_CAMPING-TUNNLE-GROUP ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
group-policy AHUS_CAMPING-GROUP-POLICY internal
group-policy AHUS_CAMPING-GROUP-POLICY attributes
vpn-tunnel-protocol ikev2 
!
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
!
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
!
crypto ikev2 enable outside client-services port 444

Configuration 5506:

 

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable OUTSIDE
!
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
!
crypto isakmp identity key-id AHUS_CAMPING-TUNNLE-GROUP
!
crypto ikev2 enable OUTSIDE
!
crypto map IPSEC-VPN 1 match address NMC_AHUS-CAMPING_CRYMAP
crypto map IPSEC-VPN 1 set pfs group5
crypto map IPSEC-VPN 1 set peer x.x.x.x
crypto map IPSEC-VPN 1 set ikev2 ipsec-proposal AES256
crypto map IPSEC-VPN interface OUTSIDE
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
default-group-policy AHUS_CAMPING-GROUP-POLICY
tunnel-group x.x.x.x ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
group-policy AHUS_CAMPING-GROUP-POLICY internal
group-policy AHUS_CAMPING-GROUP-POLICY attributes
vpn-tunnel-protocol ikev2

Anybody else had this problem?...

//Cristian

Labels:
1 person had this problem
0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
Cristian Nilsson
Beginner
Beginner
In response to Cristian Nilsson
‎10-22-2019 04:07 AM
‎10-22-2019 04:07 AM

Update to this if anyone experience the same problems.

 

The fault is shown no to be a configuration or ASA related at all.

 

The ISP for "Branch site" has dual devices with a 3G backup.

When traffic changes to 3G for whatever reason and then changes back to cable/fiber provider 3G router keeps some sort of nat cache and is causing this problem. When ISP clears nat in 3G router it starts working again.

 

//CN

View solution in original post

0 Helpful
4 REPLIES 4
Pablo
Cisco Employee
Cisco Employee
‎06-04-2019 06:46 PM
‎06-04-2019 06:46 PM

Looks like PFS is missing from the 5510 dynamic map:

crypto dynamic-map DM_NMC_AHUS-CAMPING 1 set pfs group5

Configure the line above, if the problem persists, enable a conditional IKEv2 debug [platform|protocol] for the peer in question.

HTH

0 Helpful
Cristian Nilsson
Beginner
Beginner
In response to Pablo
‎06-05-2019 12:22 AM
‎06-05-2019 12:22 AM

Hello and thank you for reply.

 

I have added the suggested line and will monitor and get back to you if problem reoccur.

 

//Cristian

0 Helpful
Cristian Nilsson
Beginner
Beginner
In response to Pablo
‎06-05-2019 06:25 AM
‎06-05-2019 06:25 AM

Ok so the tunnel went down again with same error.

 

For reference: x.x.x.x is remote site y.y.y.y is local site (static ip).

 

From ASDM Debugging log:

Local:y.y.y.y:500 Remote:x.x.x.x:512 Username:Unknown IKEv2 Negotiation aborted due to ERROR: Failed to receive the AUTH msg before the timer expired

Logging for IKEv2 is attached.

 

debug crypto ipsec enabled at level 255
debug crypto ikev2 protocol enabled at level 255
debug crypto ikev2 platform enabled at level 255
debug crypto ikev2 ha enabled at level 255

 

I have no idea what to do here...

 

//Cristian

 

 

Preview file
49 KB
0 Helpful
Cristian Nilsson
Beginner
Beginner
In response to Cristian Nilsson
‎10-22-2019 04:07 AM
‎10-22-2019 04:07 AM

Update to this if anyone experience the same problems.

 

The fault is shown no to be a configuration or ASA related at all.

 

The ISP for "Branch site" has dual devices with a 3G backup.

When traffic changes to 3G for whatever reason and then changes back to cable/fiber provider 3G router keeps some sort of nat cache and is causing this problem. When ISP clears nat in 3G router it starts working again.

 

//CN

View solution in original post

0 Helpful
Latest Contents
ISE as RADIUS server for Password + Smart Card Authenticatio...
Created by deepuvarghese1 on 04-17-2021 06:22 AM
0
0
0
0
The purpose of this document is to demonstrate how ISE authenticate / authorize a user that uses a smart card (PIN + Certificate) and password mechanism to login their system. This document describes the components used for this setup, configuration of IS... view more
Email Security - QuoVadis Root Certificate Decommission Migh...
Created by dmccabej on 03-30-2021 09:32 AM
0
0
0
0
Problem Description For all versions of the Email Security Appliance (ESA) and Security Management Appliance (SMA), some Secure Sockets Link (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before 2021-03-31 cannot b... view more
ISE REST APIs Webinar: April 6/7, 2021
Created by thomas on 03-25-2021 07:57 PM
1
5
1
5
  Register Now Automation and programmability for networking and security are increasingly important topics. Every release since ISE 1.2 has included new REST API capabilities to better automate and integrate ISE with the rest of your network, appli... view more
FMT 2.3.4 adding ASA migrations of S2S VPN in public beta
Created by William_Hansch on 03-22-2021 08:00 AM
1
10
1
10
The latest iteration (v2.3.4) of the Cisco Secure Firewall Migration Tool adds public beta support for S2S VPN migrations from ASA: Policy-based (crypto map) Pre-Shared key authentication type VPN configuration to Firepower Management Center VP... view more
What's New for Cisco Defense Orchestrator (CDO)
Created by Andrew Mallio on 03-22-2021 04:40 AM
1
40
1
40
Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices, to name a few.  We make improvement... view more
Content for Community-Ad