901 Views, 0 Helpful, 5 Replies

One L2L IKEv2 Tunnel consuming all licenses on ASA5506x

S Kumar
Level 1

Hello,

We are using an ASA5506-X (9.9.2). We have a few policy-based IKEv1 tunnels and one route-based IKEv2 tunnel.

I received a call this morning that the L2L VPN tunnel with one of our customers is down. I looked at the debug and found the following entry in the log. We reached the limit of 50 tunnels. "show crypto isa sa" showed only three tunnels connected: 2 IKEv1 tunnels and one IKEv2. But the IKEv2 tunnel has 48 IPsec sessions going on. I tried commands to clear the IPsec sessions, but it did not help. These commands only dropped one session.

clear cry ipsec sa peer X.X.X.X
clear crypto ikev2 sa X.X.X.X

Can anyone help to understand what is going on?

Apr 07 18:39:51 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Tunnel Rejected: The maximum tunnel count allowed has been reached

# show vpn-sessiondb 
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
Site-to-Site VPN             :     50 :     178241 :          50
  IKEv2 IPsec                :     48 :     176163 :          48
  IKEv1 IPsec                :      2 :       2078 :           3
---------------------------------------------------------------------------
Total Active and Inactive    :     50             Total Cumulative : 178241
Device Total VPN Capacity    :     50
Device Load                  :   100%
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concurrent   
                             ----------------------------------------------
IKEv1                        :      2 :       2078 :               3
IKEv2                        :     48 :     176163 :              48
IPsec                        :      3 :     166747 :               5
---------------------------------------------------------------------------
Totals                       :     53 :     344988
---------------------------------------------------------------------------
# show vpn-sessiondb det l2l filter protocol ikev2

Session Type: LAN-to-LAN Detailed

Connection   : X.X.X.X
Index        : 341968                 IP Addr      : X.X.X.X
Protocol     : IKEv2
Encryption   : IKEv2: (1)AES256       Hashing      : IKEv2: (1)SHA256
Bytes Tx     : 0                      Bytes Rx     : 0
Login Time   : 22:42:55 IST Fri Apr 1 2022
Duration     : 5d 23h:49m:04s

IKEv2 Tunnels: 1

IKEv2:
  Tunnel ID    : 341968.1
  UDP Src Port : 500                    UDP Dst Port : 500
  Rem Auth Mode: preSharedKeys
  Loc Auth Mode: preSharedKeys
  Encryption   : AES256                 Hashing      : SHA256
  Rekey Int (T): 3600 Seconds           Rekey Left(T): 0 Seconds
  PRF          : SHA256                 D/H Group    : 2
  Filter Name  : vpn_filter
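An added example, not from the thread, that turns the two outputs quoted above into a defender's monitoring check: it parses a constructed `show vpn-sessiondb` summary and a constructed `show crypto ikev2 sa` listing (both modelled on the poster's, with the same numbers) and flags both capacity exhaustion and the mismatch between IKEv2 IPsec sessions counted by the session database and the IKEv2 child SAs that actually exist. The regexes assume the column layout as quoted on the page.

```python
import re

# Constructed sample, modelled on the "show vpn-sessiondb" summary quoted in the thread.
SESSIONDB = """\
VPN Session Summary
                               Active : Cumulative : Peak Concur : Inactive
Site-to-Site VPN             :     50 :     178241 :          50
  IKEv2 IPsec                :     48 :     176163 :          48
  IKEv1 IPsec                :      2 :       2078 :           3
Device Total VPN Capacity    :     50
Device Load                  :   100%
"""

# Constructed sample, modelled on "show crypto ikev2 sa": two sessions, one child SA each.
IKEV2_SA = """\
IKEv2 SAs:
Session-id:137, Status:UP-ACTIVE, IKE count:1, CHILD count:1
1174336559 A.A.A.A/500 B.B.B.B/500 READY INITIATOR
Session-id:159, Status:UP-ACTIVE, IKE count:1, CHILD count:1
"""

# A summary row is "<name> : <active> : <cumulative> : ..."; requiring the second
# colon keeps single-value lines (capacity, load) out of this match.
ROW = re.compile(r"^\s*(?P<name>[A-Za-z0-9 \-]+?)\s*:\s*(?P<active>\d+)\s*:", re.M)

def parse_sessiondb(text):
    """Return {row name: active count} plus 'capacity' and 'load_pct'."""
    out = {m["name"].strip(): int(m["active"]) for m in ROW.finditer(text)}
    cap = re.search(r"Device Total VPN Capacity\s*:\s*(\d+)", text)
    load = re.search(r"Device Load\s*:\s*(\d+)%", text)
    out["capacity"] = int(cap[1]) if cap else 0
    out["load_pct"] = int(load[1]) if load else 0
    return out

def count_ikev2_children(text):
    """Sum the CHILD count of every session listed by 'show crypto ikev2 sa'."""
    return sum(int(n) for n in re.findall(r"CHILD count:(\d+)", text))

def check_capacity(sessiondb_text, ikev2_sa_text, load_threshold=90):
    """Return findings; an empty list means the two views agree and load is fine."""
    db = parse_sessiondb(sessiondb_text)
    children = count_ikev2_children(ikev2_sa_text)
    findings = []
    if db["load_pct"] >= load_threshold:
        findings.append(f"VPN load {db['load_pct']}% of {db['capacity']} tunnel capacity")
    if db.get("IKEv2 IPsec", 0) > children:
        findings.append(f"session-db shows {db['IKEv2 IPsec']} IKEv2 IPsec sessions "
                        f"but only {children} IKEv2 child SA(s) exist")
    return findings
```

Run it against the two command outputs captured from the firewall; an empty list from `check_capacity` means the session database and the IKEv2 SA table agree.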

5 Replies

S Kumar
Level 1

I am facing the same issue. Did you find any solution?

Milos_Jovanovic
VIP Alumni

The Cisco ASA5506 has a limitation of 50 VPN tunnels. Based on the initial outputs, there are already 50 tunnels established - 48 IKEv2 and 2 IKEv1. You have reached the HW capacity of your device.

Kind regards,

Milos

Hi Milos,

I understand that the ASA5506 has a limit of 50, but there are only 2 tunnels, 2 IKEv1 and 2 IKEv2 tunnels. I am not sure why the ASA thinks it has 48 IKEv2 tunnels going on?

ASA5506## show cry ikev1 sa

IKEv1 SAs:

   Active SA: 2
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: X.X.X.X
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: Y.Y.Y.Y
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE


ASA5506## show cry ikev2 sa

IKEv2 SAs:

Session-id:137, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote               Status         Role
1174336559                A.A.A.A/500          B.B.B.B/500          READY     INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/56802 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0xfcede79/0xf30c85e2

IKEv2 SAs:

Session-id:159, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote               Status         Role
768911101                 A.A.A.A/500          C.C.C.C/500          READY     INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 3600/47 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x5fe131ec/0x934763b4


ASA5506## show vpn-sessiondb
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
Site-to-Site VPN             :     50 :        281 :          50
  IKEv2 IPsec                :     48 :        159 :          48
  IKEv1 IPsec                :      2 :        122 :           2
---------------------------------------------------------------------------
Total Active and Inactive    :     50             Total Cumulative : 281
Device Total VPN Capacity    :     50
Device Load                  :   100%
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concurrent
                             ----------------------------------------------
IKEv1                        :      2 :        122 :               2
IKEv2                        :     48 :        159 :              48
IPsec                        :      4 :        343 :               5
---------------------------------------------------------------------------
Totals                       :     54 :        624
---------------------------------------------------------------------------

If that is the case, then I would recommend proceeding with an ASA upgrade, as you are almost certainly hitting some bug.

Version 9.9 is at the end of its life, so you should upgrade at minimum to the latest 9.12 Interim release, ideally to the recommended v9.16 (just be aware that on v9.16 some crypto algorithms are deprecated).

Kind regards,

Milos

Milos,

Appreciate your response.

I am stuck at 9.9 because of the Firepower module. I have opened a service request with Cisco tech support and am hoping for a resolution.

I will post back the feedback from Cisco tech support.