Problem with IKE Phase 2

diondohmen · ‎07-26-2011

Hi there,

I have set up a IPsec L2L VPN between a ASA5510 and a ASA5505 which is working just fine.

Every now and then our management station receives the following syslog message:

Session disconnected. Session Type: IPsec, Duration: 2h:23m:23s, Bytes xmt: 3283338, Bytes rcv: 8637607, Reason: Phase 2 Error

I have already searched the forum for this message to exclude all the possible reasons for this message:

- the complete crypto maps are the same on both ends (lifetime, psk, pfs etc)

- the ACL's used in the crypto maps are exactly the opposite of each other

9 IKE Peer: xxx-xxx

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

Encrypt : aes-256 Hash : SHA

Auth : preshared Lifetime: 28800

1 IKE Peer: yyy-yyy

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE

Encrypt : aes-256 Hash : SHA

Auth : preshared Lifetime: 28800

Does anybody knows why this error occurs?

As you can see the tunnel has been up and running for almost 2,5 hours.

Thanks in advance

Richard Burts · ‎07-26-2011

Frequently the reason for session disconnect is that there has been packet loss or some temporary loss of connectivity at one of the peers.

My suggestion would be to check in the logs of both ASAs around the time that this syslog was generated and see if there are any other log messages on the ASA that might shed light on what was happening.

HTH

Rick

HTH

Rick

Pavel Pokorny · ‎07-27-2011

Hi,

Two questions:

- is the time for shutdown always the same (mean duration)?

- is there any utilization of your line?