
S2S VPN going down then reconnects every 10 minutes

erikorrsjo
Level 1

I have a site to site VPN using IKEv2 between an ASA 5506 (running 9.12.4) and an ASA 5516 (running 9.14.5). Authentication through PSK. (Same key for local/remote and static crypto map entry).

Every 10 minutes or so the VPN goes down; I get some authentication failures and eventually it comes up again.

See attached log.

There you can see that first there are five failed-to-authenticate messages, for example:

Use preshared key for id 146.66.235.103, key len 20
IKEv2-PROTO-7: (624): Computed authentication value for peer differs from what peer sent
IKEv2-PROTO-2: (624): Failed to authenticate the IKE SA


Then one successful:

IKEv2-PROTO-4: (721): Verify peer's authentication data
IKEv2-PROTO-4: (721): Use preshared key for id 146.66.235.103, key len 20
IKEv2-PROTO-4: (721): Verification of peer's authenctication data PASSED


then one failed again.

And then the tunnel is up.

I have verified that the PSK is ok, and also if they were not ok the VPN would never come up at all.

Does anyone have any idea what is wrong? Have I interpreted the logs correctly? What could "Computed authentication value" refer to other than the PSK?


Hi @erikorrsjo 

It sounds like the IKE messages are out of sync.

Is DPD configured on both ASAs?

Have you determined why the VPN drops, do you have intermittent internet connection issues?

Can you provide the configuration of both ASAs?

Can you enable IKE/IPsec debug on both ASAs while the VPN is up and then provide the output from both once the VPN tunnel has dropped?

Sheraz.Salim
VIP Alumni


The SPI values below are for the working VPN tunnel (from the logs you provided). You can see that the working one uses the PSK together with the FQDN "SEGB-FW001.cactustrail.local". By default with PSK the identity presented is the peer IP address; in your case it's the FQDN. We don't have your configuration. Either use the FQDN on the other side of the firewall or change the order.


Could you show the output of the below command?

show crypto isakmp sa detail | b 146.66.235.103

Completed SA init exchange
IKEv2-PROTO-7: (721): SM Trace-> SA: I_SPI=18B9A11BD3FCEB0B R_SPI=ED395B048278D0A0 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (721): SM Trace-> SA: I_SPI=18B9A11BD3FCEB0B R_SPI=ED395B048278D0A0 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (721): SM Trace-> SA: I_SPI=18B9A11BD3FCEB0B R_SPI=ED395B048278D0A0 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-4: (721): Check for EAP exchange
IKEv2-PROTO-7: (721): SM Trace-> SA: I_SPI=18B9A11BD3FCEB0B R_SPI=ED395B048278D0A0 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-4: (721): Generate my authentication data
IKEv2-PROTO-4: (721): Use preshared key for id SEGB-FW001.cactusrail.local, key len 20
IKEv2-PROTO-7: (721): SM Trace-> SA: I_SPI=18B9A11BD3FCEB0B R_SPI=ED395B048278D0A0 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-4: (721): Get my authentication method
IKEv2-PROTO-4: (721): My authentication method is 'PSK'
IKEv2-PROTO-7: (721): SM Trace-> SA: I_SPI=18B9A11BD3FCEB0B R_SPI=ED395B048278D0A0 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-4: (721): Check for EAP exchange
IKEv2-PROTO-7: (721): SM Trace-> SA: I_SPI=18B9A11BD3FCEB0B R_SPI=ED395B048278D0A0 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-4: (721): Generating IKE_AUTH message
IKEv2-PROTO-4: (721): Constructing IDi payload: 'SEGB-FW001.cactusrail.local' of type 'FQDN'
IKEv2-PROTO-4: (721): ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
please do not forget to rate.
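To make the "Computed authentication value for peer differs from what peer sent" line above concrete: under pre-shared-key authentication the IKEv2 AUTH value (RFC 7296 section 2.15) is computed over the shared secret, the first message, the peer's nonce and the sender's own ID payload, so the identity a peer presents is part of what is verified. The worked computation below is an added example, not code from this thread or from Cisco; the keys, nonce and message bytes are constructed placeholders, and the keyring lookup is a simplified model of a responder selecting its PSK by presented identity, not a description of ASA internals.

```python
"""IKEv2 AUTH under pre-shared-key authentication, RFC 7296 section 2.15.
Added example, not code from the thread or from Cisco.  Every key, nonce and
message below is a constructed placeholder, not captured traffic."""
import hashlib
import hmac

# Identification payload types, RFC 7296 section 3.5
ID_IPV4_ADDR = 1
ID_FQDN = 2
KEY_PAD = b"Key Pad for IKEv2"


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256, matching the 'prf sha256' of the thread's SA."""
    return hmac.new(key, data, hashlib.sha256).digest()


def id_payload_rest(id_type: int, id_data: bytes) -> bytes:
    """RestOfIDPayload: ID Type (1 byte), RESERVED (3 bytes), ID Data."""
    return bytes([id_type, 0, 0, 0]) + id_data


def ipv4_id(addr: str) -> bytes:
    return id_payload_rest(ID_IPV4_ADDR, bytes(int(o) for o in addr.split(".")))


def fqdn_id(name: str) -> bytes:
    return id_payload_rest(ID_FQDN, name.encode("ascii"))


def psk_auth(psk: bytes, sk_p: bytes, real_message: bytes,
             nonce_peer: bytes, rest_of_id: bytes) -> bytes:
    """AUTH = prf(prf(PSK, "Key Pad for IKEv2"), SignedOctets), where
    SignedOctets = RealMessage | NoncePeer | prf(SK_p, RestOfIDPayload).
    The sender's own identity payload is bound into the value, so the
    identity a peer presents is part of what gets authenticated."""
    maced_id = prf(sk_p, rest_of_id)
    return prf(prf(psk, KEY_PAD), real_message + nonce_peer + maced_id)


def select_psk(rest_of_id: bytes, keyring: dict, default_psk: bytes) -> bytes:
    """Simplified responder policy (an assumption of this example, not a
    description of ASA internals): use the PSK configured for the presented
    identity, or fall back to a default key when no entry matches."""
    return keyring.get(rest_of_id, default_psk)


def verify_peer_auth(received: bytes, rest_of_id: bytes, keyring: dict,
                     default_psk: bytes, sk_p: bytes, real_message: bytes,
                     nonce_peer: bytes) -> bool:
    """Responder check; a False here is what the ASA logs as 'Computed
    authentication value for peer differs from what peer sent'."""
    psk = select_psk(rest_of_id, keyring, default_psk)
    expected = psk_auth(psk, sk_p, real_message, nonce_peer, rest_of_id)
    return hmac.compare_digest(expected, received)


# Constructed stand-ins.  The thread's logs report 'key len 20'.
PSK = b"constructed-psk-0001"
DEFAULT_PSK = b"constructed-default-key"
SK_PI = hashlib.sha256(b"constructed SK_pi").digest()
MSG1 = b"constructed IKE_SA_INIT request bytes"
NR = bytes.fromhex("00112233445566778899aabbccddeeff")
# Responder keyring indexed by identity, like a tunnel-group named by peer IP
KEYRING = {ipv4_id("195.22.66.26"): PSK}


def demo() -> dict:
    """Same PSK on both sides; only the presented identity differs."""
    ip_id = ipv4_id("195.22.66.26")
    fqdn = fqdn_id("SEGB-FW001.cactusrail.local")
    auth_ip = psk_auth(PSK, SK_PI, MSG1, NR, ip_id)
    auth_fqdn = psk_auth(PSK, SK_PI, MSG1, NR, fqdn)
    return {
        # IP identity: keyring hit, verification passes
        "ipv4_identity_verifies": verify_peer_auth(
            auth_ip, ip_id, KEYRING, DEFAULT_PSK, SK_PI, MSG1, NR),
        # FQDN identity: no keyring entry, default key used, verification fails
        "fqdn_identity_verifies": verify_peer_auth(
            auth_fqdn, fqdn, KEYRING, DEFAULT_PSK, SK_PI, MSG1, NR),
        # even with the right key, the two identities yield different AUTH values
        "auth_depends_on_identity": auth_ip != auth_fqdn,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```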

Result of the command: "show crypto isakmp sa detail | b 146.66.235.103"

271542171 195.22.66.26/500 146.66.235.103/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/17532 sec
Session-id: 2578
Status Description: Negotiation done
Local spi: 833B219A6FA23117 Remote spi: 7638B47A2A88A2EB
Local id: SEGB-FW001.cactusrail.local
Remote id: 146.66.235.103
Local req mess id: 1 Remote req mess id: 4
Local next mess id: 1 Remote next mess id: 4
Local req queued: 1 Remote req queued: 4
Local window: 1 Remote window: 1
DPD configured for 10 seconds, retry 2
NAT-T is not detected
IKEv2 Fragmentation Configured MTU: 576 bytes, Overhead: 28 bytes, Effective MTU: 548 bytes
Parent SA Extended Status:
Delete in progress: FALSE
Marked for delete: FALSE
Child sa: local selector 195.22.76.128/0 - 195.22.76.255/65535
remote selector 10.30.0.0/0 - 10.30.3.255/65535
ESP spi in/out: 0xb35536e7/0xa63870a8
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 192.168.171.0/0 - 192.168.171.255/65535
remote selector 10.30.0.0/0 - 10.30.3.255/65535
ESP spi in/out: 0xf606673f/0xe371741e
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 10.10.51.0/0 - 10.10.51.255/65535
remote selector 10.30.0.0/0 - 10.30.3.255/65535
ESP spi in/out: 0x88c5b172/0x66cf7954
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 10.10.70.0/0 - 10.10.70.255/65535
remote selector 10.30.0.0/0 - 10.30.3.255/65535
ESP spi in/out: 0x36133b48/0xf2bbed5a
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

Also, I set up ping through the tunnel from a host and that seemed to have made it better (5 hours uptime now).

I don't know why it would pick the hostname of the firewall including the domain suffix. The VPN is set up using the IP address.

I can't really publish the entire firewall config on a public internet forum, but this is the config of the parts related to the tunnel:

FW site 1:

crypto map VPN_UTILITIES_MAP 150 match address internet_cryptomap_5
crypto map VPN_UTILITIES_MAP 150 set pfs
crypto map VPN_UTILITIES_MAP 150 set peer 146.66.235.103
crypto map VPN_UTILITIES_MAP 150 set ikev2 ipsec-proposal aes256-sha256
crypto map VPN_UTILITIES_MAP 150 set ikev2 pre-shared-key *****


tunnel-group 146.66.235.103 type ipsec-l2l
tunnel-group 146.66.235.103 general-attributes
default-group-policy gp-vpn-jk-gbg
tunnel-group 146.66.235.103 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****


FW site 2:

crypto map outside_map 1 match address outside_cryptomap_3
crypto map outside_map 1 set pfs group14
crypto map outside_map 1 set peer 195.22.66.26
crypto map outside_map 1 set ikev2 ipsec-proposal AES-SHA-256
crypto map outside_map 1 set ikev2 pre-shared-key *****


tunnel-group 195.22.66.26 type ipsec-l2l
tunnel-group 195.22.66.26 general-attributes
default-group-policy GroupPolicy_195.22.66.26
tunnel-group 195.22.66.26 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

Yep, this is what I was expecting.

"show crypto isakmp sa detail | b 146.66.235.103"

271542171 195.22.66.26/500 146.66.235.103/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/17532 sec
Session-id: 2578
Status Description: Negotiation done
Local spi: 833B219A6FA23117 Remote spi: 7638B47A2A88A2EB
Local id: SEGB-FW001.cactusrail.local
Remote id: 146.66.235.103

Could you double check whether you have this command enabled on your ASA?

crypto isakmp identity hostname

If so, could you change this to

crypto isakmp identity auto
please do not forget to rate.

Yes, you were right:

crypto isakmp identity hostname

was set; I changed it as you said. Waiting to see if this will change the behaviour.

Btw, do you know if it is possible to set this anywhere in ASDM? I don't ever remember changing this before.

auto.PNG

please do not forget to rate.

It helped somewhat to set the identity to auto. It changed the peer ID from FQDN to IP address, and I no longer receive any pre-shared key authentication failures. The tunnel still goes down every 10-15 minutes; however, the downtime is much shorter now, so it seems it might not affect the communication enough to cause big issues. That remains to be seen though.

Also, whenever the tunnel goes down, I still get the following syslog messages:

5 May 05 2021 22:41:11 750007 Local:146.66.235.103:500 Remote:195.22.66.26:500 Username:195.22.66.26 IKEv2 SA DOWN. Reason: peer lost

and

4 May 05 2021 22:55:04 750014 Local:195.22.66.26:500 Remote:146.66.235.103:500 Username:146.66.235.103 IKEv2 Session Aborted. Reason: Initial contact received for Local ID: 195.22.66.26, Remote ID: 146.66.235.103 from remote peer: 146.66.235.103:500 to 195.22.66.26:500

This occurs much less frequently if I have a ping running through the tunnel. I have other tunnels from the same ASAs that run much more stably.

So something is still a bit fishy.

Logs are attached.
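The two syslog ids quoted in this post, 750007 (IKEv2 SA DOWN) and 750014 (IKEv2 Session Aborted), are enough to measure how often a peer flaps and why. The script below is an added example, not code from this thread: it parses lines in the ASDM viewer layout (severity, date, time, message id, text), tolerates the run-together field spacing seen in this post, and flags peers whose SA goes down repeatedly with a median gap under 15 minutes. The log lines are constructed for the example and are not real events.

```python
"""Flap detection over ASA IKEv2 syslog messages 750007 (IKEv2 SA DOWN) and
750014 (IKEv2 Session Aborted), the two message ids quoted in this thread.
Added example, not code from the thread.  The log lines are constructed in
the ASDM viewer layout (severity, date, time, message id, text); the first
one deliberately has the fields run together, as they appear on this page."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<sev>\d)\s*(?P<date>[A-Z][a-z]{2} \d{2} \d{4})\s*"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s*(?P<msgid>\d{6})\s+"
    r"Local:(?P<local>\S+) Remote:(?P<remote>\S+) Username:(?P<peer>\S+) "
    r"(?P<text>.*)$")
SA_DOWN = "750007"
SESSION_ABORTED = "750014"

# Constructed sample, deliberately out of time order
SAMPLE_LOG = """\
5May 05 202122:41:11750007    Local:146.66.235.103:500 Remote:195.22.66.26:500 Username:195.22.66.26 IKEv2 SA DOWN. Reason: peer lost
5 May 05 2021 23:06:02 750007 Local:146.66.235.103:500 Remote:195.22.66.26:500 Username:195.22.66.26 IKEv2 SA DOWN. Reason: peer lost
4 May 05 2021 22:55:04 750014 Local:195.22.66.26:500 Remote:146.66.235.103:500 Username:146.66.235.103 IKEv2 Session Aborted. Reason: Initial contact received for Local ID: 195.22.66.26, Remote ID: 146.66.235.103 from remote peer: 146.66.235.103:500 to 195.22.66.26:500
5 May 05 2021 22:53:40 750007 Local:146.66.235.103:500 Remote:195.22.66.26:500 Username:195.22.66.26 IKEv2 SA DOWN. Reason: peer lost
5 May 05 2021 23:40:00 750007 Local:146.66.235.103:500 Remote:89.160.107.20:500 Username:89.160.107.20 IKEv2 SA DOWN. Reason: peer lost
"""


def parse_line(line: str):
    """Return an event dict, or None for lines that are not IKEv2 SA messages."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%b %d %Y %H:%M:%S")
    # 'peer lost' / 'Initial contact received for ...' -> short reason phrase
    reason = ev["text"].split("Reason: ", 1)[-1]
    ev["reason"] = re.split(r" for |,", reason, maxsplit=1)[0].strip()
    return ev


def parse_log(text: str) -> list:
    """All parsable events in time order (viewer exports are not always sorted)."""
    events = [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]
    return sorted(events, key=lambda ev: ev["ts"])


def down_intervals(events: list) -> dict:
    """Seconds between consecutive SA DOWN events, per peer (Username field)."""
    downs = defaultdict(list)
    for ev in events:
        if ev["msgid"] == SA_DOWN:
            downs[ev["peer"]].append(ev["ts"])
    return {peer: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for peer, ts in downs.items()}


def reason_counts(events: list) -> Counter:
    """How often each (message id, reason) pair occurs."""
    return Counter((ev["msgid"], ev["reason"]) for ev in events)


def flapping_peers(events: list, max_median_s: int = 900, min_downs: int = 3) -> list:
    """Peers whose SA went down at least min_downs times with a median gap
    under max_median_s (900 s matches the 10-15 minute cycle in the thread)."""
    flapping = []
    for peer, gaps in down_intervals(events).items():
        if len(gaps) + 1 >= min_downs and statistics.median(gaps) < max_median_s:
            flapping.append(peer)
    return flapping


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("intervals:", down_intervals(evs))
    print("reasons:", reason_counts(evs))
    print("flapping:", flapping_peers(evs))
```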

Could you share the firewall VPN configuration of these two VPNs?

please do not forget to rate.

Here you go:


FW1 (146....)

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES-SHA-256
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap_3
crypto map outside_map 1 set pfs group14
crypto map outside_map 1 set peer 195.22.66.26
crypto map outside_map 1 set ikev2 ipsec-proposal AES-SHA-256
crypto map outside_map 1 set ikev2 pre-shared-key *****
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer 89.160.107.20
crypto map outside_map 2 set ikev1 transform-set ESP-DES-MD5 ESP-DES-SHA ESP-3DES-SHA ESP-3DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES-SHA-256
crypto map outside_map 2 set ikev2 pre-shared-key *****
crypto map outside_map 3 match address outside_cryptomap_4
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 83.233.155.226
crypto map outside_map 3 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES AES-SHA-256
crypto map outside_map interface outside
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=146.66.235.103,CN=ciscoasajkp
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_1
enrollment self
fqdn none
subject-name CN=146.66.235.103,CN=ciscoasajkp
crl configure
crypto ca trustpool policy
crypto ikev2 policy 2
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
crypto ikev2 policy 3
encryption aes-256
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 4
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption des
hash sha
group 5
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400

....

group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
group-policy GroupPolicy_89.160.107.18 internal
group-policy GroupPolicy_89.160.107.18 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_195.22.66.26 internal
group-policy GroupPolicy_195.22.66.26 attributes
vpn-filter value filter-jkp-gb
vpn-tunnel-protocol ikev2
group-policy GroupPolicy_83.233.155.226 internal
group-policy GroupPolicy_83.233.155.226 attributes
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
username admin password ***** pbkdf2 privilege 15
username erik password ***** pbkdf2 privilege 15
tunnel-group 195.22.66.26 type ipsec-l2l
tunnel-group 195.22.66.26 general-attributes
default-group-policy GroupPolicy_195.22.66.26
tunnel-group 195.22.66.26 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 89.160.107.18 type ipsec-l2l
tunnel-group 89.160.107.18 general-attributes
default-group-policy GroupPolicy_89.160.107.18
tunnel-group 89.160.107.18 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 83.233.155.226 type ipsec-l2l
tunnel-group 83.233.155.226 general-attributes
default-group-policy GroupPolicy_83.233.155.226
tunnel-group 83.233.155.226 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 89.160.107.20 type ipsec-l2l
tunnel-group 89.160.107.20 general-attributes
default-group-policy GroupPolicy_89.160.107.18
tunnel-group 89.160.107.20 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

FW2: (195...)

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal aes256-sha1
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal aes256-sha256
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal aes256-md5
protocol esp encryption aes-256
protocol esp integrity md5
crypto ipsec security-association replay window-size 1024
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map internet_dyn_map 2 set pfs
crypto dynamic-map internet_dyn_map 2 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 match address internet_cryptomap_65535.1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 2 match address internet_cryptomap_65535.2_1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 2 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 2 set ikev1 transform-set ESP-AES-256-MD5
crypto map *** [various other crypto maps for other VPN:s)
crypto map VPN_UTILITIES_MAP 150 match address internet_cryptomap_5
crypto map VPN_UTILITIES_MAP 150 set pfs
crypto map VPN_UTILITIES_MAP 150 set peer 146.66.235.103
crypto map VPN_UTILITIES_MAP 150 set ikev2 ipsec-proposal aes256-sha256
crypto map VPN_UTILITIES_MAP 150 set ikev2 pre-shared-key *****
crypto map VPN_UTILITIES_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VPN_UTILITIES_MAP interface cu-vpn
....

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 3600
crypto ikev2 policy 2
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
crypto ikev2 policy 3
encryption aes-256
integrity md5
group 14
prf md5
lifetime seconds 86400
crypto ikev2 policy 4
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 enable cu-vpn
crypto ikev2 enable internet
crypto ikev2 enable cr-vpn
crypto ikev1 enable cu-vpn
crypto ikev1 enable internet
crypto ikev1 enable cr-vpn
crypto ikev1 policy 1
authentication pre-share
encryption aes-192
hash sha
group 5
lifetime 86400
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 3600
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 95
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
crypto ikev1 policy 103
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto ikev1 policy 104
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 106
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 107
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 14400
crypto ikev1 policy 108
authentication pre-share
encryption aes
hash md5
group 2
lifetime 28800
crypto ikev1 policy 109
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto ikev1 policy 110
authentication pre-share
encryption 3des
hash md5
group 5
lifetime 28800

....

group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless

....

group-policy gp-vpn-jk-gbg internal
group-policy gp-vpn-jk-gbg attributes
vpn-filter value jkp-gbg
vpn-tunnel-protocol ikev2

....

tunnel-group 146.66.235.103 type ipsec-l2l
tunnel-group 146.66.235.103 general-attributes
default-group-policy gp-vpn-jk-gbg
tunnel-group 146.66.235.103 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

Could you make sure the PFS values are configured on both sides as group14?

Also, could you please share the access-lists internet_cryptomap_5 and outside_cryptomap_3?

show access-list internet_cryptomap_5

show access-list outside_cryptomap_3

Also, could you please show the NAT statements for the above VPNs?

Once you have PFS group14 on both ends, see how the tunnel behaves.

FW195
!
crypto map VPN_UTILITIES_MAP 150 match address internet_cryptomap_5
crypto map VPN_UTILITIES_MAP 150 set pfs
crypto map VPN_UTILITIES_MAP 150 set peer 146.66.235.103
crypto map VPN_UTILITIES_MAP 150 set ikev2 ipsec-proposal aes256-sha256
crypto map VPN_UTILITIES_MAP 150 set ikev2 pre-shared-key *****
!
tunnel-group 146.66.235.103 type ipsec-l2l
tunnel-group 146.66.235.103 general-attributes
default-group-policy gp-vpn-jk-gbg
tunnel-group 146.66.235.103 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
================================================
FW-146
!
crypto map outside_map 1 match address outside_cryptomap_3
crypto map outside_map 1 set pfs group14
crypto map outside_map 1 set peer 195.22.66.26
crypto map outside_map 1 set ikev2 ipsec-proposal AES-SHA-256
crypto map outside_map 1 set ikev2 pre-shared-key *****
!
tunnel-group 195.22.66.26 type ipsec-l2l
tunnel-group 195.22.66.26 general-attributes
default-group-policy GroupPolicy_195.22.66.26
tunnel-group 195.22.66.26 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
please do not forget to rate.

Even if I enter the
crypto map outside_map 1 set pfs group14
command, it still shows the same as before. In the GUI it has always shown group14; perhaps it is the default value? Anyway, changing that did not make any difference. (And I suppose it would not have worked at all if it was set up wrong?)

Result of the command: "show access-list internet_cryptomap_5"

access-list internet_cryptomap_5; 8 elements; name hash: 0x5b01d13b
access-list internet_cryptomap_5 line 1 extended permit ip object-group grp_TUNNELED_NETWORKS_JK object net-jkp-all (hitcnt=3776) 0xcf804c3a
access-list internet_cryptomap_5 line 1 extended permit ip 10.10.51.0 255.255.255.0 10.30.0.0 255.255.252.0 (hitcnt=3209) 0x9985835f
access-list internet_cryptomap_5 line 1 extended permit ip 10.10.52.0 255.255.255.0 10.30.0.0 255.255.252.0 (hitcnt=0) 0x679d9b5b
access-list internet_cryptomap_5 line 1 extended permit ip 195.22.76.128 255.255.255.128 10.30.0.0 255.255.252.0 (hitcnt=91) 0x60625c28
access-list internet_cryptomap_5 line 1 extended permit ip 192.168.171.0 255.255.255.0 10.30.0.0 255.255.252.0 (hitcnt=4270) 0x485df578
access-list internet_cryptomap_5 line 1 extended permit ip 10.10.70.0 255.255.255.0 10.30.0.0 255.255.252.0 (hitcnt=53) 0xe98769e8
access-list internet_cryptomap_5 line 1 extended permit ip 172.31.253.0 255.255.255.0 10.30.0.0 255.255.252.0 (hitcnt=77) 0xb4e8e3b8
access-list internet_cryptomap_5 line 1 extended permit ip 192.168.151.0 255.255.255.0 10.30.0.0 255.255.252.0 (hitcnt=82) 0x15edca13
access-list internet_cryptomap_5 line 1 extended permit ip 10.220.1.0 255.255.255.248 10.30.0.0 255.255.252.0 (hitcnt=12) 0xa2763e48

Result of the command: "show access-list outside_cryptomap_3"

access-list outside_cryptomap_3; 8 elements; name hash: 0x4c48cff2
access-list outside_cryptomap_3 line 1 extended permit ip object net-jkp-all object-group grp-CU_SEGB_NETWORKS_MAIN (hitcnt=10009) 0xd7740ed3
access-list outside_cryptomap_3 line 1 extended permit ip 10.30.0.0 255.255.252.0 195.22.76.128 255.255.255.128 (hitcnt=48) 0xadd23a18
access-list outside_cryptomap_3 line 1 extended permit ip 10.30.0.0 255.255.252.0 192.168.171.0 255.255.255.0 (hitcnt=5760) 0x2adbde57
access-list outside_cryptomap_3 line 1 extended permit ip 10.30.0.0 255.255.252.0 10.10.51.0 255.255.255.0 (hitcnt=6406) 0xe25a5b46
access-list outside_cryptomap_3 line 1 extended permit ip 10.30.0.0 255.255.252.0 10.10.52.0 255.255.255.0 (hitcnt=0) 0x7740f34c
access-list outside_cryptomap_3 line 1 extended permit ip 10.30.0.0 255.255.252.0 10.10.70.0 255.255.255.0 (hitcnt=250) 0xfbf9dc40
access-list outside_cryptomap_3 line 1 extended permit ip 10.30.0.0 255.255.252.0 172.31.253.0 255.255.255.0 (hitcnt=20) 0xb843c24f
access-list outside_cryptomap_3 line 1 extended permit ip 10.30.0.0 255.255.252.0 192.168.151.0 255.255.255.0 (hitcnt=20) 0x34dfca20
access-list outside_cryptomap_3 line 1 extended permit ip 10.30.0.0 255.255.252.0 host 10.220.1.3 (hitcnt=0) 0x936059e9

NAT 146...
nat (inside,outside) source static net-CU_SEJK_LAN_OFFICE_WIRED net-CU_SEJK_LAN_OFFICE_WIRED destination static grp-CU_SEGB_NETWORKS_MAIN grp-CU_SEGB_NETWORKS_MAIN no-proxy-arp route-lookup
nat (net-wifi,outside) source static net-CU_SEJK_LAN_OFFICE_INFRA net-CU_SEJK_LAN_OFFICE_INFRA destination static net-CR-SEGB_LAN_MGMT net-CR-SEGB_LAN_MGMT no-proxy-arp

NAT 195...
nat (cu-wifi_dev,cu-vpn) source static net-CU_LAN_OFFICE_WIFI_DEV net-CU_LAN_OFFICE_WIFI_DEV destination static net-CU_SEJK_LAN_OFFICE_WIRED net-CU_SEJK_LAN_OFFICE_WIRED no-proxy-arp
nat (management,cu-vpn) source static management-network management-network destination static net-CU_SEJK_LAN_OFFICE_WIFI net-CU_SEJK_LAN_OFFICE_WIFI no-proxy-arp description For AP <-> WLC access
nat (cu-dev_195.22.76.0,cu-vpn) source static net-CU_SEGB_LAN_DEV net-CU_SEGB_LAN_DEV destination static grp-CU_SEJK_NETWORKS_ALL grp-CU_SEJK_NETWORKS_ALL no-proxy-arp
nat (cu-vm,cu-vpn) source static net-CU_SEGB_LAN_VM net-CU_SEGB_LAN_VM destination static grp-CU_SEJK_NETWORKS_ALL grp-CU_SEJK_NETWORKS_ALL no-proxy-arp
nat (if-link-vpn,cu-vpn) source static host-gb-fw04 host-gb-fw04 destination static grp-CU_SEJK_NETWORKS_ALL grp-CU_SEJK_NETWORKS_ALL
nat (cu-office_wired_195.22.76.128,cu-vpn) source static net-CU_SEGB_LAN_OFFICE_WIRED net-CU_SEGB_LAN_OFFICE_WIRED destination static grp-CU_SEJK_NETWORKS_ALL grp-CU_SEJK_NETWORKS_ALL no-proxy-arp
nat (cu-mgmt,cu-vpn) source static net-CU_SEGB_LAN_MGMT net-CU_SEGB_LAN_MGMT destination static grp-CU_SEJK_NETWORKS_ALL grp-CU_SEJK_NETWORKS_ALL no-proxy-arp

@erikorrsjo 

You are running ASA 9.14; groups 2 and 5 were recently deprecated, and 14 is the default. Worthwhile confirming, but it would never have worked if mismatched.

In your logs I noted the initial_contact notification, which is used if a host crashes, restarts or if manually reset for some reason - in which case the IKEv2 SAs are cleared. I previously asked - "Have you determined why the VPN drops, do you have intermittent internet connection issues?" If other VPNs do not drop on the main ASA, check for communication issues on the other end.

No, there is another VPN from that ASA as well, which is much more stable. (The endpoint on the other side of that is a Fortigate though; it does not use IKEv2 since that seems not quite compatible.)
I have no other indication of any disturbances on the internet line. But perhaps IKEv2 is extremely sensitive?

@erikorrsjo IKEv2 isn't more sensitive, and I've implemented VPNs successfully using it.

Log a call with TAC to help you troubleshoot further or use IKEv1 and test to determine whether you have the same issues.