09-18-2019 05:23 PM
Sep 18 2019 03:53:36: %ASA-5-750007: Local:x.x.x.x:500 Remote:x.x.x.x:500 Username:x.x.x.x IKEv2 SA DOWN. Reason: unknown
Sep 18 2019 03:53:36: %ASA-4-113019: Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: LAN-to-LAN, Duration: 1h:02m:47s, Bytes xmt: 227326, Bytes rcv: 284076, Reason: Internal Error
Sep 18 2019 03:54:01: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = CRYPTO-MAP. Map Sequence Number = 1.
Between Sept 1 and Sept 18 this error has appeared 135 times and the VPN tunnel has reestablished back in a few seconds.
Cisco Adaptive Security Appliance Software Version 9.8(2)
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(2)
Compiled on Sun 27-Aug-17 13:06 PDT by builders
System image file is "disk0:/asa982-lfbff-k8.SPA"
Config file at boot was "startup-config"
NC-ASA up 195 days 23 hours
Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB
Please help ASAP. The site is facing many issues because of this.
Thanks
09-18-2019 08:15 PM
09-18-2019 10:10 PM
Hi Francesco
Otherwise is an ASA 5506 too. Running 9.6.1
and since we have this happening at random times I didn't run any debug platform or protocols yet.
Which debug do you suggest? And is there any bug? Please help.
Thanks
09-19-2019 06:19 AM
Can you provide (as attachment) the "show tech" output from both ASAs (i.e. both ends of the VPN)?
09-19-2019 06:51 AM - edited 09-19-2019 05:32 PM
The issue is, the VPN tunnel keeps going down at NC-ASA (Local:72.93.32.122:500 Remote:24.214.135.3:500).
I have changed sensitive information like IP addresses and hostnames.
Thanks
Shiva
09-19-2019 09:15 AM
Your syr-asa has:
crypto map CRYPTO-MAP 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
A matching ikev1 transform set definition is missing on nc-asa. You should have the same transform sets on both, so add it on the nc-asa side.
09-19-2019 05:14 PM
Sure, I will do that and check. Just to understand: we use IKEv2 on the tunnel in question, so is it still going to be a problem? The tunnel keeps breaking down and it forms back in a few seconds.
I am still a beginner in security, so please don't mind me asking silly questions.
Thanks
09-23-2019 07:11 AM
Even after adding the transform sets the issue is occurring every day (at least 15-20 times).
Sep 22 2019 06:44:39: %ASA-5-750007: Local:7.9.3.1:500 Remote:2.2.1.3:500 Username:2.2.1.3 IKEv2 SA DOWN. Reason: unknown
Sep 22 2019 06:44:39: %ASA-4-113019: Group = 2.2.1.3, Username = 2.2.1.3, IP = 2.2.1.3, Session disconnected. Session Type: LAN-to-LAN, Duration: 1h:02m:47s, Bytes xmt: 205355, Bytes rcv: 287237, Reason: Internal Error
Please suggest.
Thanks
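As an added illustration (not part of the thread and not Cisco tooling): a small Python script that tallies %ASA-4-113019 LAN-to-LAN disconnects per peer from saved syslog text and reports whether the same session duration keeps repeating, as in the two events posted above, which both show 1h:02m:47s. The sample lines are constructed, the addresses are documentation placeholders, and the optional day field in the duration is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the thread's log format; addresses are documentation placeholders.
SAMPLE = """\
Sep 18 2019 03:53:36: %ASA-5-750007: Local:192.0.2.1:500 Remote:198.51.100.7:500 Username:198.51.100.7 IKEv2 SA DOWN. Reason: unknown
Sep 18 2019 03:53:36: %ASA-4-113019: Group = 198.51.100.7, Username = 198.51.100.7, IP = 198.51.100.7, Session disconnected. Session Type: LAN-to-LAN, Duration: 1h:02m:47s, Bytes xmt: 227326, Bytes rcv: 284076, Reason: Internal Error
Sep 22 2019 06:44:39: %ASA-4-113019: Group = 198.51.100.7, Username = 198.51.100.7, IP = 198.51.100.7, Session disconnected. Session Type: LAN-to-LAN, Duration: 1h:02m:47s, Bytes xmt: 205355, Bytes rcv: 287237, Reason: Internal Error
Sep 23 2019 11:10:02: %ASA-4-113019: Group = 198.51.100.7, Username = 198.51.100.7, IP = 198.51.100.7, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:17m:05s, Bytes xmt: 1200, Bytes rcv: 900, Reason: Internal Error
"""

# %ASA-4-113019 carries the peer, the session lifetime and the disconnect reason.
DISCONNECT = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} [\d:]{8}): %ASA-\d-113019: .*?IP = (?P<peer>[^,]+), "
    r"Session disconnected\. Session Type: (?P<type>[^,]+), "
    r"Duration: (?P<dur>[^,]+), .*Reason: (?P<reason>.+?)\s*$")
# The optional leading "Nd " (days) is an assumption; the thread only shows h:m:s.
DURATION = re.compile(r"(?:(\d+)d )?(\d+)h:(\d+)m:(\d+)s")

def duration_seconds(text):
    m = DURATION.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s

def parse_disconnects(log_text, session_type="LAN-to-LAN"):
    """Return one dict per matching disconnect; other message IDs are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DISCONNECT.match(line)
        if m and m["type"] == session_type:
            events.append({"ts": m["ts"], "peer": m["peer"],
                           "seconds": duration_seconds(m["dur"]), "reason": m["reason"]})
    return events

def summarize(events):
    """Per peer: drop count, most frequent session duration, and reasons seen."""
    by_peer = defaultdict(list)
    for e in events:
        by_peer[e["peer"]].append(e)
    report = {}
    for peer, evs in by_peer.items():
        top, hits = Counter(e["seconds"] for e in evs).most_common(1)[0]
        report[peer] = {"drops": len(evs), "common_duration_s": top, "common_duration_hits": hits,
                        "reasons": Counter(e["reason"] for e in evs)}
    return report

if __name__ == "__main__":
    for peer, r in summarize(parse_disconnects(SAMPLE)).items():
        print(peer, r)
```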
09-23-2019 07:46 AM
In my experience, debugging is the best next step at this point.
It can be challenging to analyze without support but we can try. Level 7 debugs typically suffice.
debug crypto condition peer <address of your peer gateway>
debug crypto ike-common 7
debug crypto ipsec 7
Make sure you are capturing debug output in your terminal (i.e. log your terminal output to a file), save and post it for analysis.
09-18-2019 08:32 PM
If you're experiencing network or system down issues you should open a TAC case.
09-18-2019 10:51 PM
Hi
Since this is a refurbished device there is no service contract.
Any help is appreciated.
Thanks