Site-to-site VPN keeps going down with an unrecognisable error code: IKEv2 SA DOWN. Reason: unknown

flipflop
Level 1

Sep 18 2019 03:53:36: %ASA-5-750007: Local:x.x.x.x:500 Remote:x.x.x.x:500 Username:x.x.x.x IKEv2 SA DOWN. Reason: unknown
Sep 18 2019 03:53:36: %ASA-4-113019: Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: LAN-to-LAN, Duration: 1h:02m:47s, Bytes xmt: 227326, Bytes rcv: 284076, Reason: Internal Error
Sep 18 2019 03:54:01: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = CRYPTO-MAP. Map Sequence Number = 1.
Between Sept 1 and Sept 18 this error has appeared 135 times and the VPN tunnel has reestablished back in a few seconds.
Cisco Adaptive Security Appliance Software Version 9.8(2)
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(2)

Compiled on Sun 27-Aug-17 13:06 PDT by builders
System image file is "disk0:/asa982-lfbff-k8.SPA"
Config file at boot was "startup-config"

NC-ASA up 195 days 23 hours

Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB

Please help ASAP. The site is facing many issues because of this.

Thanks

 


Francesco Molino
VIP Alumni
Hi

What's the firewall on the other side? Is it the same Cisco device?

Did you run any debugs when this issue occurs?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco

The other side is an ASA 5506 too, running 9.6.1.

And since this happens at random times, I haven't run any platform or protocol debugs yet.

Which debug do you suggest? And is there any bug? Please help.
Thanks

Can you provide (as attachment) the "show tech" output from both ASAs (i.e. both ends of the VPN)?

The issue is, the VPN tunnel keeps going down at NC-ASA (Local:72.93.32.122:500 Remote:24.214.135.3:500).
I have changed sensitive information like IP addresses and hostnames.
Thanks

Shiva
Your syr-asa has:

crypto map CRYPTO-MAP 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

A matching ikev1 transform set definition is missing on nc-asa. You should have the same transform sets on both, so add it on the nc-asa side.

Sure, I will do that and check. Just to understand: we use IKEv2 on the tunnel in question, so is it still going to be a problem? The tunnel keeps breaking down and forms back up in a few seconds.

I am still a beginner in security, so please don't mind me asking silly questions.

Thanks

Even after adding the transform sets, the issue is occurring every day (at least 15-20 times).
Sep 22 2019 06:44:39: %ASA-5-750007: Local:7.9.3.1:500 Remote:2.2.1.3:500 Username:2.2.1.3 IKEv2 SA DOWN. Reason: unknown
Sep 22 2019 06:44:39: %ASA-4-113019: Group = 2.2.1.3, Username = 2.2.1.3, IP = 2.2.1.3, Session disconnected. Session Type: LAN-to-LAN, Duration: 1h:02m:47s, Bytes xmt: 205355, Bytes rcv: 287237, Reason: Internal Error

Please suggest.

Thanks
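Since the thread has only the raw syslog excerpts to go on, here is an added Python example (not from the thread and not Cisco code) that reads ASA syslog text in the format quoted above and summarises, per remote peer, how many IKEv2 SA DOWN events occurred, the seconds between consecutive drops, the reported Reason, and the Duration carried by the matching %ASA-4-113019 line. The sample input is constructed from the excerpts in this thread (with the second post's masked addresses); the message IDs and field layout are exactly those shown in the quoted lines.

```python
"""Summarise ASA IKEv2 tunnel drops per peer from syslog text.
Added example for this thread; reads only the three message IDs quoted in it:
750007 (IKEv2 SA DOWN), 113019 (Session disconnected), 752003 (KEY_ACQUIRE)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample input, modelled on the excerpts quoted in the thread.
# Not real device output.
SAMPLE_LOG = """\
Sep 18 2019 03:53:36: %ASA-5-750007: Local:7.9.3.1:500 Remote:2.2.1.3:500 Username:2.2.1.3 IKEv2 SA DOWN. Reason: unknown
Sep 18 2019 03:53:36: %ASA-4-113019: Group = 2.2.1.3, Username = 2.2.1.3, IP = 2.2.1.3, Session disconnected. Session Type: LAN-to-LAN, Duration: 1h:02m:47s, Bytes xmt: 227326, Bytes rcv: 284076, Reason: Internal Error
Sep 18 2019 03:54:01: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = CRYPTO-MAP. Map Sequence Number = 1.
Sep 22 2019 06:44:39: %ASA-5-750007: Local:7.9.3.1:500 Remote:2.2.1.3:500 Username:2.2.1.3 IKEv2 SA DOWN. Reason: unknown
Sep 22 2019 06:44:39: %ASA-4-113019: Group = 2.2.1.3, Username = 2.2.1.3, IP = 2.2.1.3, Session disconnected. Session Type: LAN-to-LAN, Duration: 1h:02m:47s, Bytes xmt: 205355, Bytes rcv: 287237, Reason: Internal Error
"""

HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
SA_DOWN_RE = re.compile(
    r"Local:(?P<local>[\d.]+):\d+ Remote:(?P<remote>[\d.]+):\d+ .*?"
    r"IKEv2 SA DOWN\. Reason: (?P<reason>.+)$")
DISCONNECT_RE = re.compile(
    r"IP = (?P<peer>[\d.]+), Session disconnected\. "
    r"Session Type: (?P<stype>[^,]+), Duration: (?P<dur>[^,]+), "
    r".*Reason: (?P<reason>.+)$")
DURATION_RE = re.compile(r"(\d+)h:(\d+)m:(\d+)s")


def duration_seconds(text):
    """'1h:02m:47s' (ASA session-duration format) -> 3767."""
    m = DURATION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    hours, minutes, seconds = map(int, m.groups())
    return hours * 3600 + minutes * 60 + seconds


def parse_line(line):
    """Split one ASA syslog line into timestamp, message id and body."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "msgid": m["msgid"], "body": m["body"]}


def summarize(log_text):
    """Per-peer drop counts, seconds between drops, reasons and durations."""
    sa_down, reasons = Counter(), Counter()
    down_times, durations = defaultdict(list), defaultdict(list)
    key_acquires = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msgid"] == "750007":
            m = SA_DOWN_RE.search(rec["body"])
            if m:
                sa_down[m["remote"]] += 1
                reasons[m["reason"].strip()] += 1
                down_times[m["remote"]].append(rec["ts"])
        elif rec["msgid"] == "113019":
            m = DISCONNECT_RE.search(rec["body"])
            if m and m["stype"] == "LAN-to-LAN":
                durations[m["peer"]].append(duration_seconds(m["dur"]))
        elif rec["msgid"] == "752003":
            key_acquires += 1
    # Seconds between consecutive SA DOWN events for the same peer.
    intervals = {peer: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
                 for peer, ts in down_times.items()}
    # True when every recorded drop for a peer carried the same Duration,
    # i.e. the session always dies at the same age.
    same_duration = {peer: len(d) > 1 and len(set(d)) == 1
                     for peer, d in durations.items()}
    return {"sa_down": dict(sa_down), "reasons": dict(reasons),
            "intervals": intervals, "durations": dict(durations),
            "same_duration": same_duration, "key_acquires": key_acquires}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Run it against the full syslog covering all 135 events rather than the two quoted lines. If `same_duration` comes out True for the peer, the tunnel is dying at a fixed session age, which is worth comparing against the IKEv2 and IPsec SA lifetimes configured on both ASAs (`show running-config crypto` on each side) before spending time on debugs; the script only summarises the pattern and does not identify the cause.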

In my experience, debugging is the best next step at this point.

It can be challenging to analyze without support but we can try. Level 7 debugs typically suffice.

debug crypto condition peer <address of your peer gateway>
debug crypto ike-common 7
debug crypto ipsec 7

Make sure you are capturing the debug output in your terminal (i.e. log your terminal output to a file), then save and post it for analysis.

Marvin Rhoads
Hall of Fame

If you're experiencing network or system down issues you should open a TAC case.

Hi

Since this is a refurbished device, there is no service contract.

Any help is appreciated.
Thanks