VPN and tunnel interface

Hello

I configured a VPN tunnel between a Cisco router and an NSX Edge Gateway, using IKEv2 and the tunnel interface Tunnel178.
After some time, log messages began to appear about the tunnel interface going down and coming back up.
Example:

VRN-CISR-01#
Sep 23 08:50:14.393: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel178, changed state to down
Sep 23 08:50:14.545: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel178, changed state to up

The interface reconnects at random; it can work for a few minutes, or sometimes less than a minute.

VRN-CISR-01#sh cry ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         185.23.XXX.XXX/500    78.155.XXX.XXX/500    none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/65 sec

 IPv6 Crypto IKEv2  SA

VRN-CISR-01#

Running the ikev2 debug shows the following:

Sep 23 08:42:11.717: IKEv2:Checking for duplicate IPsec SA with same proxies
Sep 23 08:42:11.717: IKEv2-ERROR:IPsec SA with same proxies already exists
Sep 23 08:42:11.717: IKEv2-ERROR:(SESSION ID = 624,SA ID = 2):IPsec SA with same proxies already exists
Sep 23 08:42:11.717: IKEv2:(SESSION ID = 624,SA ID = 2):Sending temporary failure notify
Sep 23 08:42:11.717: IKEv2:(SESSION ID = 624,SA ID = 2):Building packet for encryption.
Payload contents:
 NOTIFY(TEMPORARY_FAILURE)

Tunnel from Cisco side:

crypto ikev2 proposal SBP02-PROP-1
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy SBP02-POL-1
 proposal SBP02-PROP-1
!
crypto ikev2 keyring SPB02-KEYRING-1
 peer CLOUD-SPB02
  address 78.155.XXX.XXX
  pre-shared-key local P@ssw0rd
  pre-shared-key remote P@ssw0rd
!
crypto ikev2 profile SPB02-PROFILE-1
 match identity remote address 78.155.XXX.XXX 255.255.255.255
 identity local address 185.23.XXX.XXX
 authentication remote pre-share
 authentication local pre-share
 keyring local SPB02-KEYRING-1
 dpd 30 5 periodic
!
crypto ipsec transform-set SPB02-TS-1 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile SPB02-PROFILE-1
 set transform-set SPB02-TS-1
 set ikev2-profile SPB02-PROFILE-1
 set pfs group14
!
interface Tunnel178
 description "SPB02"
 ip address 172.16.178.36 255.255.255.0
 ip nat inside
 tunnel source Dialer2
 tunnel mode ipsec ipv4
 tunnel destination 78.155.XXX.XXX
 tunnel protection ipsec profile SPB02-PROFILE-1
!
ip route 10.178.0.0 255.255.0.0 Tunnel178
end
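The debug output above shows the sequence a defender wants to catch: the router finds it already holds an IPsec SA for the same traffic selectors ("IPsec SA with same proxies already exists"), answers the peer with a TEMPORARY_FAILURE notify, and the tunnel line protocol then flaps. The following Python script is an added example, not code from the post or from Cisco: it parses IOS syslog and IKEv2 debug lines of the kind quoted, flags interfaces whose line protocol changes state repeatedly inside a time window, and lists the IKEv2 error and notify messages logged just before each "down" transition so the two symptoms can be tied together. The log lines embedded in the script are constructed to mirror the post's output (a non-flapping Tunnel5 is added for contrast), and the 10-minute window, 4-change threshold and 5-second lookback are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog/debug lines modelled on the output quoted in the post.
# They are not the poster's actual logs; Tunnel5 is added to show a non-flapping interface.
SAMPLE_LOG = """\
Sep 23 08:42:11.717: IKEv2:Checking for duplicate IPsec SA with same proxies
Sep 23 08:42:11.717: IKEv2-ERROR:IPsec SA with same proxies already exists
Sep 23 08:42:11.717: IKEv2-ERROR:(SESSION ID = 624,SA ID = 2):IPsec SA with same proxies already exists
Sep 23 08:42:11.717: IKEv2:(SESSION ID = 624,SA ID = 2):Sending temporary failure notify
Sep 23 08:42:12.010: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel178, changed state to down
Sep 23 08:42:12.301: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel178, changed state to up
Sep 23 08:50:14.393: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel178, changed state to down
Sep 23 08:50:14.545: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel178, changed state to up
Sep 23 08:51:02.100: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel178, changed state to down
Sep 23 08:51:02.400: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel178, changed state to up
Sep 23 09:10:00.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel5, changed state to up
"""

# IOS timestamp prefix "Mon DD HH:MM:SS.mmm: " (no year) followed by the message body.
TS_RE = re.compile(r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): (?P<body>.*)$")
UPDOWN_RE = re.compile(
    r"%LINEPROTO-5-UPDOWN: Line protocol on Interface (?P<intf>\S+), changed state to (?P<state>up|down)"
)
# IKEv2-ERROR lines appear both with and without the "(SESSION ID = n,SA ID = m):" prefix.
IKEV2_ERROR_RE = re.compile(
    r"IKEv2-ERROR:\s*(?:\(SESSION ID = (?P<sid>\d+),\s*SA ID = (?P<said>\d+)\):\s*)?(?P<msg>.+)"
)
IKEV2_NOTIFY_RE = re.compile(r"IKEv2:\s*(?:\([^)]*\):\s*)?(?P<msg>Sending .+? notify)")


def parse_events(text):
    """Turn raw log text into a list of typed events, preserving log order."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line.strip())
        if not m:
            continue  # prompts, blank lines and anything without an IOS timestamp are skipped
        # The log carries no year, so strptime defaults to 1900; only time deltas are used below.
        ts = datetime.strptime(m["stamp"], "%b %d %H:%M:%S.%f")
        body = m["body"]
        ud = UPDOWN_RE.search(body)
        if ud:
            events.append({"ts": ts, "kind": "linkstate", "intf": ud["intf"], "state": ud["state"]})
            continue
        err = IKEV2_ERROR_RE.search(body)
        if err:
            events.append({"ts": ts, "kind": "ikev2", "msg": err["msg"].strip()})
            continue
        ntf = IKEV2_NOTIFY_RE.search(body)
        if ntf:
            events.append({"ts": ts, "kind": "ikev2", "msg": ntf["msg"].strip()})
    return events


def flapping_interfaces(events, window=timedelta(minutes=10), min_changes=4):
    """Return {interface: max line-protocol changes seen inside any `window`} for interfaces
    that reach `min_changes` (both thresholds are assumptions, not Cisco defaults)."""
    per_intf = defaultdict(list)
    for e in events:
        if e["kind"] == "linkstate":
            per_intf[e["intf"]].append(e["ts"])
    flapping = {}
    for intf, times in per_intf.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over the sorted transition times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_changes:
            flapping[intf] = best
    return flapping


def down_transitions_with_ikev2_context(events, lookback=timedelta(seconds=5)):
    """For each 'down' transition, collect the distinct IKEv2 error/notify messages logged
    within `lookback` before it (assumption: that proximity is close enough to relate them)."""
    ikev2 = [e for e in events if e["kind"] == "ikev2"]
    findings = []
    for e in events:
        if e["kind"] != "linkstate" or e["state"] != "down":
            continue
        related = sorted({x["msg"] for x in ikev2 if timedelta(0) <= e["ts"] - x["ts"] <= lookback})
        findings.append({"intf": e["intf"], "ts": e["ts"], "ikev2_context": related})
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for intf, n in flapping_interfaces(evs).items():
        print(f"{intf}: {n} line-protocol changes within the window -> flapping")
    for f in down_transitions_with_ikev2_context(evs):
        stamp = f["ts"].strftime("%b %d %H:%M:%S.%f")[:-3]
        print(f"{stamp} {f['intf']} down; IKEv2 context: {f['ikev2_context'] or 'none'}")
```

Feed it `show logging` output or a syslog export with `debug crypto ikev2` enabled on the router, and the first "down" that is preceded by a "same proxies" error plus a "Sending temporary failure notify" line is the one to investigate: it means the router still held a child SA for those selectors when the peer tried to negotiate another one.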

Did you ever solve this? I have the same issue...

Make a new post, it's better.
MHM