09-05-2023 06:07 AM
Hi All,
I am facing an issue whereby traffic suddenly stops passing over a VPN tunnel, even though the tunnel remains up. It appears that encapsulations and decapsulations stop and no one can connect to any endpoints via the tunnel. Performing a 'clear crypto ikev2 sa 1.2.3.4' fixes it; however, this is happening frequently now and neither I nor Cisco have a fix.
For some context, the FWs were recently upgraded to 9.16(4)27, which is when the issue began. The issue never happened prior to this. Cisco have confirmed there is no bug on this FW version for IPsec traffic to suddenly stop. The issue also only seems to happen on VPNs that have a higher traffic load.
The issue seems to happen when phase 2 is renegotiated. It doesn't happen every time it renegotiates, which made me originally believe it was a bug. Some of the tunnels can go days without issues, then have 2 issues in 8 hours. I also seem to get the below statement in the log when it happens, which I can't find anything about online (I think this may be a result of the tunnel not passing traffic, though, and not the cause of it):
Local:172.1.2.3:500 Remote:5.6.7.8:500 Username:1.2.3.4 IKEv2 Negotiation aborted due to ERROR: Platform errors
I have provided some config snippet elements below. I'd be interested to see if anyone has any recommendations. Happy to provide more info.
interface Tunnel99
 ip address 11.11.11.11 255.255.255.252
 tunnel source interface outside
 tunnel destination 1.2.3.4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecprofile-AWS-XXX

crypto ipsec profile ipsecprofile-AWS-XXX
 set ikev2 ipsec-proposal transform-AWS-XXXX
 set pfs group14
 set security-association lifetime seconds 3600

crypto ipsec ikev2 ipsec-proposal transform-AWS-XXXX
 protocol esp encryption aes-256
 protocol esp integrity sha-256

tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
 isakmp keepalive threshold 10 retry 3
 ikev2 remote-authentication pre-shared-key XXXXX
 ikev2 local-authentication pre-shared-key XXXXX
Thanks
09-05-2023 01:34 PM
This seems to be a bug in the software. Have you escalated to a senior Cisco TAC engineer?
Local:172.1.2.3:500 Remote:5.6.7.8:500 Username:1.2.3.4 IKEv2 Negotiation aborted due to ERROR: Platform errors
Either a hardware or a software error on one or both.
(OR)
It could be a configuration issue, but again this is overridden by the fact that your tunnel works and then all of a sudden drops the traffic on phase two.
Can you not revert/roll back to the previous version? Try changing the phase 2 PFS value: either uncheck it or decrease it.
05-21-2024 10:59 PM
Our VPN tunnel just died in the middle of the night. Eventually I had the same errors on 9.16(2)14, which indeed seems like a bug. Changing the IKE version to 2 ended up in this error. IKEv1 didn't work at all. After a reboot of the device all went back to normal.
We are going to upgrade the device to one of the latest versions.
05-22-2024 12:45 AM
Hi Roel,
The issue was identified and fixed for us. We upgraded to version 9.16(4)57. Bug ID CSCwi33817. Completely fixed the issues.
In the meantime, you shouldn't need to reboot to restore the VPNs. Just a 'clear crypto ikev2 sa' should do the trick.
Thanks
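The symptom described in the original question (SA still listed, but encaps/decaps counters frozen) and the workaround given in the reply above (`clear crypto ikev2 sa <peer>`) lend themselves to a small monitoring check. The following script is an added example, not code from the thread or from Cisco: it compares two `show crypto ipsec sa` snapshots taken a few minutes apart, flags peers whose SA is still present but whose counters did not move, corroborates with any "IKEv2 Negotiation aborted" syslog lines for the same peer, and emits the clear command per affected peer. The snapshots and the log line are constructed for this example (they imitate the ASA output layout and reuse the thread's placeholder addresses); fetching real output over SSH is left to the caller.

```python
import re

# Constructed sample data for this example (not captured from the thread's devices).
# The two snapshots imitate the layout of ASA `show crypto ipsec sa`, taken a few
# minutes apart. Peer 1.2.3.4 is "up but silent": its SA is still listed but neither
# counter moved. Peer 9.9.9.9 is healthy (both counters advanced).
SNAPSHOT_T0 = """\
peer address: 1.2.3.4
    Crypto map tag: __vti-crypto-map-Tunnel99-0-99, seq num: 65280, local addr: 172.1.2.3
      #pkts encaps: 48359, #pkts encrypt: 48359, #pkts digest: 48359
      #pkts decaps: 51222, #pkts decrypt: 51222, #pkts verify: 51222
peer address: 9.9.9.9
    Crypto map tag: __vti-crypto-map-Tunnel98-0-98, seq num: 65280, local addr: 172.1.2.3
      #pkts encaps: 1000, #pkts encrypt: 1000, #pkts digest: 1000
      #pkts decaps: 900, #pkts decrypt: 900, #pkts verify: 900
"""

SNAPSHOT_T1 = """\
peer address: 1.2.3.4
    Crypto map tag: __vti-crypto-map-Tunnel99-0-99, seq num: 65280, local addr: 172.1.2.3
      #pkts encaps: 48359, #pkts encrypt: 48359, #pkts digest: 48359
      #pkts decaps: 51222, #pkts decrypt: 51222, #pkts verify: 51222
peer address: 9.9.9.9
    Crypto map tag: __vti-crypto-map-Tunnel98-0-98, seq num: 65280, local addr: 172.1.2.3
      #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
      #pkts decaps: 1300, #pkts decrypt: 1300, #pkts verify: 1300
"""

# Constructed syslog line in the format quoted in the thread; "Username" carries the peer.
SAMPLE_LOG = [
    "Local:172.1.2.3:500 Remote:5.6.7.8:500 Username:1.2.3.4 "
    "IKEv2 Negotiation aborted due to ERROR: Platform errors",
]

ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
ABORT_RE = re.compile(r"Username:(\S+)\s+IKEv2 Negotiation aborted due to ERROR:\s*(.+)$")


def parse_counters(output):
    """Return {peer: (encaps, decaps)}, summing every SA listed under a peer."""
    counters = {}
    peer = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("peer address:"):
            peer = line.split(":", 1)[1].strip()
            counters.setdefault(peer, [0, 0])
            continue
        if peer is None:
            continue
        m = ENCAPS_RE.search(line)
        if m:
            counters[peer][0] += int(m.group(1))
        m = DECAPS_RE.search(line)
        if m:
            counters[peer][1] += int(m.group(1))
    return {p: tuple(v) for p, v in counters.items()}


def stalled_peers(before, after):
    """Peers whose SA is still present in `after` but whose encaps AND decaps
    counters are identical to `before`. A counter that went backwards (reset after
    a clear or a fresh SA) counts as activity, not as a stall. A peer missing from
    `after` is a tunnel-down case, not the 'up but silent' case, so it is skipped."""
    stalled = []
    for peer, (enc1, dec1) in after.items():
        if peer not in before:
            continue  # new SA since the last snapshot, nothing to compare yet
        enc0, dec0 = before[peer]
        if enc1 == enc0 and dec1 == dec0:
            stalled.append(peer)
    return stalled


def aborted_peers(log_lines):
    """Map peer -> error text for every 'IKEv2 Negotiation aborted' syslog line."""
    found = {}
    for line in log_lines:
        m = ABORT_RE.search(line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found


def triage(before_output, after_output, log_lines):
    """Combine the counter stall check with the syslog evidence and produce the
    per-peer ASA command from the thread's workaround."""
    stalled = stalled_peers(parse_counters(before_output), parse_counters(after_output))
    aborts = aborted_peers(log_lines)
    return [
        {"peer": p, "ike_error": aborts.get(p), "fix": f"clear crypto ikev2 sa {p}"}
        for p in stalled
    ]


if __name__ == "__main__":
    for item in triage(SNAPSHOT_T0, SNAPSHOT_T1, SAMPLE_LOG):
        print(item)
```

Two caveats before wiring this to an automatic `clear`: the comparison only makes sense on tunnels that carry steady traffic (the original post notes the problem shows on higher-load tunnels, and a genuinely idle tunnel would trip it), and `clear crypto ikev2 sa <peer>` tears down the IKE SA and every child SA for that peer, so the script should report and let an operator confirm, or at least require the syslog corroboration before acting.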