VPN Intermittently Dropping to AWS (ASA 5516)

oliclarke7
Level 1

Hi All,

I am facing an issue whereby traffic suddenly stops passing over a VPN tunnel, even though the tunnel remains up. It appears that encapsulations & decapsulations stop and no one can connect to any endpoints via the tunnel. Performing a 'clear crypto ikev2 sa 1.2.3.4' fixes it; however, this is happening frequently now and neither I nor Cisco have a fix.

For some context, the FWs were recently upgraded to 9.16(4)27, which caused the issue to begin. The issue never happened prior to this. Cisco have confirmed there is no bug on this FW version for IPsec traffic to suddenly stop. The issue also only seems to happen on VPNs that have a higher traffic load.

The issue seems to happen when phase 2 is renegotiated. It doesn't happen every time it renegotiates, which made me originally believe it was a bug. Some of the tunnels can go days without issues, then have 2 issues in 8 hours. I also seem to get the below statement in the log when it happens, which I can't find anything about online (I think this may be a result of the tunnel not passing traffic though, and not the cause of it):

Local:172.1.2.3:500 Remote:5.6.7.8:500 Username:1.2.3.4 IKEv2 Negotiation aborted due to ERROR: Platform errors

I have provided some config snippet elements below - I'd be interested to see if anyone has any recommendations. Happy to provide more info.

interface Tunnel99
ip address 11.11.11.11 255.255.255.252
tunnel source interface outside
tunnel destination 1.2.3.4
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecprofile-AWS-XXX

crypto ipsec profile ipsecprofile-AWS-XXX
set ikev2 ipsec-proposal transform-AWS-XXXX
set pfs group14
set security-association lifetime seconds 3600

crypto ipsec ikev2 ipsec-proposal transform-AWS-XXXX
protocol esp encryption aes-256
protocol esp integrity sha-256

tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
isakmp keepalive threshold 10 retry 3
ikev2 remote-authentication pre-shared-key XXXXX
ikev2 local-authentication pre-shared-key XXXXX

Thanks
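As an added example (not from this thread, Cisco, or AWS), a small Python poller that detects the symptom described above: the IPsec SA is still listed, but the encaps/decaps counters stop moving between two samples of `show crypto ipsec sa`, optionally correlated with the 'Platform errors' syslog line quoted in the post. The sample output, the crypto map tag and the counter values are constructed; only the `#pkts encaps/decaps` line format follows real ASA output.

```python
import re

# Constructed sample in the shape of ASA `show crypto ipsec sa peer <ip>` output.
# The counter lines use the real ASA format; the numbers and map tag are made up.
SNAPSHOT_T0 = """\
peer address: 1.2.3.4
    Crypto map tag: __vti-crypto-map-Tunnel99-0-99, seq num: 65280, local addr: 172.1.2.3
      #pkts encaps: 4815162, #pkts encrypt: 4815162, #pkts digest: 4815162
      #pkts decaps: 2342001, #pkts decrypt: 2342001, #pkts verify: 2342001
"""
# Same tunnel one polling interval later: SA still present, both counters frozen.
SNAPSHOT_T1 = SNAPSHOT_T0
# A healthy poll of the same tunnel: both directions advanced.
SNAPSHOT_HEALTHY = SNAPSHOT_T0.replace("4815162", "4815990").replace("2342001", "2342430")

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
# Message text of the syslog line quoted in the thread, minus the variable address fields.
PLATFORM_ERR_RE = re.compile(r"IKEv2 Negotiation aborted due to ERROR: Platform errors")

def parse_counters(show_output):
    """Extract {'encaps': n, 'decaps': n} from show output; raise if no SA is listed."""
    found = {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(show_output)}
    if set(found) != {"encaps", "decaps"}:
        raise ValueError("no IPsec SA counters found: tunnel down or wrong peer")
    return found

def classify_tunnel(before, after):
    """Compare two polls of a tunnel that is expected to carry steady traffic.

    'passing'  both counters moved
    'stalled'  SA still up but neither direction moved (the symptom in this thread)
    'tx_only' / 'rx_only'  one direction frozen, e.g. a routing or peer-side fault
    """
    tx = after["encaps"] > before["encaps"]
    rx = after["decaps"] > before["decaps"]
    if tx and rx:
        return "passing"
    if not tx and not rx:
        return "stalled"
    return "tx_only" if tx else "rx_only"

def stalled_with_platform_error(before_txt, after_txt, syslog_lines):
    """True when the counters are frozen and the 'Platform errors' line also appeared."""
    verdict = classify_tunnel(parse_counters(before_txt), parse_counters(after_txt))
    saw_err = any(PLATFORM_ERR_RE.search(line) for line in syslog_lines)
    return verdict == "stalled" and saw_err
```

In practice the two snapshots would come from polling the ASA (SSH or an API) at a fixed interval, and a 'stalled' verdict on a busy tunnel is the trigger for an alert or for the `clear crypto ikev2 sa` workaround rather than a reboot.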

3 Replies

This seems to be a bug in the software. Have you escalated to a senior Cisco TAC engineer?

Local:172.1.2.3:500 Remote:5.6.7.8:500 Username:1.2.3.4 IKEv2 Negotiation aborted due to ERROR: Platform errors

Either a hardware or software error on one or both.

(OR)

Could be a configuration issue, but again this is overridden as your tunnel works and all of a sudden it drops the traffic on phase two.

Can you not revert/roll back to the previous version? Try to change the phase 2 PFS value: either uncheck it or decrease it.

Please do not forget to rate.

RoelG
Level 1

Our VPN tunnel just died in the middle of the night. Eventually I had the same errors on 9.16(2)14, which indeed seems like a bug. Changing the IKE version to 2 ended up in this error. IKEv1 didn't work at all. After a reboot of the device all went back to normal.

We are going to upgrade the device to one of the latest versions.

Hi Roel,


The issue was identified and fixed for us. We upgraded to version 9.16(4)57. Bug ID CSCwi33817. Completely fixed the issues.


In the meantime, you shouldn’t need to reboot to restore the VPNs. Just a ‘clear crypto ikev2 sa’ should do the trick.


Thanks