
VPN session disconnected with reason IKE delete.

Rohit  Patil
Level 1

The VPN tunnel gets reset for one of my peer IPs with the reason IKE delete. Whenever this peer gets disconnected, it always shows the reason IKE delete. What is the reason behind this error?

Also please find the snap for the same.

 


Device- ASA5545x software version 9.8.2
VPN parameters-
ikev2- AES256 SHA256
keep alive phase 1 - 86400
keep alive phase 2 - 28800

This problem is occurring after 8 hours.
Also, this is an outbound VPN, so we are continuously hitting their destination production servers. Even though there is traffic on the VPN, the VPN still gets disconnected after 8 hours and reconnects within 60 sec. Find the detailed configs below:

#sh crypto ipsec sa peer x.x.x.x
peer address: x.x.x.x
Crypto map tag: outside_map, seq num: 47, local addr:x.x.x.x

access-list outside_cryptomap_48 extended permit ip host x.x.x.x host x.x.x.x
local ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/0/0)
current_peer: x.x.x.x


#pkts encaps: 42482, #pkts encrypt: 42482, #pkts digest: 42482
#pkts decaps: 37887, #pkts decrypt: 37887, #pkts verify: 37887
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 42482, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: x.x.x.x/500, remote crypto endpt.: x.x.x.150/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 0BA0445E
current inbound spi : A796CCC4

inbound esp sas:
spi: 0xA796CCC4 (2811677892)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 11837440, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4232928/19048)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x0BA0445E (195052638)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 11837440, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3906674/19048)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

 

 

Rohit Patil
Network Engineer

Accepted Solutions

Dennis Mink
VIP Alumni

What is on the remote end of the VPN? An ASA as well?

Also, did you try enabling the IKE keepalives? If you are sending constant interesting traffic, the key lifetimes will expire after like 28800 seconds, but will renegotiate. Change the lifetime and see if it deletes less often.

Please remember to rate useful posts, by clicking on the stars below.



Rohit  Patil
Level 1

At the remote end they have a Dell SonicWall firewall.

"if you are sending constant interesting traffic the key lifetimes will expire after like 28800 seconds, but will renegotiate."
Yes, it is renegotiating, but it is showing IKE delete and we are losing our existing connections, while for other tunnels we are not observing any connection loss while renegotiating ...
Rohit Patil
Network Engineer
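
Added example, not part of the thread: the posted `show crypto ipsec sa` output already shows how far each ESP SA is into its lifetime, so the `sa timing` lines can be turned into a projected expiry time and compared with the timestamp of the logged IKE delete. It assumes the 28800-second phase 2 lifetime quoted in the question; `sa_report`, `near_expiry`, the capture time and the 300-second window are hypothetical names and values.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the SA lines from the output posted in the thread.
SAMPLE = """\
inbound esp sas:
spi: 0xA796CCC4 (2811677892)
sa timing: remaining key lifetime (kB/sec): (4232928/19048)
outbound esp sas:
spi: 0x0BA0445E (195052638)
sa timing: remaining key lifetime (kB/sec): (3906674/19048)
"""

DIRECTION = re.compile(r"^\s*(inbound|outbound) esp sas:")
SPI = re.compile(r"^\s*spi:\s*(0x[0-9A-Fa-f]+)")
TIMING = re.compile(r"remaining key lifetime \(kB/sec\):\s*\((\d+)/(\d+)\)")

def sa_report(text, captured_at, lifetime_s=28800):
    """Return one dict per ESP SA with its age and projected expiry time.

    lifetime_s is an assumption: the phase 2 lifetime quoted in the thread.
    """
    rows, direction, spi = [], None, None
    for line in text.splitlines():
        if m := DIRECTION.match(line):
            direction, spi = m.group(1), None
        elif m := SPI.match(line):
            spi = m.group(1)
        elif (m := TIMING.search(line)) and direction and spi:
            kb_left, sec_left = int(m.group(1)), int(m.group(2))
            if sec_left > lifetime_s:
                # More time left than the assumed lifetime: the assumption is wrong.
                raise ValueError(f"{spi}: {sec_left}s left exceeds {lifetime_s}s")
            rows.append({
                "direction": direction, "spi": spi, "kb_left": kb_left,
                "age_s": lifetime_s - sec_left,
                "expires_at": captured_at + timedelta(seconds=sec_left),
            })
    return rows

def near_expiry(row, event_time, window_s=300):
    """True if a logged disconnect falls within window_s of the SA's time-based expiry."""
    return abs((event_time - row["expires_at"]).total_seconds()) <= window_s

if __name__ == "__main__":
    captured = datetime(2024, 1, 1, 12, 0, 0)  # constructed capture time
    for r in sa_report(SAMPLE, captured):
        print(r["direction"], r["spi"], "age", r["age_s"], "expires", r["expires_at"])
```

A disconnect that lands inside the window points at the time-based SA lifetime; one that lands well before it points elsewhere, for example at the peer's own timer or the kB lifetime.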