05-19-2018 12:16 PM - edited 03-12-2019 05:18 AM
The VPN tunnel gets reset for one of my peer IPs with the reason IKE delete. Whenever this peer gets disconnected, it always shows the reason IKE delete. What is the reason behind this error?
Also please find the snap for the same.
Device- ASA5545x software version 9.8.2
VPN parameters-
ikev2- AES256 SHA256
keep alive phase 1 - 86400
keep alive phase 2 - 28800
This problem is occurring after 8 hours.
Also, this is an outbound VPN, so we are continuously hitting their destination production servers. Even though there is traffic on the VPN, it still gets disconnected after 8 hours and reconnects within 60 sec. Find the detailed configs below:
#sh crypto ipsec sa peer x.x.x.x
peer address: x.x.x.x
Crypto map tag: outside_map, seq num: 47, local addr:x.x.x.x
access-list outside_cryptomap_48 extended permit ip host x.x.x.x host x.x.x.x
local ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/0/0)
current_peer: x.x.x.x
#pkts encaps: 42482, #pkts encrypt: 42482, #pkts digest: 42482
#pkts decaps: 37887, #pkts decrypt: 37887, #pkts verify: 37887
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 42482, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.x/500, remote crypto endpt.: x.x.x.150/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 0BA0445E
current inbound spi : A796CCC4
inbound esp sas:
spi: 0xA796CCC4 (2811677892)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 11837440, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4232928/19048)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x0BA0445E (195052638)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 11837440, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3906674/19048)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
05-20-2018 04:11 AM
What is on the remote end of the VPN? An ASA as well?
Also, did you try enabling the IKE keepalives? If you are sending constant interesting traffic, the key lifetimes will expire after like 28800 seconds, but will renegotiate. Change the lifetime and see if it deletes less often.
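An added example, not part of the original thread: a small Python parser for the `sa timing` lines in the `show crypto ipsec sa` output above, reporting how old each ESP SA is against the 28800-second phase 2 lifetime stated in the question (28800 s is 8 hours, the interval at which the drop is reported). The function names, the 300-second warning threshold and the trimmed sample text are assumptions made for this example.

```python
import re

# Constructed sample: trimmed from the "show crypto ipsec sa" output in the post.
SAMPLE = """\
inbound esp sas:
spi: 0xA796CCC4 (2811677892)
SA State: active
sa timing: remaining key lifetime (kB/sec): (4232928/19048)
outbound esp sas:
spi: 0x0BA0445E (195052638)
SA State: active
sa timing: remaining key lifetime (kB/sec): (3906674/19048)
"""

SECTION = re.compile(r"^\s*(inbound|outbound) esp sas:", re.I)
SPI = re.compile(r"^\s*spi:\s*(0x[0-9A-Fa-f]+)")
TIMING = re.compile(r"remaining key lifetime \(kB/sec\):\s*\((\d+)/(\d+)\)")

def parse_sas(text):
    """Return one dict per ESP SA: direction, spi, remaining kB and seconds."""
    sas, direction, current = [], None, None
    for line in text.splitlines():
        if m := SECTION.match(line):
            direction = m.group(1).lower()
        elif m := SPI.match(line):
            current = {"direction": direction, "spi": m.group(1)}
            sas.append(current)
        elif (m := TIMING.search(line)) and current is not None:
            current["kb_left"] = int(m.group(1))
            current["sec_left"] = int(m.group(2))
    return sas

def rekey_report(text, lifetime_sec=28800, warn_below_sec=300):
    """Add SA age and a near-expiry flag, given the configured lifetime."""
    report = []
    for sa in parse_sas(text):
        if "sec_left" not in sa:
            continue  # SA block without a timing line (e.g. truncated output)
        sa["age_sec"] = lifetime_sec - sa["sec_left"]
        sa["near_expiry"] = sa["sec_left"] < warn_below_sec
        report.append(sa)
    return report

if __name__ == "__main__":
    for sa in rekey_report(SAMPLE):
        print(sa)
```

Running it against successive captures shows whether the reported disconnect lines up with the SA reaching the end of its configured lifetime.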
05-19-2018 12:35 PM - edited 05-19-2018 04:19 PM
05-20-2018 10:30 AM