Monday, October 21, 2019

Weird IKEv2 S2S behaviour, IKEv2 SA keeps dropping out, Cisco ASA on 9.6(4)34

Hello everyone,

I am at a loss here, we have a Site-to-Site VPN from our Datacenter to one of our customers. We manage both sides of the VPN tunnel. On the DC side we have a Cisco ASA 5525-X on 9.6(4)34 and on the customer side we have a Cisco ASA 5506-X also on 9.6(4)34.

The VPN tunnel is a simple IKEv2 Site-to-Site VPN without NAT-T.

Every 2 hours and some 30 seconds the IKEv2 SA drops out and forces the tunnel to be rebuilt immediately. The result is a loss of connectivity for about 1~2 seconds. I have not been able to find the cause of the issue.

Both sides are configured exactly the same, and they are both running on the same ASA version (latest Interim on 9.6(4)). We keep track of informational log messages in the ASA "vpn" logging class on both sides. The DC side reports the following when the IKEv2 SA is being torn down.

%ASA-4-113019: Group = <ip_customer>, Username = <ip_customer>, IP = <ip_customer> Session disconnected. Session Type: LAN-to-LAN, Duration: 2h:00m:29s, Bytes xmt: 662624342, Bytes rcv: 185154622, Reason: User Requested

The customer side reports two different messages (there is no pattern to which message is displayed when) when the IKEv2 SA is being torn down.

Sometimes it is an "operator request".

%ASA-5-750007: Local:<ip_customer>:500 Remote:<ip_datacenter>:500 Username:<ip_datacenter> IKEv2 SA DOWN. Reason: operator request

Sometimes it is "application initiated".

Looking up this message in Cisco docs (https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html#con_6774730) brings up the following:

750007

Error Message: %ASA-5-750007: Local: local IP: local port Remote: remote IP: remote port Username: username SA DOWN. Reason: reason

Explanation: An SA was torn down or deleted for the given reason, such as a request by the peer, operator request (via an administrator action), rekey, and so on.

local IP:local port — Local IP address for this request. The ASA IP address and port number used for this connection

remote IP:remote port — Remote IP address for this request. Peer IP address and port number that the connection is coming from

username — Username of the requester for remote access, if known yet

reason — Reason that the SA came into the DOWN state

Recommended Action: None required.

I am pretty certain that I am not logging out the VPN tunnel every 2 hours and 30 seconds. Our logging also doesn't see any logged-in admin sessions, nor do we have any automated scripts that log out the VPN. As for what the "application initiated" reason means, I cannot find any information about that.

At first I thought it might be due to some DPD issue; however, the counters on both ASAs showed that the DPD in/out counters were identical (which means that the DPD exchanges are successful). To rule out DPD I have disabled ISAKMP keepalive (DPD) to make sure a buggy DPD wasn't causing the ASA to force the IKEv2 SA down. This yielded no result (still every 2 hours and 30 seconds the IKEv2 SA goes down).

The IKEv2 platform and protocol debugs (debug crypto ikev2 platform 127, debug crypto ikev2 protocol 127) don't show anything in the leadup to the IKEv2 SA going down, only the setup of the SA directly thereafter.

Does anyone have ideas what to do next? Cisco TAC is also an option, but I would like to make that a last resort.

Thanks!
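One thing that helps when chasing a drop like this is to pull the two message types quoted above out of the syslog from both peers and check, mechanically, that the teardowns really are periodic and that each DC-side 113019 lines up with a customer-side 750007. The script below is an added example, not code from the original post or from Cisco: it parses %ASA-4-113019 (with its Duration and Reason fields) and %ASA-5-750007 (Reason only), pairs the two sides by timestamp, and reports the measured interval between drops. The log lines are constructed, the IPs are documentation addresses standing in for <ip_customer> and <ip_datacenter>, and the timestamp format assumes the ASA's "logging timestamp" prefix (e.g. "Oct 21 2019 08:00:29").

```python
"""Correlate ASA IKEv2 teardown syslogs from two peers and check periodicity.

Added example, not part of the original post. Parses %ASA-4-113019 (DC side,
carries Duration + Reason) and %ASA-5-750007 (customer side, Reason only),
pairs events across the two peers by time, and measures the interval between
successive drops. Sample lines are constructed; timestamp layout assumed.
"""
import re
from datetime import datetime

# Constructed sample logs. 198.51.100.2 stands in for <ip_customer>,
# 203.0.113.1 for <ip_datacenter>; both are documentation addresses.
DC_LOG = """\
Oct 21 2019 08:00:29 %ASA-4-113019: Group = 198.51.100.2, Username = 198.51.100.2, IP = 198.51.100.2 Session disconnected. Session Type: LAN-to-LAN, Duration: 2h:00m:29s, Bytes xmt: 662624342, Bytes rcv: 185154622, Reason: User Requested
Oct 21 2019 10:00:59 %ASA-4-113019: Group = 198.51.100.2, Username = 198.51.100.2, IP = 198.51.100.2 Session disconnected. Session Type: LAN-to-LAN, Duration: 2h:00m:30s, Bytes xmt: 12345, Bytes rcv: 6789, Reason: User Requested
Oct 21 2019 12:01:29 %ASA-4-113019: Group = 198.51.100.2, Username = 198.51.100.2, IP = 198.51.100.2 Session disconnected. Session Type: LAN-to-LAN, Duration: 2h:00m:30s, Bytes xmt: 222, Bytes rcv: 333, Reason: User Requested
"""
CUSTOMER_LOG = """\
Oct 21 2019 08:00:29 %ASA-5-750007: Local:198.51.100.2:500 Remote:203.0.113.1:500 Username:203.0.113.1 IKEv2 SA DOWN. Reason: operator request
Oct 21 2019 10:00:59 %ASA-5-750007: Local:198.51.100.2:500 Remote:203.0.113.1:500 Username:203.0.113.1 IKEv2 SA DOWN. Reason: application initiated
Oct 21 2019 12:01:29 %ASA-5-750007: Local:198.51.100.2:500 Remote:203.0.113.1:500 Username:203.0.113.1 IKEv2 SA DOWN. Reason: operator request
"""

TS_RE = r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})"
DC_RE = re.compile(
    TS_RE + r" %ASA-4-113019: .*?Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s"
    r".*?Reason: (?P<reason>.+)$"
)
CUST_RE = re.compile(TS_RE + r" %ASA-5-750007: .*?SA DOWN\. Reason: (?P<reason>.+)$")


def _ts(s):
    return datetime.strptime(s, "%b %d %Y %H:%M:%S")


def parse_dc(text):
    """DC-side 113019 events: timestamp, session duration in seconds, reason."""
    events = []
    for line in text.splitlines():
        m = DC_RE.search(line)
        if m:
            dur = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            events.append({"ts": _ts(m["ts"]), "duration_s": dur,
                           "reason": m["reason"].strip()})
    return events


def parse_customer(text):
    """Customer-side 750007 events: timestamp and the SA DOWN reason."""
    return [{"ts": _ts(m["ts"]), "reason": m["reason"].strip()}
            for m in (CUST_RE.search(l) for l in text.splitlines()) if m]


def correlate(dc_events, cust_events, window_s=5):
    """Pair each DC teardown with the customer SA DOWN nearest in time (within window)."""
    pairs = []
    for ev in dc_events:
        near = min(cust_events, default=None,
                   key=lambda c: abs((c["ts"] - ev["ts"]).total_seconds()))
        if near and abs((near["ts"] - ev["ts"]).total_seconds()) <= window_s:
            pairs.append((ev["reason"], near["reason"]))
    return pairs


def periodicity(dc_events, tolerance_s=5):
    """(is_periodic, median_gap_s): periodic if every inter-drop gap sits within tolerance of the median."""
    gaps = sorted((b["ts"] - a["ts"]).total_seconds()
                  for a, b in zip(dc_events, dc_events[1:]))
    if not gaps:
        return (False, None)
    med = gaps[len(gaps) // 2]
    return (all(abs(g - med) <= tolerance_s for g in gaps), med)


if __name__ == "__main__":
    dc, cust = parse_dc(DC_LOG), parse_customer(CUSTOMER_LOG)
    print("durations (s):", [e["duration_s"] for e in dc])
    print("reason pairs (DC, customer):", correlate(dc, cust))
    print("periodic, interval (s):", periodicity(dc))
```

A steady interval with near-identical session durations, as the constructed data shows, points at a timer on one of the peers rather than a transient network event, so the reported period is the number to hold against whatever rekey and session timers are configured on either ASA; the reason pairing also makes the "operator request" / "application initiated" alternation on the customer side visible in one place instead of having to eyeball two syslog feeds.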
