We have a Cisco ASA IPsec VPN
with a SonicWall, but we are seeing this randomly after 8 hours or sometimes 10 hours. I am unable to trace the issue, so I just wonder whether there is a simple setting to renegotiate the tunnel automatically or something like that? We want to keep this tunnel up for ever; what could be wrong?
UPDATED config
crypto map external_map 100 match address VPN-ACL
crypto map external_map 100 set pfs
crypto map external_map 100 set peer 201.x.xx.xx 96.xx.xx.xx
crypto map external_map 100 set ikev2 ipsec-proposal ESP-AES128-SHA
crypto map external_map 65535 ipsec-isakmp dynamic external_dynamic_map
crypto map external_map interface external
crypto ikev2 policy 10
encryption aes
integrity sha
group 2
prf sha
lifetime seconds 28800
tunnel-group 201.xx.xx.xx type ipsec-l2l
tunnel-group 201.xx.xx.xx ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
Logs:
2016-09-12 10:36:43 Local4.Warning 172.6.xx.xx fw01 %ASA-4-750003: Local:xx.xx.xxx.xxx:500 Remote:xx.xx.xx.xx:500 Username:Unknown IKEv2 Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group
Command Output:
IKEv2 SAs:
Session-id:12204, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
992958129 3x.xx.xx.xx/500 172.6.xx.xx/500 READY RESPONDER
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/22805 sec
Child sa: local selector 172.16.xx.0/0 - 172.16.xx.255/65535
remote selector 192.168.xx.0/0 - 192.168.xx.255/65535
ESP spi in/out: 0x1f9328de/0xa58a697d
fw0# sh crypto ipsec sa peer 172.6.xx.xx
peer address: 172.6.xx.xx
Crypto map tag: external_map, seq num: 100, local addr: 3x.xx.xx.xx
access-list VPN-ACL extended permit ip 172.16.xx.0 255.255.255.0 192.168.xx.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.xx.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.xx.0/255.255.255.0/0/0)
current_peer: 172.6.xx.xx
#pkts encaps: 1300384, #pkts encrypt: 1300384, #pkts digest: 1300384
#pkts decaps: 1571043, #pkts decrypt: 1571043, #pkts verify: 1571043
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1300384, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 3x.xx.xx.xx/500, remote crypto endpt.: 172.6.xx.xx/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: A58A697D
current inbound spi : 1F9328DE
inbound esp sas:
spi: 0x1F9328DE (529737950)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 113205248, crypto-map: external_map
sa timing: remaining key lifetime (kB/sec): (3881171/62699)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xA58A697D (2777311613)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 113205248, crypto-map: external_map
sa timing: remaining key lifetime (kB/sec): (3687630/62699)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
Best Answer
I see there is no Phase 2 timeout set; try adding a one-hour association on both peers:
crypto map external_map 100 set security-association lifetime seconds 3600
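The log line and the two `show` outputs in the question carry the facts a defender needs to correlate here: which DH group the live IKE SA negotiated, how much of the 28800 s IKE lifetime (8 hours, matching the reported drop interval) is left, how much child SA lifetime is left, and whether the ASA has logged a `%ASA-4-750003` abort with the "wrong DH group" reason. The script below is an added example, not code from the original thread, Cisco or SonicWall; it parses those three artifacts and prints the findings. The sample syslog and `show` text are constructed to mirror the layouts posted above with documentation addresses; the message and field layouts are assumed to be stable across ASA releases.

```python
"""Correlate ASA IKEv2 syslog and 'show crypto' output to explain a tunnel drop.

Added example (not from the original post). Assumes the %ASA-4-750003
message format and the 'show crypto ikev2 sa' / 'show crypto ipsec sa'
layouts seen in the thread; sample inputs are constructed.
"""
import re

# Constructed sample syslog: one IKEv2 abort plus an unrelated connection message.
SAMPLE_SYSLOG = """2016-09-12 10:36:43 Local4.Warning 172.6.0.1 fw01 %ASA-4-750003: Local:203.0.113.10:500 Remote:198.51.100.20:500 Username:Unknown IKEv2 Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group
2016-09-12 10:37:01 Local4.Info 172.6.0.1 fw01 %ASA-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.20/443 (198.51.100.20/443) to inside:10.0.0.5/52000 (10.0.0.5/52000)
"""

# Constructed 'show crypto ikev2 sa' excerpt, same fields as in the thread.
SAMPLE_IKEV2_SA = """IKEv2 SAs:
Session-id:12204, Status:UP-ACTIVE, IKE count:1, CHILD count:1
992958129 203.0.113.10/500 198.51.100.20/500 READY RESPONDER
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/22805 sec
"""

# Constructed 'show crypto ipsec sa' excerpt (inbound child SA only).
SAMPLE_IPSEC_SA = """inbound esp sas:
spi: 0x1F9328DE (529737950)
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
sa timing: remaining key lifetime (kB/sec): (3881171/62699)
"""

ABORT_RE = re.compile(
    r"%ASA-4-750003: Local:(?P<local>[\d.]+):\d+ Remote:(?P<remote>[\d.]+):\d+ "
    r".*?aborted due to ERROR: (?P<reason>.+)$"
)


def parse_ikev2_aborts(syslog_text):
    """Return one dict (local, remote, reason) per ASA 750003 abort message."""
    return [m.groupdict() for line in syslog_text.splitlines()
            if (m := ABORT_RE.search(line))]


def parse_ikev2_sa(text):
    """Extract the DH group and IKE SA lifetime/active seconds."""
    grp = re.search(r"DH Grp:(\d+)", text)
    life = re.search(r"Life/Active Time: (\d+)/(\d+) sec", text)
    if not (grp and life):
        raise ValueError("unrecognised 'show crypto ikev2 sa' output")
    life_s, active_s = int(life.group(1)), int(life.group(2))
    return {"dh_group": int(grp.group(1)), "ike_life": life_s,
            "ike_active": active_s, "ike_remaining": life_s - active_s}


def parse_ipsec_sa(text):
    """Extract the PFS group and remaining child SA lifetime (kB and seconds)."""
    pfs = re.search(r"PFS Group (\d+)", text)
    timing = re.search(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)", text)
    if not (pfs and timing):
        raise ValueError("unrecognised 'show crypto ipsec sa' output")
    return {"pfs_group": int(pfs.group(1)),
            "child_remaining_kb": int(timing.group(1)),
            "child_remaining_sec": int(timing.group(2))}


def assess(aborts, ike, ipsec):
    """Turn the parsed artifacts into human-readable findings."""
    findings = []
    dh_aborts = [e for e in aborts if "wrong DH group" in e["reason"]]
    if dh_aborts:
        findings.append(
            f"{len(dh_aborts)} IKEv2 abort(s) with DH-group mismatch from peer "
            f"{dh_aborts[0]['remote']}; the live IKE SA uses DH group "
            f"{ike['dh_group']}, so the peer offers a different group when it "
            f"(re)negotiates. Align the IKE/PFS group on both sides.")
    if ipsec["pfs_group"] != ike["dh_group"]:
        findings.append(
            f"PFS group {ipsec['pfs_group']} differs from IKE DH group "
            f"{ike['dh_group']}; check the peer accepts both.")
    if ipsec["child_remaining_sec"] > ike["ike_remaining"]:
        findings.append(
            f"IKE SA rekeys in {ike['ike_remaining'] / 3600:.1f} h, before the "
            f"child SA ({ipsec['child_remaining_sec'] / 3600:.1f} h left); a "
            f"failed IKE rekey tears the tunnel down. Set an explicit, shorter "
            f"Phase 2 lifetime matched on both peers so rekeys are exercised "
            f"regularly and failures surface early.")
    return findings


def run(syslog=SAMPLE_SYSLOG, ikev2=SAMPLE_IKEV2_SA, ipsec=SAMPLE_IPSEC_SA):
    """Parse all three inputs and return the findings list."""
    return assess(parse_ikev2_aborts(syslog), parse_ikev2_sa(ikev2),
                  parse_ipsec_sa(ipsec))


if __name__ == "__main__":
    for f in run():
        print("-", f)
```

Feed it real output with `run(open("syslog.txt").read(), ...)`; the 750003 filter means an unrelated warning on the same log does not produce a finding, and the lifetime comparison is what tells you the drop is tied to the IKE SA rekey rather than the child SA.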