Cisco ASA VPN – Troubleshooting Regular Disconnections

Tags: cisco, network-access, vpn

We have a Cisco ASA IPsec VPN with a Sonicwall, but we are seeing random disconnections after 8 hours, or sometimes 10 hours. I am unable to trace the issue, so I just wonder: is there a simple setting to renegotiate the tunnel automatically, or something like that? We want to keep this tunnel up forever; what could be wrong?

Updated config:

crypto map external_map 100 match address VPN-ACL
crypto map external_map 100 set pfs
crypto map external_map 100 set peer 201.x.xx.xx 96.xx.xx.xx
crypto map external_map 100 set ikev2 ipsec-proposal ESP-AES128-SHA
crypto map external_map 65535 ipsec-isakmp dynamic external_dynamic_map
crypto map external_map interface external
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 28800

tunnel-group 201.xx.xx.xx type ipsec-l2l
tunnel-group 201.xx.xx.xx ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

Logs:

2016-09-12 10:36:43 Local4.Warning  172.6.xx.xx fw01 %ASA-4-750003: Local:xx.xx.xxx.xxx:500 Remote:xx.xx.xx.xx:500 Username:Unknown IKEv2 Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group

Command Output:

IKEv2 SAs:

Session-id:12204, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
992958129     3x.xx.xx.xx/500     172.6.xx.xx/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 28800/22805 sec
Child sa: local selector  172.16.xx.0/0 - 172.16.xx.255/65535
          remote selector 192.168.xx.0/0 - 192.168.xx.255/65535
          ESP spi in/out: 0x1f9328de/0xa58a697d


fw0# sh crypto ipsec sa peer 172.6.xx.xx
peer address: 172.6.xx.xx
    Crypto map tag: external_map, seq num: 100, local addr: 3x.xx.xx.xx

      access-list VPN-ACL extended permit ip 172.16.xx.0 255.255.255.0 192.168.xx.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.xx.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.xx.0/255.255.255.0/0/0)
      current_peer: 172.6.xx.xx


      #pkts encaps: 1300384, #pkts encrypt: 1300384, #pkts digest: 1300384
      #pkts decaps: 1571043, #pkts decrypt: 1571043, #pkts verify: 1571043
      #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 1300384, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 3x.xx.xx.xx/500, remote crypto endpt.: 172.6.xx.xx/500
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: A58A697D
      current inbound spi : 1F9328DE

    inbound esp sas:
      spi: 0x1F9328DE (529737950)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
         slot: 0, conn_id: 113205248, crypto-map: external_map
         sa timing: remaining key lifetime (kB/sec): (3881171/62699)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
          0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
          0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
          0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
          0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
          0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
          0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
          0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xA58A697D (2777311613)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
         slot: 0, conn_id: 113205248, crypto-map: external_map
         sa timing: remaining key lifetime (kB/sec): (3687630/62699)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000000 0x00000000 0x00000001
          0x00000000 0x00000000 0x00000000 0x00000000
          0x00000000 0x00000000 0x00000000 0x00000000
          0x00000000 0x00000000 0x00000000 0x00000000
          0x00000000 0x00000000 0x00000000 0x00000000
          0x00000000 0x00000000 0x00000000 0x00000000
          0x00000000 0x00000000 0x00000000 0x00000000
          0x00000000 0x00000000 0x00000000 0x00000000


Best Answer

I see there is no Phase 2 timeout set; try adding a one-hour security association lifetime on both peers:

crypto map external_map 100 set security-association lifetime seconds 3600
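The question's config, its %ASA-4-750003 syslog line and the `Life/Active Time` field of the `show crypto ikev2 sa` output, together with the answer's lifetime suggestion, can be checked mechanically. The Python below is an added example, not Cisco's code and not the poster's. It assumes the ASA defaults of 28800 s for an IPsec SA lifetime that is not configured and 86400 s for an IKEv2 policy with no lifetime line; the peer addresses and the second syslog line in its sample data are constructed placeholders. It parses the crypto map and IKEv2 policy, reports a missing phase 2 lifetime (the gap the answer points at), flags `set pfs` without an explicit group so it can be compared with the peer, extracts the failure reason from 750003 messages, and computes the seconds left until IKE rekey.

```python
"""Checks for the ASA IKEv2/IPsec config, syslog and SA output discussed above.

Added example; not Cisco's code and not the poster's. Assumptions: ASA
defaults of 28800 s (IPsec SA) and 86400 s (IKEv2 policy) when no lifetime
is configured; addresses in the sample data are constructed placeholders.
"""
import re
from typing import Dict, List, Optional

ASA_IPSEC_SA_DEFAULT_SECONDS = 28800  # assumed ASA default phase 2 lifetime
ASA_IKEV2_DEFAULT_SECONDS = 86400     # assumed ASA default IKEv2 policy lifetime

# Constructed sample: the question's config with placeholder peer addresses.
ASA_CONFIG = """\
crypto map external_map 100 match address VPN-ACL
crypto map external_map 100 set pfs
crypto map external_map 100 set peer 198.51.100.1 203.0.113.1
crypto map external_map 100 set ikev2 ipsec-proposal ESP-AES128-SHA
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 28800
"""

# Constructed syslog sample: the 750003 line from the question plus an unrelated line.
SYSLOG = """\
2016-09-12 10:36:43 Local4.Warning 172.6.0.1 fw01 %ASA-4-750003: Local:198.51.100.1:500 Remote:203.0.113.1:500 Username:Unknown IKEv2 Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group
2016-09-12 10:36:50 Local4.Info 172.6.0.1 fw01 %ASA-6-302013: Built inbound TCP connection 1 for inside:10.1.1.1/1234 (10.1.1.1/1234) to outside:10.2.2.2/443 (10.2.2.2/443)
"""

# Constructed excerpt of 'show crypto ikev2 sa' with the question's timing values.
SHOW_IKEV2_SA = "Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:2\n      Life/Active Time: 28800/22805 sec\n"


def parse_crypto_map(config: str, map_name: str, seq: int) -> Dict[str, object]:
    """Collect PFS and SA-lifetime settings of one crypto map entry."""
    entry: Dict[str, object] = {"pfs": False, "pfs_group": None, "sa_lifetime_seconds": None}
    prefix = f"crypto map {map_name} {seq} "
    for line in config.splitlines():
        if not line.startswith(prefix):
            continue
        rest = line[len(prefix):].split()
        if rest[:2] == ["set", "pfs"]:
            entry["pfs"] = True
            entry["pfs_group"] = rest[2] if len(rest) > 2 else None
        elif rest[:3] == ["set", "security-association", "lifetime"] and rest[3] == "seconds":
            entry["sa_lifetime_seconds"] = int(rest[4])
    return entry


def parse_ikev2_policy(config: str, policy: int) -> Dict[str, Optional[object]]:
    """Return the DH group and lifetime of 'crypto ikev2 policy <policy>'."""
    result: Dict[str, Optional[object]] = {"group": None, "lifetime_seconds": None}
    in_block = False
    for line in config.splitlines():
        if line.startswith("crypto ikev2 policy "):
            in_block = line.split()[3] == str(policy)
            continue
        if not in_block or not line.startswith(" "):  # unindented line ends the block
            in_block = False
            continue
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "group":
            result["group"] = tok[1]
        elif tok[:2] == ["lifetime", "seconds"]:
            result["lifetime_seconds"] = int(tok[2])
    return result


def check_lifetimes(config: str, map_name: str, seq: int, policy: int) -> List[str]:
    """Heuristic findings about phase 1 / phase 2 lifetimes and PFS in the config."""
    cm = parse_crypto_map(config, map_name, seq)
    pol = parse_ikev2_policy(config, policy)
    findings: List[str] = []
    ike_life = pol["lifetime_seconds"] or ASA_IKEV2_DEFAULT_SECONDS
    if cm["sa_lifetime_seconds"] is None:
        ipsec_life = ASA_IPSEC_SA_DEFAULT_SECONDS
        findings.append(f"crypto map {map_name} {seq}: no explicit IPsec SA lifetime; "
                        f"platform default {ipsec_life} s applies")
    else:
        ipsec_life = int(cm["sa_lifetime_seconds"])
    if ipsec_life >= ike_life:
        findings.append(f"IPsec SA lifetime {ipsec_life} s is not shorter than IKEv2 SA "
                        f"lifetime {ike_life} s; both SAs expire in the same window")
    if cm["pfs"] and cm["pfs_group"] is None:
        findings.append(f"crypto map {map_name} {seq}: 'set pfs' without a group uses the "
                        f"platform default; confirm it matches the peer's PFS group")
    return findings


SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")


def parse_asa_syslog(line: str) -> Optional[Dict[str, object]]:
    """Split an ASA syslog line into severity, message id, body and ERROR reason."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    reason = re.search(r"ERROR: (.*)$", m.group("body"))
    return {"severity": int(m.group("sev")), "msgid": m.group("msgid"),
            "body": m.group("body"), "reason": reason.group(1) if reason else None}


def ike_failures(lines: List[str]) -> List[Dict[str, object]]:
    """Return only the %ASA-4-750003 (IKEv2 negotiation aborted) records."""
    parsed = (parse_asa_syslog(l) for l in lines)
    return [r for r in parsed if r and r["msgid"] == "750003"]


LIFE_RE = re.compile(r"Life/Active Time: (\d+)/(\d+) sec")


def seconds_until_ike_rekey(show_output: str) -> Optional[int]:
    """Seconds left on the IKE SA from the 'Life/Active Time' field."""
    m = LIFE_RE.search(show_output)
    return int(m.group(1)) - int(m.group(2)) if m else None


if __name__ == "__main__":
    for f in check_lifetimes(ASA_CONFIG, "external_map", 100, 10):
        print("finding:", f)
    for r in ike_failures(SYSLOG.splitlines()):
        print("IKE failure:", r["reason"])
    print("seconds until IKE rekey:", seconds_until_ike_rekey(SHOW_IKEV2_SA))
```

Running it against the question's config yields three findings (unset phase 2 lifetime, phase 2 not shorter than phase 1, PFS group left at default); appending the answer's `set security-association lifetime seconds 3600` line clears the first two. The syslog filter is the piece worth keeping in a log pipeline: a recurring 750003 with a DH-group reason at the rekey interval is a mismatch to resolve on both peers, not a transient error.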