IPSEC Phase 2 Duplicate Causes VPN Tunnel to get stuck
Harow last edited by Harow
I was wondering if someone can help, recently i've upgraded to:
built on Thu May 10 15:02:52 CDT 2018
I have received calls to say users can not access internet services or VOIP phones have gone down, when checking the situation I have noticed that there is a replication of the phase 2 which causes the issue. It looks like the old phase 2's are hanging and the new ones are passing traffic but due to the old established being kept the VPN is getting confused. After deleting the VPN phase 2 entries which are not sending or recieving any more it starts to work.
please note that this device is supporting 2 VPN's which looks like this:
MAIN BUILDING -----------> FIRST HOP 192.168.73.129/25 -------------> 192.168.157.0 & 192.168.72.129/25SECOND BUILDING
The entries with the negative rekey times should not be there.
What have you done with the phase 1 and phase 2 lifetimes, the disable rekey checkbox, and the margin times?
The multiple P2s being shown look more like a symptom of the problem, not the cause. It looks like they are simply showing you there is a problem rekeying with the other side. What is on the other side?
Harow last edited by
@derelict a cisco firepower NGA.
P1 standard config no changes to margintime and lifetime 28800.
P2 lifetime 3600.
For some reason I think the rekey goes into minus until the lifetime expires.
While it is down you can also pcap the IPsec traffic and see what SPD it is arriving for.
Something between the two endpoints is getting out of sync, apparently.
I would take a really close look at the IPsec logs and see what's happening at re-key time.