IPsec re-keying between MX68 and ASA5525 sometimes fails

Tats
Conversationalist

IPsec re-keying between MX68 and ASA5525 sometimes fails

Hello,

 

I am having this issue that Ipsec VPN re-keying between ASA5525 and MX68 sometimes fails.

 

This issue happens about once a week.

I have a workaround for the issue which is clearing ikev1 sa and ipsec sa on ASA side but I would like to know the root cause of this issue.

 

I read this somewhere that lifetime of ike1 tunnel should always be greater than lifetime of ipsec tunnel (although I could not find the reason of this practice.)

 

My current config is not following this practice. means that phase 1 and phase 2 have the same lifetime at this moment.

Could this config cause this re-key issue?

 

I see these logs on ASA side:

Removing peer from correlator table failed, no match!

All IPSec SA proposals found unacceptable!

 

I

Best regards,

Tats

4 REPLIES 4
PhilipDAth
Kind of a big deal
Kind of a big deal

>My current config is not following this practice. means that phase 1 and phase 2

 

There is nothing wrong with them having the same lifetime.  Don't change that.

 

>All IPSec SA proposals found unacceptable!

 

This is frequently because of a difference in the source and destination encryption domains between the two ends.

Tats
Conversationalist

Hi Philip,

 

Thanks for your reply.

 

Ok I will keep the lifetime as it is.

 

>This is frequently because of a difference in the source and destination encryption domains between the two ends.

I do not quite get what this means. can you explain?

 

PhilipDAth
Kind of a big deal
Kind of a big deal

The ASA will have an access-list saying what to encrypt.  It must exactly match what the MX has been told to encrypt.

Tats
Conversationalist

Thanks Philip,

 

Ok now i see.

Yes, I have the exactly same ACLs that match bidirectionally.

 

One thing I noticed in ASDM that I have data lifetime set to the default value 4GB although this config is not seen on the running-config. I will set it to unlimited to see if this helps.

 

Regards,

Tats

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels