IPsec re-keying between MX68 and ASA5525 sometimes fails

Conversationalist

Hello,

 

I am having an issue where IPsec VPN re-keying between ASA5525 and MX68 sometimes fails.

 

This issue happens about once a week.

I have a workaround for the issue, which is clearing the IKEv1 SA and IPsec SA on the ASA side, but I would like to know the root cause of this issue.

 

I read somewhere that the lifetime of the IKEv1 tunnel should always be greater than the lifetime of the IPsec tunnel (although I could not find the reason for this practice).

 

My current config is not following this practice, meaning that phase 1 and phase 2 have the same lifetime at the moment.

Could this config cause this re-key issue?

 

I see these logs on ASA side:

Removing peer from correlator table failed, no match!

All IPSec SA proposals found unacceptable!

 

I

Best regards,

Tats

4 REPLIES
Kind of a big deal

Re: IPsec re-keying between MX68 and ASA5525 sometimes fails

>My current config is not following this practice. means that phase 1 and phase 2

 

There is nothing wrong with them having the same lifetime.  Don't change that.

 

>All IPSec SA proposals found unacceptable!

 

This is frequently because of a difference in the source and destination encryption domains between the two ends.

Conversationalist

Re: IPsec re-keying between MX68 and ASA5525 sometimes fails

Hi Philip,

 

Thanks for your reply.

 

Ok I will keep the lifetime as it is.

 

>This is frequently because of a difference in the source and destination encryption domains between the two ends.

I do not quite get what this means. Can you explain?

 

Kind of a big deal

Re: IPsec re-keying between MX68 and ASA5525 sometimes fails

The ASA will have an access-list saying what to encrypt.  It must exactly match what the MX has been told to encrypt.
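The check Philip describes, that the ASA's crypto ACL must mirror exactly what the MX has been told to encrypt, can be done mechanically. The script below is an added example and is not from this thread, Cisco, or Meraki. It parses constructed `access-list ... extended permit ip` lines from an ASA running-config (the ACL name `MX_VPN_ACL` and all subnets are made-up), builds the set of source/destination pairs the ASA will encrypt, and compares it against the subnet pairs an MX would derive from its local networks and the remote private subnets configured for the peer. Any pair present on one side but not the other is exactly the kind of mismatch that produces "All IPSec SA proposals found unacceptable!" when a phase 2 SA for that pair is (re)negotiated.

```python
"""Compare an ASA crypto ACL against an MX site-to-site encryption domain.

Added example; ACL name, subnets and config text below are constructed.
"""
import ipaddress

# Constructed fragment of an ASA running-config (hypothetical ACL name).
ASA_CONFIG = """
access-list MX_VPN_ACL extended permit ip 10.10.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list MX_VPN_ACL extended permit ip 10.10.0.0 255.255.0.0 192.168.60.0 255.255.255.0
access-list MX_VPN_ACL extended permit ip 172.16.5.0 255.255.255.0 192.168.50.0 255.255.255.0
"""

# Constructed view of the MX side: its own VPN-enabled local subnets and the
# private subnets configured for the ASA peer.
MX_LOCAL_SUBNETS = ["192.168.50.0/24", "192.168.60.0/24"]
MX_REMOTE_SUBNETS = ["10.10.0.0/16", "172.16.5.0/24"]


def _parse_addr(tokens, i):
    """Parse one ASA address spec starting at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # Plain "address netmask" form, e.g. 10.10.0.0 255.255.0.0
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_asa_crypto_acl(config_text, acl_name):
    """Return the set of (source_net, destination_net) pairs the ACL permits."""
    pairs = set()
    for line in config_text.splitlines():
        tokens = line.split()
        if (len(tokens) < 6 or tokens[0] != "access-list" or tokens[1] != acl_name
                or tokens[2] != "extended" or tokens[3] != "permit" or tokens[4] != "ip"):
            continue  # not a crypto-ACL permit line for this ACL
        src, i = _parse_addr(tokens, 5)
        dst, _ = _parse_addr(tokens, i)
        pairs.add((src, dst))
    return pairs


def compare_encryption_domains(asa_pairs, mx_local, mx_remote):
    """Report subnet pairs that differ between the ASA ACL and the MX view.

    From the ASA's perspective the ACL source is the ASA-side network (the MX's
    remote subnet) and the destination is the MX-side network (the MX's local
    subnet), so the expected ASA pairs are every (remote, local) combination.
    """
    local = [ipaddress.ip_network(n) for n in mx_local]
    remote = [ipaddress.ip_network(n) for n in mx_remote]
    expected = {(r, l) for r in remote for l in local}

    def fmt(pair):
        return f"{pair[0]} -> {pair[1]}"

    return {
        "missing_on_asa": sorted(fmt(p) for p in expected - asa_pairs),
        "extra_on_asa": sorted(fmt(p) for p in asa_pairs - expected),
    }


def check_sample():
    """Run the comparison over the constructed sample data."""
    pairs = parse_asa_crypto_acl(ASA_CONFIG, "MX_VPN_ACL")
    return compare_encryption_domains(pairs, MX_LOCAL_SUBNETS, MX_REMOTE_SUBNETS)


if __name__ == "__main__":
    report = check_sample()
    for key, items in report.items():
        print(f"{key}: {items or 'none'}")
```

On the constructed data the ASA ACL is missing the pair 172.16.5.0/24 -> 192.168.60.0/24, so a tunnel can work for days and then fail the first time a rekey or new SA is attempted for that particular subnet pair, which matches the intermittent symptom in the thread. Both sides must agree on every pair, not just on the pairs carrying traffic right now.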

Conversationalist

Re: IPsec re-keying between MX68 and ASA5525 sometimes fails

Thanks Philip,

 

OK, now I see.

Yes, I have exactly the same ACLs, matching bidirectionally.

 

One thing I noticed in ASDM is that I have the data lifetime set to the default value of 4 GB, although this config is not seen in the running-config. I will set it to unlimited to see if this helps.

 

Regards,

Tats
