Third-party site-to-site vpn failing/recovering at random

SOLVED

Kind of a big deal

I have a site-to-site tunnel between an ASA5525 and an MX65. I control both ends.

Tunnel had been running successfully for several months, so far as my team was aware. Recently, it's begun failing at random then recovering after 5-20 minutes without us doing anything.

When I review the event log on the MX, I see from earliest to latest:

1. msg: IPsec-SA expired: ESP/Tunnel
2. msg: initiate new phase 2 negotiation
3. msg: notification NO-PROPOSAL-CHOSEN received in informational exchange (repeats 5 times)

Cycle repeats for 5-20 minutes, then tunnel establishes p2 again just fine.

I've confirmed that both phase 1 and phase 2 match on each end. Coworkers looked too! But we're still getting this behavior.

Current settings:

p1: 3DES/SHA1/DH2/Lifetime 28800
p2: AES256/SHA1/no PFS/28800

Anyone have any suggestions? I have filed a more detailed ticket with Support.
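The three-line event sequence in the post (SA expiry, phase 2 re-initiation, repeated NO-PROPOSAL-CHOSEN until recovery) is easy to miss in a busy event log. The following is an added example, not code from the post or from Meraki, that groups such lines into rekey episodes and reports how many proposals the peer rejected and how long each outage lasted. The "YYYY-MM-DD HH:MM:SS msg: ..." line layout and the "IPsec-SA established" recovery line are assumptions, and the log sample is constructed to mirror the post's description:

```python
import re
from datetime import datetime

# Constructed sample mirroring the event sequence the post describes.
# The timestamp layout and the "IPsec-SA established" recovery marker are
# assumptions for this example, not a documented MX export format.
SAMPLE_LOG = """\
2020-05-01 10:00:00 msg: IPsec-SA expired: ESP/Tunnel
2020-05-01 10:00:01 msg: initiate new phase 2 negotiation
2020-05-01 10:00:02 msg: notification NO-PROPOSAL-CHOSEN received in informational exchange
2020-05-01 10:00:31 msg: initiate new phase 2 negotiation
2020-05-01 10:00:32 msg: notification NO-PROPOSAL-CHOSEN received in informational exchange
2020-05-01 10:01:01 msg: initiate new phase 2 negotiation
2020-05-01 10:01:02 msg: notification NO-PROPOSAL-CHOSEN received in informational exchange
2020-05-01 10:01:31 msg: initiate new phase 2 negotiation
2020-05-01 10:01:32 msg: notification NO-PROPOSAL-CHOSEN received in informational exchange
2020-05-01 10:02:01 msg: initiate new phase 2 negotiation
2020-05-01 10:02:02 msg: notification NO-PROPOSAL-CHOSEN received in informational exchange
2020-05-01 10:11:00 msg: initiate new phase 2 negotiation
2020-05-01 10:11:01 msg: IPsec-SA established: ESP/Tunnel
2020-05-01 18:00:00 msg: IPsec-SA expired: ESP/Tunnel
2020-05-01 18:00:01 msg: initiate new phase 2 negotiation
2020-05-01 18:00:02 msg: IPsec-SA established: ESP/Tunnel
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) msg: (.*)$")


def parse_events(text):
    """Return a list of (timestamp, message) for lines in the assumed layout."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return events


def find_outages(events):
    """Group events into rekey episodes.

    An episode opens on an 'IPsec-SA expired' line and closes on the next
    'IPsec-SA established' line (the assumed recovery marker). Inside it we
    count phase 2 attempts and NO-PROPOSAL-CHOSEN rejections from the peer.
    """
    outages = []
    current = None
    for ts, msg in events:
        if msg.startswith("IPsec-SA expired"):
            current = {"start": ts, "end": None, "attempts": 0, "rejections": 0}
            outages.append(current)
        elif current is None or current["end"] is not None:
            continue  # not inside an open episode
        elif msg.startswith("initiate new phase 2 negotiation"):
            current["attempts"] += 1
        elif "NO-PROPOSAL-CHOSEN" in msg:
            current["rejections"] += 1
        elif msg.startswith("IPsec-SA established"):
            current["end"] = ts
    for o in outages:
        o["duration_s"] = (o["end"] - o["start"]).total_seconds() if o["end"] else None
    return outages


def classify(outage):
    """Label an episode the way an operator would read it."""
    if outage["rejections"] == 0:
        return "clean rekey"
    dur = "unknown" if outage["duration_s"] is None else f"{outage['duration_s']:.0f} s"
    # The thread's root cause for this pattern was forced NAT-T on the MX,
    # found after phase 2 parameters had already been verified on both ends.
    return (f"failed rekey: peer answered {outage['rejections']} of "
            f"{outage['attempts']} phase 2 proposals with NO-PROPOSAL-CHOSEN, "
            f"recovered after {dur}")


if __name__ == "__main__":
    for o in find_outages(parse_events(SAMPLE_LOG)):
        print(o["start"], classify(o))
```

Run against the constructed sample it reports one failed rekey of 661 seconds with five rejected proposals (the pattern in the post) followed by a clean rekey; on a real export, a string of "failed rekey" episodes spaced roughly one lifetime apart is the signature to look for before comparing phase 2 parameters and the NAT-T setting on both peers.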

2 REPLIES

Here to help

Re: Third-party site-to-site vpn failing/recovering at random

NO-PROPOSAL-CHOSEN is mainly due to a mismatched phase 2 security association.

Can you share screenshots of both sides' Lifetime, IKE Version, Mode, PFS, etc.?

Kind of a big deal (accepted solution)

Re: Third-party site-to-site vpn failing/recovering at random

So my subnets and settings all matched. The culprit here?

The MX was set to force NAT-T. After having support disable it on the back end, magically my tunnel has been stable. I can't find NO-PROPOSAL-CHOSEN errors in the logs in the last twenty-four hours, instead of seeing them every hour or so.

Ran into the idea from some older threads on this very forum.

I didn't want to be That Person who fixed the problem and then never came back to say how.
