A site to site VPN between a Cisco 2951 router and Azure is set up. The tunnel came up once it was configured but it had random disconnection every day. The disconnection happens two or three times every day and it comes back by itself in some time (20~80 mins, not the same). My IOS version is 15.1 and I completely use the downloaded configuration from Azure.
At first I thought it was just internet instability but one time I tried to reset the VPN using 'clear crypto ikev2 sa remote x.x.x.x', the tunnel came up immediately. So it proved it was not an internet issue, it was definitely a VPN configuration issue.
Instead of using the default configurations, I tried to modify the 'lifetime' feature for both phase 1 (28800s) and phase 2 (kilobytes 102400000 and 3600s). With no luck...
Below are the logs I recorded on my device. Any suggestions are appreciated!
Thanks
Patrick
~~~~~~~~~~~~~~~~~~~~~~~~~~
Jul 5 10:40:13: ISAKMP:(12598):R-U-THERE-A
Jul 5 10:40:31: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:40:31: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:40:31: IKEv2:(87): There was no IPSEC policy found for received TS
Jul 5 10:40:31: IKEv2:(87):
Jul 5 10:40:32: IKEv2:Packet is a retransmission
Jul 5 10:40:32: IKEv2:
Jul 5 10:40:33: IKEv2:Packet is a retransmission
Jul 5 10:40:33: IKEv2:
Jul 5 10:40:35: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=6055, sequence number=1630460
Jul 5 10:40:38: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:40:38: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:40:38: IKEv2:(90): There was no IPSEC policy found for received TS
Jul 5 10:40:38: IKEv2:(90):
Jul 5 10:40:39: IKEv2:Packet is a retransmission
Jul 5 10:40:39: IKEv2:
Jul 5 10:40:40: IKEv2:Packet is a retransmission
Jul 5 10:40:40: IKEv2:
Jul 5 10:40:44: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:40:44: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:40:44: IKEv2:(93): There was no IPSEC policy found for received TS
Jul 5 10:40:44: IKEv2:(93):
Jul 5 10:40:45: IKEv2:Packet is a retransmission
Jul 5 10:40:45: IKEv2:
Jul 5 10:40:46: IKEv2:Packet is a retransmission
Jul 5 10:40:46: IKEv2:
Jul 5 10:41:46: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=6045, sequence number=8027997
Jul 5 10:42:04: map_db_find_best did not find matching map
Jul 5 10:42:04: map_db_find_best did not find matching map
Jul 5 10:42:04: map_db_find_best did not find matching map
Jul 5 10:42:04: map_db_find_best did not find matching map
Jul 5 10:42:36: ISAKMP:(12592):R-U-THERE-A
Jul 5 10:42:52: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=6055, sequence number=2744366
Jul 5 10:43:20: ISAKMP:(12601):R-U-THERE-A
Jul 5 10:43:53: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=6055, sequence number=3225456
Jul 5 10:43:59: ISAKMP:(12590):R-U-THERE-A
Jul 5 10:45:00: ISAKMP:(12601):R-U-THERE-A
Jul 5 10:45:27: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=6055, sequence number=3950107
Jul 5 10:45:31: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:45:31: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:45:31: IKEv2:(94): There was no IPSEC policy found for received TS
Jul 5 10:45:31: IKEv2:(94):
Jul 5 10:45:32: IKEv2:Packet is a retransmission
Jul 5 10:45:32: IKEv2:
Jul 5 10:45:34: IKEv2:Packet is a retransmission
Jul 5 10:45:34: IKEv2:
Jul 5 10:45:37: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:45:37: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:45:37: IKEv2:(97): There was no IPSEC policy found for received TS
Jul 5 10:45:37: IKEv2:(97):
Jul 5 10:45:38: IKEv2:Packet is a retransmission
Jul 5 10:45:38: IKEv2:
Jul 5 10:45:39: IKEv2:Packet is a retransmission
Jul 5 10:45:39: IKEv2:
Jul 5 10:45:44: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:45:44: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:45:44: IKEv2:(98): There was no IPSEC policy found for received TS
Jul 5 10:45:44: IKEv2:(98):
Jul 5 10:45:45: IKEv2:Packet is a retransmission
Jul 5 10:45:45: IKEv2:
Jul 5 10:45:46: IKEv2:Packet is a retransmission
Jul 5 10:45:46: IKEv2:
Jul 5 10:46:28: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=6055, sequence number=4458381
Jul 5 10:47:24: map_db_find_best did not find matching map
Jul 5 10:47:24: map_db_find_best did not find matching map
Jul 5 10:47:34: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=6055, sequence number=5001875
Jul 5 10:48:35: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=6059, sequence number=200912
Jul 5 10:49:36: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=6055, sequence number=6000555
Jul 5 10:49:44: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:49:44: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:49:45: IKEv2:(99): There was no IPSEC policy found for received TS
Jul 5 10:49:45: IKEv2:(99):
Jul 5 10:49:46: IKEv2:Packet is a retransmission
Jul 5 10:49:46: IKEv2:
Jul 5 10:49:47: IKEv2:Packet is a retransmission
Jul 5 10:49:47: IKEv2:
Jul 5 10:49:51: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:49:51: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:49:51: IKEv2:(100): There was no IPSEC policy found for received TS
Jul 5 10:49:51: IKEv2:(100):
Jul 5 10:49:52: IKEv2:Packet is a retransmission
Jul 5 10:49:52: IKEv2:
Jul 5 10:49:53: IKEv2:Packet is a retransmission
Jul 5 10:49:53: IKEv2:
Jul 5 10:49:57: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:49:57: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:49:57: IKEv2:(101): There was no IPSEC policy found for received TS
Jul 5 10:49:57: IKEv2:(101):
Jul 5 10:49:58: IKEv2:Packet is a retransmission
Jul 5 10:49:58: IKEv2:
Jul 5 10:49:59: IKEv2:Packet is a retransmission
Jul 5 10:49:59: IKEv2:
Jul 5 10:50:22: ISAKMP:(12598):R-U-THERE-A
Jul 5 10:50:22: ISAKMP:(12597):R-U-THERE-A
Jul 5 10:50:31: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:50:31: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:50:32: IKEv2:(102): There was no IPSEC policy found for received TS
Jul 5 10:50:32: IKEv2:(102):
Jul 5 10:50:33: IKEv2:Packet is a retransmission
Jul 5 10:50:33: IKEv2:
Jul 5 10:50:34: IKEv2:Packet is a retransmission
Jul 5 10:50:34: IKEv2:
Jul 5 10:50:36: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=6055, sequence number=6475938
Jul 5 10:50:39: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:50:39: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:50:39: IKEv2:(103): There was no IPSEC policy found for received TS
Jul 5 10:50:39: IKEv2:(103):
Jul 5 10:50:40: IKEv2:Packet is a retransmission
Jul 5 10:50:40: IKEv2:
Jul 5 10:50:41: IKEv2:Packet is a retransmission
Jul 5 10:50:41: IKEv2:
Jul 5 10:50:46: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:50:46: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:50:46: IKEv2:(104): There was no IPSEC policy found for received TS
Jul 5 10:50:46: IKEv2:(104):
Jul 5 10:50:47: IKEv2:Packet is a retransmission
Jul 5 10:50:47: IKEv2:
Jul 5 10:50:48: IKEv2:Packet is a retransmission
Jul 5 10:50:48: IKEv2:
Jul 5 10:51:36: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=6055, sequence number=6927837
Jul 5 10:51:38: ISAKMP:(12598):R-U-THERE-A
Jul 5 10:52:37: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=6055, sequence number=7381431
Jul 5 10:53:15: map_db_find_best did not find matching map
Jul 5 10:53:15: map_db_find_best did not find matching map
Jul 5 10:53:37: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=6055, sequence number=7825717
Jul 5 10:54:38: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=6055, sequence number=8294412
Jul 5 10:55:31: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:55:31: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:55:31: IKEv2:(105): There was no IPSEC policy found for received TS
Jul 5 10:55:31: IKEv2:(105):
Jul 5 10:55:32: IKEv2:Packet is a retransmission
Jul 5 10:55:32: IKEv2:
Jul 5 10:55:33: IKEv2:Packet is a retransmission
Jul 5 10:55:33: IKEv2:
Jul 5 10:55:37: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:55:37: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:55:37: IKEv2:(106): There was no IPSEC policy found for received TS
Jul 5 10:55:37: IKEv2:(106):
Jul 5 10:55:38: IKEv2:Packet is a retransmission
Jul 5 10:55:38: IKEv2:
Jul 5 10:55:39: IKEv2:Packet is a retransmission
Jul 5 10:55:39: IKEv2:
Jul 5 10:55:45: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:55:45: IKEv2:Failed to retrieve Certificate Issuer list
Jul 5 10:55:45: IKEv2:(107): There was no IPSEC policy found for received TS
Jul 5 10:55:45: IKEv2:(107):
Jul 5 10:55:46: IKEv2:Packet is a retransmission
Jul 5 10:55:46: IKEv2:
Jul 5 10:55:47: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=6055, sequence number=8860320
Jul 5 10:55:47: IKEv2:Packet is a retransmission
Jul 5 10:55:47: IKEv2:
Jul 5 10:56:00: %SEC_LOGIN-5-LOGIN_SUCCESS
Jul 5 10:56:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel7, changed state to down
Jul 5 10:56:50: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=6055, sequence number=9368268
Jul 5 10:57:10: IKEv2:(104): Maximum number of retransmissions reached
Jul 5 10:57:10: IKEv2:(104):
Jul 5 10:57:10: IKEv2:(104): Create child exchange failed
Jul 5 10:57:10: IKEv2:(104):
Jul 5 10:57:59: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=6063, sequence number=206144
Jul 5 10:58:50: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel7, changed state to up
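A triage sketch for a log in this format, added here as an example and not part of the original post: it counts the recurring IKEv2/IPsec messages, attributes replay errors to connection ids, and measures each tunnel outage. The function name, event labels and the placeholder year are assumptions; the sample lines are selected from the log above.

```python
import re
from collections import Counter
from datetime import datetime

# Selected lines from the log posted above (not contiguous).
SAMPLE = """\
Jul 5 10:55:45: IKEv2:(107): There was no IPSEC policy found for received TS
Jul 5 10:55:46: IKEv2:Packet is a retransmission
Jul 5 10:55:47: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=6055, sequence number=8860320
Jul 5 10:56:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel7, changed state to down
Jul 5 10:57:10: IKEv2:(104): Maximum number of retransmissions reached
Jul 5 10:57:10: IKEv2:(104): Create child exchange failed
Jul 5 10:57:59: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=6063, sequence number=206144
Jul 5 10:58:50: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel7, changed state to up
"""

PATTERNS = {  # hypothetical event labels -> substring to look for
    "ts_no_policy": "no IPSEC policy found for received TS",
    "retransmission": "Packet is a retransmission",
    "replay_err": "PKT_REPLAY_ERR",
    "retrans_exhausted": "Maximum number of retransmissions reached",
    "child_sa_failed": "Create child exchange failed",
}
STAMPED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d): (.*)$")
UPDOWN = re.compile(r"Interface (\S+), changed state to (up|down)")
CONN = re.compile(r"connection id=(\d+)")

def summarize(text):
    """Return (event counts, replay errors per connection id, outages in seconds)."""
    counts, replay_conns, outages, down_at = Counter(), Counter(), [], {}
    for raw in text.splitlines():
        m = STAMPED.match(raw)
        if not m:  # continuation line of a replay error carries the connection id
            if (c := CONN.search(raw)):
                replay_conns[c.group(1)] += 1
            continue
        # The log has no year; 2000 is an arbitrary placeholder for parsing.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        counts.update(k for k, needle in PATTERNS.items() if needle in m.group(2))
        u = UPDOWN.search(m.group(2))
        if u and u.group(2) == "down":
            down_at[u.group(1)] = ts
        elif u and u.group(1) in down_at:
            secs = int((ts - down_at.pop(u.group(1))).total_seconds())
            outages.append((u.group(1), secs))
    return counts, replay_conns, outages
```

Run over a full day of logs, the outage list gives the exact down/up times to line up against the rekey lifetimes discussed in the thread.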
These are the configurations on the 2951. I didn't modify them other than the 'lifetime' I mentioned in my email. Please let me know if it isn't enough.
crypto ikev2 proposal <RP_IkeProposal>
encryption aes-cbc-256 aes-cbc-128 3des
integrity sha1
group 2
exit
crypto ikev2 policy <RP_IkePolicy>
proposal <RP_IkeProposal>
exit
crypto ikev2 keyring <RP_IkeKeyring>
peer <SP_AzureGatewayIpAddress>
address <SP_AzureGatewayIpAddress>
pre-shared-key <SP_PresharedKey>
exit
exit
crypto ikev2 profile <RP_IkeProfile>
match address local interface <NameOfYourOutsideInterfac
match identity remote address <SP_AzureGatewayIpAddress>
authentication remote pre-share
authentication local pre-share
keyring local <RP_IkeKeyring>
lifetime 28800
exit
crypto ipsec transform-set <RP_IPSecTransformSet> esp-aes 256 esp-sha-hmac
mode tunnel
exit
crypto ipsec profile <RP_IPSecProfile>
set security-association lifetime kilobytes 102400000
set transform-set <RP_IPSecTransformSet>
set ikev2-profile <RP_IkeProfile>
exit
int tunnel 1
ip address 169.254.0.1 255.255.255.0
ip tcp adjust-mss 1350
tunnel source <NameOfYourOutsideInterfac
tunnel mode ipsec ipv4
tunnel destination <SP_AzureGatewayIpAddress>
tunnel protection ipsec profile <RP_IPSecProfile>
exit
ip route <SP_AzureNetworkCIDR> tunnel 1
On my router I find there are global settings as below but I don't know if that matters:
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 20
Here are the default supported keepalive values for Azure
Phase 1 Security Association (SA) Lifetime (Time)
Static Routing GW - 28800 seconds
Dynamic Routing GW - 28800 seconds
Phase 2 Security Association (SA) Lifetime (Time)
Static Routing GW - 3600 seconds
Dynamic Routing GW - 3600 seconds
Phase 2 Security Association (SA) Lifetime (Throughput)
Static Routing GW - 102400000 KB
Dynamic Routing GW - 102400000 KB
Dead peer detection is supported on the Dynamic Routing VPN Gateway, but not on the Static Routing VPN Gateway.
Thanks for your answer. So in your theory, the 'lifetime' settings should be correct on my router.
Regarding your questions, I am using dynamic routing VPN gateway. Do you mean I have to enable DPD feature on my router or I can choose not to? What is your recommended interval for DPD (10-3600)?
According to the article below, another user had the same 'random disconnection' issue as mine. The MS support team advised him to lower the MTU to 1350. I already made this change on my router and it hasn't disconnected for 20 hours so far. Let's see if that helps.
I will keep you updated. Thanks.
http://social.msdn.microso
Unfortunately the VPN disconnected AGAIN. This time it lasted for about 40 hours. So the MTU change doesn't help.
Regarding the DPD feature, do you have recommendations of what to set?
There's nothing we can configure on Azure's gateway. Do you think the 'response only' feature might affect it? I see on the Cisco device it can be changed in phase 2:
crypto ipsec profile <RP_IPSecProfile>
responder-only