VPN issue with IKEv2 and Cisco ASA

Hi,

Last week we upgraded our security gateway from R77.30 to R80.20. After this upgrade, we lost connectivity with one of our VPNs. This VPN is with a third party gateway, a Cisco ASA and we are using IKEv2.

The issue is weird and I've isolated the following things:

1) If the negotiation is triggered on the ASA side, everything works as expected. So, as a workaround, they are bouncing the tunnel on their side and generating traffic to us, which allows us to connect (if we are the first to generate traffic it won't work).

2) If we initiate the connection, we are unable to reach the other side of the VPN, but they are able to reach our network. So traffic generated on their side of the VPN always reaches us without issues.

3) Child SAs are only being negotiated on re-keys; I'm assuming the first time they are created is under the AUTH packet, as per the RFC.

I have a case opened with TAC, but so far no meaningful replies. I can also share the vpnd.elg files, as well as the ikev2.xmll files if you are interested in taking a look at that.

Thanks
8 Replies

Re: VPN issue with IKEv2 and Cisco ASA

Two guesses:

1) You had a custom subnet_for_range_and_peer directive defined in the $FWDIR/conf/user.def.R77CMP file on your SMS, and when the gateway was upgraded to R80.10+ this file no longer applied.  Any special directives in the old file need to be copied to the $FWDIR/conf/user.def.FW1 file on the SMS and policy reinstalled to apply to the new gateway version.  sk98239: Location of 'user.def' files on Security Management Server

2) You had a custom kernel definition affecting the VPN in the $FWDIR/boot/modules/fwkern.conf, $FWDIR/boot/modules/vpnkern.conf or $PPKDIR/boot/conf/simkern.conf file(s) on the upgraded gateway itself that did not survive the upgrade process.

If it is neither of those things, try disabling SecureXL VPN acceleration for that peer and see if it impacts the issue: sk151114: "fwaccel off" does not affect disabling acceleration of VPN tunnels in R80.20 and above

Also watch out for sk116776: Instability issues in VPN Tunnel with Cisco using IKEv2

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: VPN issue with IKEv2 and Cisco ASA

Hi Timothy,

So, you definitely have something there... When this tunnel was created, an entry was indeed added to the user.def file. However, this was done in a different file location than the one mentioned in sk98239. We have an MDS, but according to the SK the file shouldn't be defined there. The subnet_for_range_and_peer was defined under /var/opt/CPmds-R80.20/conf/user.def.R77CMP. I have since tried to remove this entry and add it to the correct location, under /opt/CPmds-R80.20/customers/<CMA-NAME>/CPsuite-R80.20/fw1/conf/user.def.FW1, and installed policy, but with no success. I've also tried to add this entry under /var/opt/CPmds-R80.20/conf/user.def.FW1, also without success. I did run fw tab -t subnet_for_range_and_peer, which shows the correct entry for this VPN on the gateway after installing policy; however, I was still experiencing the same issues.

I've tried disabling fwaccel as well as vpn accel, without success. As far as custom kernel definitions go, I checked and couldn't find any...

I believe that the issue causing this is related to the user.def files. I'll redirect the support case to that, but if you could provide some insight as to why this is still happening, despite the fact that I've moved the definitions, I'd appreciate it.

 

Thanks!

Re: VPN issue with IKEv2 and Cisco ASA

I'm assuming for VPN Tunnel Sharing in the community settings you have it set to "one tunnel per subnet".  As a test try setting it to "one tunnel per pair of hosts" and reinstalling policy.  If the problem goes away you have confirmed that it is indeed a subnet/selector issue and not something else.  In general it is not a good idea to leave it set to "pair of hosts" as a large number of IPSec tunnels can be generated.

Re: VPN issue with IKEv2 and Cisco ASA

I agree. And if I recall correctly, we tried that when we were first setting up the tunnel and it worked.

 

I'll raise a change to test that, but as you've said, this is not an ideal solution. If this works, what can we do to use "one tunnel per subnet"?

Thanks

Re: VPN issue with IKEv2 and Cisco ASA

You'll probably need to work with TAC and figure out why your subnet-per-peer directive is not working properly as that should definitely work with IKEv2.  Because the directive is showing up on the gateway's tables, it sounds like you have it defined in the correct user.def* instance on the MDS/SMS/Domain. 

You can use "pair of hosts" permanently, but only if you have just a few hosts on each end that need to use the tunnel *and* the Firewall/Network Policy Layer is sufficiently locked down to prevent a large number of tunnels from starting.  With "pair of hosts" a separate IPSec/Phase 2 tunnel is started for every combination of host IP addresses (/32's) that are allowed to communicate.  So if two Class C networks are using the tunnel and the rulebase allows the entirety of the networks to communicate with each other, in theory over 65,000 separate tunnels could try to start, which will quickly bang against the soft limit of 10,000 concurrent tunnels and cause intermittent VPN connectivity.  If PFS is enabled a separate computationally-expensive Diffie-Hellman calculation will occur for each and every IPSec/Phase 2 tunnel, which will cause a massive amount of firewall CPU overhead and further problems.

Re: VPN issue with IKEv2 and Cisco ASA

I'm already working with TAC on that. I'll post updates here once I have them. Do you have any ideas on how to troubleshoot this? I guess I could run a kernel debug and check out vpnd.elg after correcting the user.def file, and maybe see if I'm missing something.

Thanks for your help so far!

Re: VPN issue with IKEv2 and Cisco ASA

All IKE negotiations take place in process space via vpnd on the firewall, so you'll need to debug vpnd (vpnd.elg) and probably turn on IKE debugging which is output to ikev2.xmll.  I don't think you'll need to perform kernel-level debugging for this issue, at least not initially.

Re: VPN issue with IKEv2 and Cisco ASA

Hi,

So, we've isolated the issue. Apparently the ASA was erroneously detecting the need to use NAT-T during the IKE_INIT phase when we started the communication. My guess is that, when the ASA initiated the communication, it did so by negotiating NAT-T with us (the Check Point is configured to support NAT-T), and that would establish the tunnel successfully and allow communication.

The ASA was on version 9.8, for future reference.
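The NAT-T decision the thread ends on is made during IKE_SA_INIT by comparing hashes, so here is the RFC 7296 check a responder performs and how a mismatch turns into NAT-T, as an added example (not from the thread or from either vendor's code; the SPIs and addresses are constructed):

```python
import hashlib
import ipaddress
import struct

# Constructed sample values (not from the thread): 8-octet IKE SPIs and addresses
# from the RFC 5737 documentation ranges.
SPI_I = bytes.fromhex("0a1b2c3d4e5f6071")
SPI_R_INIT = bytes(8)          # responder SPI is all zeros in the IKE_SA_INIT request
INITIATOR = ("198.51.100.10", 500)
RESPONDER = ("203.0.113.20", 500)


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """RFC 7296 s2.23: SHA-1(SPIi || SPIr || IP address || port), network byte order."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 octets each")
    packed_ip = ipaddress.ip_address(ip).packed      # 4 octets for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def nat_detected(received_hashes, spi_i, spi_r, observed_ip, observed_port) -> bool:
    """Receiver side: the peer may send several NAT_DETECTION_SOURCE_IP payloads (one
    per local address). If none matches the hash of the source address/port seen in
    the outer IP/UDP header, the receiver concludes a NAT is in the path and switches
    to UDP 4500 encapsulation."""
    expected = nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)
    return expected not in received_hashes


def demo() -> dict:
    # What the initiator puts in its IKE_SA_INIT request: a hash over the address
    # and port it believes it is sending from.
    sent = [nat_detection_hash(SPI_I, SPI_R_INIT, *INITIATOR)]

    # Case 1: packet arrives untouched; the responder sees the same address/port.
    direct = nat_detected(sent, SPI_I, SPI_R_INIT, *INITIATOR)

    # Case 2: a device in the path rewrote the source to 192.0.2.5:4500, so the
    # observed tuple no longer hashes to what the peer sent and NAT-T is negotiated.
    # The same mismatch appears if the sender hashed a different interface address
    # than the one the packet actually left on, which is how a peer can "detect"
    # NAT where there is none.
    behind_nat = nat_detected(sent, SPI_I, SPI_R_INIT, "192.0.2.5", 4500)
    return {"direct": direct, "behind_nat": behind_nat}


if __name__ == "__main__":
    print(demo())   # {'direct': False, 'behind_nat': True}
```

When a tunnel only comes up from one side, comparing the address each peer hashes into these payloads against what the other side actually sees on the wire (visible in ikev2.xmll and a packet capture) shows whether NAT-T was detected legitimately or not.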