DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

IKE_RELEASE VPN errors to Cisco ASA Lan to Lan

  • marcusd
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
16 Jun 2020 10:07 #96413 by marcusd
Hi,

I have 6 clients with Draytek routers, mainly 2862n's. We're trying to use a VPN tunnel on them to dial in to a Cisco ASA cluster.
The tunnel is IKEv2, IPSEC with 256 AES and SHA, 86400 phase 1 lifetime, 28800 phase 2, PFS enabled, virtual IP mapping used.

All tunnels are stopping working with mainly IKE_RELEASE VPN errors being mailed to me. Some are at random times but most failures seem to coincide with 8 hour periods, which just happens to be 28,800 seconds as chooses for the IKE Phase 2 key lifetime.

What seems to happen is the key expires and won't re-issue correctly to any Draytek on any site, with any ISP. The tunnel shows that it's still up, but nothing will ping through it until it's dropped and re-dialled.

We've tried setting idle timeout to 0 and 300, ping to keep alive is disabled, although they run an application which polls the connection for new messages every 10 seconds, so idle timeout should not be an issue.

All have the latest firmware. Any ideas please folks?

Please Log in or Create an account to join the conversation.

  • marcusd
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
17 Jun 2020 08:43 #96420 by marcusd
For anyone interested, the issue looks resolved by lowering IKE to V1, and reducing security to ESP, AES256, SHA1, G2, 28,800, 28,800 and no PFS.

A shame really. We bought new routers to meet the IKEv2 standard and they're not capable of a stable connection with a Cisco ASA. We might as well have stuck with the original routers.

Please Log in or Create an account to join the conversation.

Moderators: Sami