DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
IKE_RELEASE VPN errors to Cisco ASA Lan to Lan
- marcusd
- Topic Author
- Offline
- Junior Member
- Posts: 13
- Thank you received: 0
16 Jun 2020 10:07 #96413
by marcusd
IKE_RELEASE VPN errors to Cisco ASA Lan to Lan was created by marcusd
Hi,
I have 6 clients with Draytek routers, mainly 2862n's. We're trying to use a VPN tunnel on them to dial in to a Cisco ASA cluster.
The tunnel is IKEv2, IPSEC with 256 AES and SHA, 86400 phase 1 lifetime, 28800 phase 2, PFS enabled, virtual IP mapping used.
All tunnels are stopping working with mainly IKE_RELEASE VPN errors being mailed to me. Some are at random times but most failures seem to coincide with 8 hour periods, which just happens to be 28,800 seconds, as chosen for the IKE Phase 2 key lifetime.
What seems to happen is the key expires and won't re-issue correctly to any Draytek on any site, with any ISP. The tunnel shows that it's still up, but nothing will ping through it until it's dropped and re-dialled.
We've tried setting idle timeout to 0 and 300, ping to keep alive is disabled, although they run an application which polls the connection for new messages every 10 seconds, so idle timeout should not be an issue.
All have the latest firmware. Any ideas please folks?
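The observation in the post above (failures clustering at 8 hour intervals, matching the 28,800 s phase 2 lifetime) is testable rather than just a hunch. The script below is an added example, not code from the thread or from DrayTek: it parses a batch of VPN failure notification timestamps and reports, per site, what fraction of the gaps between consecutive IKE_RELEASE events land within a tolerance of a multiple of the configured IPsec SA lifetime. The event lines, site names and the line format are constructed for the example; the lifetime is the one stated in the post, and the same check works for any other lifetime by changing the constant.

```python
"""Added example (not from the forum thread): correlate IKE_RELEASE event
timestamps with the configured IKE phase 2 (IPsec SA) lifetime to test whether
tunnel failures coincide with SA rekey. The sample events below are constructed,
not real DrayTek notification mails."""
from datetime import datetime

PHASE2_LIFETIME_S = 28800  # 8 hours, the phase 2 lifetime given in the post

# Constructed sample: one failure event per line, "YYYY-MM-DD HH:MM:SS site event".
# site-a fails every 8 hours; site-b has one random drop at 16:00, after which
# the re-dialled tunnel fails 8 hours later again.
SAMPLE_EVENTS = """\
2020-06-15 02:01:13 site-a IKE_RELEASE
2020-06-15 10:01:40 site-a IKE_RELEASE
2020-06-15 13:22:05 site-b IKE_RELEASE
2020-06-15 16:00:00 site-b IKE_RELEASE
2020-06-15 18:02:02 site-a IKE_RELEASE
2020-06-16 00:00:31 site-b IKE_RELEASE
2020-06-16 02:02:15 site-a IKE_RELEASE
2020-06-16 08:01:02 site-b IKE_RELEASE
"""


def parse_events(text):
    """Return {site: [datetime, ...]} (sorted) from the constructed line format.
    Lines that are not IKE_RELEASE events are ignored."""
    events = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[3] != "IKE_RELEASE":
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        events.setdefault(parts[2], []).append(ts)
    for ts_list in events.values():
        ts_list.sort()
    return events


def rekey_aligned_fraction(timestamps, lifetime_s=PHASE2_LIFETIME_S, tolerance_s=120):
    """Fraction of consecutive gaps that sit within tolerance_s of a non-zero
    multiple of lifetime_s. Returns 0.0 when fewer than two events exist."""
    if len(timestamps) < 2:
        return 0.0
    aligned = 0
    for earlier, later in zip(timestamps, timestamps[1:]):
        gap = (later - earlier).total_seconds()
        # nearest multiple of the lifetime, never zero, so short gaps count as misses
        k = max(1, round(gap / lifetime_s))
        if abs(gap - k * lifetime_s) <= tolerance_s:
            aligned += 1
    return aligned / (len(timestamps) - 1)


def summarize(text, lifetime_s=PHASE2_LIFETIME_S):
    """Per-site fraction of failure gaps aligned with the SA lifetime."""
    return {site: rekey_aligned_fraction(ts, lifetime_s)
            for site, ts in parse_events(text).items()}


if __name__ == "__main__":
    for site, frac in summarize(SAMPLE_EVENTS).items():
        verdict = "rekey-correlated" if frac >= 0.5 else "not obviously rekey-correlated"
        print(f"{site}: {frac:.0%} of gaps align with {PHASE2_LIFETIME_S}s -> {verdict}")
```

A high aligned fraction across several sites and ISPs, as in the post, points at the rekey exchange itself rather than at link quality or idle timeouts, which is the distinction a practitioner wants before changing proposals or lifetimes on either end.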
- marcusd
- Topic Author
- Offline
- Junior Member
- Posts: 13
- Thank you received: 0
17 Jun 2020 08:43 #96420
by marcusd
Replied by marcusd on topic Re: IKE_RELEASE VPN errors to Cisco ASA Lan to Lan
For anyone interested, the issue looks resolved by lowering IKE to V1, and reducing security to ESP, AES256, SHA1, G2, 28,800, 28,800 and no PFS.
A shame really. We bought new routers to meet the IKEv2 standard and they're not capable of a stable connection with a Cisco ASA. We might as well have stuck with the original routers.
Copyright © 2024 DrayTek