I’ve been having a heck of a time trying to establish a stable IPSec tunnel from our ASA to the ZIA peer. We DO have the AES phase 2 feature enabled on our account, though we have tried NULL phase 2 (which was strangely a bit more stable).
What we’re seeing now is the tunnels will run for anywhere between 12 hours and 3-4 days, then just die. They don’t drop, but we cease to see return traffic from the ZIA peer, despite us continuing to transmit. We continue to send “interesting” traffic, we just stop getting anything back.
We’re well under the 8 SA limit too.
I have played with using IKEv1 and that too seemed more stable, but I’d really rather NOT use IKEv1. I’ve got like 10 ASAs all doing the same thing.
Thanks for any insight.
Here’s a sanitized config snippet.
ASA version 9.14(1)15
crypto ikev2 policy 1
 group 5 2
 lifetime seconds 86400
crypto ikev2 enable
periodic-authentication certificate none
tunnel-group type ipsec-l2l
 isakmp keepalive threshold 20 retry 2
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
crypto ipsec ikev2 ipsec-proposal Zscaler-Proposal
 protocol esp encryption aes-256 aes-192 aes
 protocol esp integrity md5
crypto map outside_dataNEW_map1 64500 match address _cryptomap_8
crypto map outside_dataNEW_map1 64500 set peer
crypto map outside_dataNEW_map1 64500 set ikev2 ipsec-proposal Zscaler-Proposal
crypto map outside_dataNEW_map1 64500 set security-association lifetime seconds 28800
crypto map outside_dataNEW_map1 64500 set security-association lifetime kilobytes unlimited
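The failure mode described above (the SA stays up, `#pkts encaps` keeps climbing, `#pkts decaps` stops moving) is easy to miss until users complain, because nothing in the IKE state changes. The script below is an added example, not part of the original post or of any Zscaler or Cisco tooling: it compares two samples of `show crypto ipsec sa` output and flags peers that sent traffic between the samples but received nothing back. The peer addresses, counter values and crypto map names in the sample text are constructed for the example; only the counter line format (`#pkts encaps:` / `#pkts decaps:`, grouped under `current_peer:`) follows the real ASA output.

```python
"""Flag IPsec SAs where we keep encapsulating but stop decapsulating.

Compares two samples of 'show crypto ipsec sa' (ASA format) taken a few
minutes apart and reports peers whose '#pkts encaps' advanced while
'#pkts decaps' did not: the "we transmit, nothing comes back" condition.
"""
import re

# Constructed sample output: two peers, one healthy, one that has gone one-way.
# (Addresses and counters are made up for the example.)
SNAPSHOT_T0 = """\
interface: outside
    Crypto map tag: outside_dataNEW_map1, seq num: 64500, local addr: 192.0.2.10
      current_peer: 198.51.100.20
      #pkts encaps: 1000, #pkts encrypt: 1000, #pkts digest: 1000
      #pkts decaps: 900, #pkts decrypt: 900, #pkts verify: 900
    Crypto map tag: outside_dataNEW_map1, seq num: 64510, local addr: 192.0.2.10
      current_peer: 198.51.100.21
      #pkts encaps: 2000, #pkts encrypt: 2000, #pkts digest: 2000
      #pkts decaps: 1800, #pkts decrypt: 1800, #pkts verify: 1800
"""
SNAPSHOT_T1 = """\
interface: outside
    Crypto map tag: outside_dataNEW_map1, seq num: 64500, local addr: 192.0.2.10
      current_peer: 198.51.100.20
      #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
      #pkts decaps: 900, #pkts decrypt: 900, #pkts verify: 900
    Crypto map tag: outside_dataNEW_map1, seq num: 64510, local addr: 192.0.2.10
      current_peer: 198.51.100.21
      #pkts encaps: 2400, #pkts encrypt: 2400, #pkts digest: 2400
      #pkts decaps: 2100, #pkts decrypt: 2100, #pkts verify: 2100
"""

PEER_RE = re.compile(r"^\s*current_peer:\s*(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_sa_counters(text):
    """Return {peer: (encaps, decaps)} from 'show crypto ipsec sa' text.

    Counters are attributed to the most recent 'current_peer:' line, which is
    how the ASA groups them. A peer with several SAs (several crypto map
    entries) gets its counters summed.
    """
    counters = {}
    peer = None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            peer = m.group(1)
            counters.setdefault(peer, [0, 0])
            continue
        if peer is None:
            continue  # header lines before the first peer block
        m = ENCAPS_RE.search(line)
        if m:
            counters[peer][0] += int(m.group(1))
        m = DECAPS_RE.search(line)
        if m:
            counters[peer][1] += int(m.group(1))
    return {p: tuple(v) for p, v in counters.items()}


def find_one_way_peers(before, after, min_sent=100):
    """Peers that sent at least min_sent packets between samples but received none.

    A negative delta means the SA was rebuilt (rekeyed) between samples and
    the counters restarted, so that peer is skipped rather than misreported.
    """
    stalled = []
    for peer, (enc_after, dec_after) in after.items():
        enc_before, dec_before = before.get(peer, (0, 0))
        sent = enc_after - enc_before
        received = dec_after - dec_before
        if sent < 0 or received < 0:
            continue
        if sent >= min_sent and received == 0:
            stalled.append(peer)
    return sorted(stalled)


if __name__ == "__main__":
    t0 = parse_sa_counters(SNAPSHOT_T0)
    t1 = parse_sa_counters(SNAPSHOT_T1)
    for peer in find_one_way_peers(t0, t1):
        print(f"{peer}: sending but receiving nothing since last sample")
```

Feed it two captures taken a few minutes apart (for instance from a scheduled `show crypto ipsec sa` poll) and alert on any peer it returns; the `min_sent` threshold keeps an idle tunnel from being reported as stalled. Separately from the stability question, `protocol esp integrity md5` is a legacy choice; SHA-256 integrity is preferable where the peer supports it.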