Cisco ASA IKEv2 IPSec tunnel instability

Hi All,

I’ve been having a heck of a time trying to establish a stable IPSec tunnel from our ASA to the ZIA peer. We DO have the AES phase 2 feature enabled on our account, though we have tried NULL phase 2 (which was strangely a bit more stable).

What we’re seeing now is the tunnels will run for anywhere between 12 hours and 3-4 days, then just die. They don’t drop, but we cease to see return traffic from the ZIA peer, despite us continuing to transmit. We continue to send “interesting” traffic, we just stop getting anything back.

We’re well under the 8 SA limit too.

I have played with using IKEv1 and that too seemed more stable, but I’d really rather NOT use IKEv1. I’ve got like 10 ASAs all doing the same thing.

Thanks for any insight.

Here’s a sanitized config snippet.

ASA version 9.14(1)15

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable

group-policy internal
group-policy attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev2
periodic-authentication certificate none

tunnel-group type ipsec-l2l
tunnel-group general-attributes
default-group-policy IKEv2_Site-to-Site
tunnel-group ipsec-attributes
peer-id-validate nocheck
isakmp keepalive threshold 20 retry 2
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

crypto ipsec ikev2 ipsec-proposal Zscaler-Proposal
protocol esp encryption aes-256 aes-192 aes
protocol esp integrity md5

crypto map outside_dataNEW_map1 64500 match address _cryptomap_8
crypto map outside_dataNEW_map1 64500 set peer
crypto map outside_dataNEW_map1 64500 set ikev2 ipsec-proposal Zscaler-Proposal
crypto map outside_dataNEW_map1 64500 set security-association lifetime seconds 28800
crypto map outside_dataNEW_map1 64500 set security-association lifetime kilobytes unlimited
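The symptom Tony describes (tunnel stays up, encrypted traffic keeps going out, nothing comes back) shows up in the ASA’s own SA counters, so it can be watched for rather than discovered by users. The following is an added example, not code from this thread, Cisco or Zscaler: it parses two constructed excerpts in the style of `show crypto ipsec sa` output and flags an SA whose `#pkts encaps` counter advances while `#pkts decaps` stays flat. The counter values and the 203.0.113.10 peer address are made up for the example.

```python
"""Flag a one-way IPsec SA: ESP encaps counters climb while decaps stay flat."""
import re

# Constructed excerpts in the style of ASA `show crypto ipsec sa` output,
# sampled a few minutes apart. Not real device output.
SNAPSHOT_T0 = """
peer address: 203.0.113.10
  #pkts encaps: 118204, #pkts encrypt: 118204, #pkts digest: 118204
  #pkts decaps: 95331, #pkts decrypt: 95331, #pkts verify: 95331
"""
SNAPSHOT_T1 = """
peer address: 203.0.113.10
  #pkts encaps: 120977, #pkts encrypt: 120977, #pkts digest: 120977
  #pkts decaps: 95331, #pkts decrypt: 95331, #pkts verify: 95331
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")


def parse_counters(text):
    """Return {'encaps': n, 'decaps': n} from one SA's counter lines."""
    found = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    missing = {"encaps", "decaps"} - found.keys()
    if missing:
        raise ValueError(f"counters not found: {sorted(missing)}")
    return found


def classify_sa(before, after, min_sent=100):
    """Compare two counter samples of the same SA.

    'one-way'  : we sent at least min_sent packets and received none
    'idle'     : too little was sent to judge
    'rekeyed'  : counters went backwards, i.e. the SA was rebuilt
    'healthy'  : traffic flowed in both directions
    """
    sent = after["encaps"] - before["encaps"]
    received = after["decaps"] - before["decaps"]
    if sent < 0 or received < 0:
        return "rekeyed"
    if sent < min_sent:
        return "idle"
    if received == 0:
        return "one-way"
    return "healthy"


def check_snapshots(t0_text, t1_text):
    """Convenience wrapper: classify the SA from two raw text snapshots."""
    return classify_sa(parse_counters(t0_text), parse_counters(t1_text))
```

Run it from cron against two successive captures and alert on "one-way"; the same check works for IKEv1 or IKEv2 SAs since the counter lines are identical.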

Hi Tony,

We are also experiencing this and I’m pulling my hair out. We have a couple of sites with Check Point created IPSec null encryption tunnels through a couple of service provider ASAs. Tunnels have been up and we can see the traffic going out over the tunnel. On a client we cannot test connectivity using PowerShell and the port. ZS Client Connector captures show that we cannot connect to any of the ZS IPs. Eventually it will spring into life; it’s happened too many times. We also have GRE tunnels from a different site using other hardware and that appears stable. I currently have a call raised as it’s happened today.