Hello Laz,
Thanks for reading. I took some debugs of the whole issue and found this:
Sep 21 15:06:59.986: IPSEC:(SESSION ID = 16225) (ident_save_delete_notify_kmi) updated peer 85.205.30.159 current outbound sa to SPI 0
Sep 21 15:06:59.987: IPSEC:(SESSION ID = 16225) (delete_sa) deleting SA,
(sa) sa_dest= 10.28.56.71, sa_proto= 50,
sa_spi= 0x8F226333(2401395507),
sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 7583
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 10.28.56.71:0, remote= 85.205.30.159:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
Sep 21 15:06:59.987: IPSEC:(SESSION ID = 16225) (delete_sa) SA found saving DEL kmi
Sep 21 15:06:59.988: IPSEC:(SESSION ID = 16225) (delete_sa) deleting SA,
(sa) sa_dest= 85.205.30.159, sa_proto= 50,
sa_spi= 0x91A7BD02(2443689218),
sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 7584
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 10.28.56.71:0, remote= 85.205.30.159:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
Sep 21 15:06:59.988: IPSEC:(SESSION ID = 16225) (update_current_outbound_sa) updated peer 85.205.30.159 current outbound sa to SPI 0
Sep 21 15:06:59.988: IPSEC:(SESSION ID = 16225) (delete_sa) SA found saving DEL kmi
Sep 21 15:06:59.988: IPSEC(sibling_delete_notify_ident_action): Ident down, not sending DECR/DELETE
Sep 21 15:06:59.989: ipsec_out_sa_hash_idx: sa=0x7F78D36B9D00, hash_idx=401, port=4500/4500, addr=0x0A1C3847/0x55CD1E9F
Sep 21 15:06:59.991: IPSEC:(SESSION ID = 16225) (ident_update_final_flow_stats) Collect Final Stats and update MIB
IPSEC get IKMP peer index from peer 0x7F78D36B6B70 ikmp handle 0x0
[ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x240015CF,peer index 0
Sep 21 15:06:59.994: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Sep 21 15:06:59.994: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 6145
Sep 21 15:06:59.994: IPSEC:(SESSION ID = 16225) (key_engine_delete_sas) rec'd delete notify from ISAKMP
Sep 21 15:06:59.994: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Sep 21 15:06:59.994: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 6145
Sep 21 15:06:59.994: IPSEC:(SESSION ID = 16225) (key_engine_delete_sas) rec'd delete notify from ISAKMP
Sep 21 15:07:00.012: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Sep 21 15:07:00.012: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 6145
Sep 21 15:07:00.012: IPSEC:(SESSION ID = 16225) (key_engine_delete_sas) rec'd delete notify from ISAKMP
Sep 21 15:07:00.012: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Sep 21 15:07:00.012: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 6145
Sep 21 15:07:00.012: IPSEC:(SESSION ID = 16225) (key_engine_delete_sas) rec'd delete notify from ISAKMP
Sep 21 15:07:01.984: %LINK-5-CHANGED: Interface Tunnel50, changed state to administratively down
Sep 21 15:07:02.173: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
Sep 21 15:07:02.174: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.28.56.71:500, remote= 85.205.30.159:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-aes 256 esp-sha256-hmac (Tunnel), esn= FALSE,
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Sep 21 15:07:02.227: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Sep 21 15:07:02.227: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.28.56.71:0, remote= 85.205.30.159:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-aes 256 esp-sha256-hmac (Tunnel), esn= FALSE,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Sep 21 15:07:02.228: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
Sep 21 15:07:02.228: (ipsec_process_proposal)Map Accepted: Tunnel50-head-0, 65537
Sep 21 15:07:02.228: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Sep 21 15:07:02.228: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 256
src port : 0
dst port : 0
Sep 21 15:07:02.228: IPSEC:(SESSION ID = 16382) (crypto_ipsec_create_ipsec_sas) Map found Tunnel50-head-0, 65537
Sep 21 15:07:02.228: IPSEC:(SESSION ID = 16382) (crypto_ipsec_sa_find_ident_head) reconnecting with the same proxies and peer 85.205.30.159
Sep 21 15:07:02.229: IPSEC:(SESSION ID = 16382) (get_old_outbound_sa_for_peer) No outbound SA found for peer 7F78D36B6B70
Sep 21 15:07:02.229: IPSEC:(SESSION ID = 16382) (create_sa) sa created,
(sa) sa_dest= 10.28.56.71, sa_proto= 50,
Seems to be a phase 1 issue, correct?
After taking the debugs, I talked to the engineer who is directly responsible for the router, and he responded:
"I have to flap the interface or admin shut it and no shut for the interface to reset and come up along with the BGP. We use those IPs for BGP because the CSR is in an AWS cloud environment and it works for the other IPS we are connected to. If you look at the time from when the interface comes up to the time it shuts, it is an hour exactly."
From the previous logs, I am not sure if this might be related to a local interface problem or the VPN. What would you suggest I investigate?
Thanks again!