IKEv2 to Cisco rekeying every 11 seconds [SOLVED]

Hi All:

I am terminating IKEV2 IPSec tunnels with a Cisco ISR4431 and WR21 routers.
This is the WR21 event log:
12:38:44, 15 Oct 2020,(7) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
12:38:33, 15 Oct 2020,(7) IKEv2 Negotiation completed pe,Responder
12:38:33, 15 Oct 2020,(7) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
12:38:23, 15 Oct 2020,(7) IKEv2 Negotiation completed pe,Responder
12:38:23, 15 Oct 2020,(7) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
12:38:12, 15 Oct 2020,(7) IKEv2 Negotiation completed pe,Responder
12:38:12, 15 Oct 2020,(7) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
12:38:02, 15 Oct 2020,(7) IKEv2 Negotiation completed pe,Initiator

The WR21 is initiating a rekeying every 11 seconds.

How do I stop this?
I have set the rekey interval for IKEv2 and IPSec on the Cisco at 14400 seconds and disabled rekeying on bytes transferred…so I know it's not the Cisco doing this.

On the WR21 I have set IKEv2 to renegotiate after 4 hours and rekey after 2 hours…
But as you can see above, it's doing it every 11 seconds.

Any tips on how I can get the WR21 to stop asking for the rekeying so often?

Model: WR21
Part Number: WR21-M72B-DE1-SB
Ethernet 0 MAC Address: 00:04:2d:0e:20:28
Serial: 925736

Firmware Version: 8.2.0.2 (Aug 20 2020 17:00:53)
SBIOS Version: 7.67u
Build Version: WW
HW Version: 1207a

Cheers,
John

So this continues to be an issue.
I have 20 WR21 units deployed and they are all doing this:
11:48:31, 20 Oct 2020,(28) IKEv2 Negotiation completed pe,Responder
11:48:31, 20 Oct 2020,(28) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
11:48:23, 20 Oct 2020,(29) IKEv2 Negotiation completed pe,Responder
11:48:23, 20 Oct 2020,(29) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
11:48:21, 20 Oct 2020,(28) IKEv2 Negotiation completed pe,Responder
11:48:21, 20 Oct 2020,(28) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
11:48:12, 20 Oct 2020,(29) IKEv2 Negotiation completed pe,Responder
11:48:12, 20 Oct 2020,(29) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
11:48:10, 20 Oct 2020,(28) IKEv2 Negotiation completed pe,Responder
11:48:10, 20 Oct 2020,(28) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
11:48:02, 20 Oct 2020,(29) IKEv2 Negotiation completed pe,Responder
11:48:02, 20 Oct 2020,(29) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
11:47:59, 20 Oct 2020,(28) IKEv2 Negotiation completed pe,Responder
11:47:59, 20 Oct 2020,(28) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)

I’d like some advice on how/why this is happening and a workaround to stop it.
The Cisco debug doesn’t show anything about this so wondering what the WR21 is on about.

Cheers,
john

Ok, I have confirmed that the Event log messages are generated from DPD messages sent from the Cisco.
I have confirmed this by changing the Cisco settings and it was reflected in the WR21 event log.

So, how can I set up the event log to ignore those messages?

Cheers,
John

Ok, so…
The messages I want to filter are:
174-1, IKEv2 Negotiation completed pe,Responder
173-1, New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)

Do I have those correct?

To filter these I use:
event 0 ev_filter 174,1
event 0 ev_filter 173,1

But neither of those worked.
I don’t want to filter all the 174 messages, just the 174,1…similar to the 173.

Is there any way to do that?

There is another issue at play here…
Why is the Digi lodging a DPD message from the Cisco as a “Negotiation Completed” event when it's just a DPD message?

Cheers,
john

This turned out NOT to be rekeying; the Digi logged an event as below when it got a DPD packet from the Cisco. The Neg complete message is inaccurate and one wonders WHY it's generating events on DPD packets.

Anyhow, this is solved.

Cheers,
john
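
Added example, not part of the original thread: a short Python script that measures the spacing of the "New IKEv2 Negotiation" entries per tunnel in the event log quoted above and compares it with the 2-hour rekey setting mentioned for the WR21. Treating the "(N)" field as a tunnel index and the thresholds in `classify` are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Lines copied from the WR21 event log quoted in the thread (newest first).
SAMPLE_LOG = """\
11:48:31, 20 Oct 2020,(28) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
11:48:23, 20 Oct 2020,(29) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
11:48:21, 20 Oct 2020,(28) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
11:48:12, 20 Oct 2020,(29) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
11:48:10, 20 Oct 2020,(28) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
11:48:02, 20 Oct 2020,(29) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
11:47:59, 20 Oct 2020,(28) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
"""

LINE_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2}, \d{1,2} \w{3} \d{4}),\((\d+)\) New IKEv2 Negotiation peer (\S+?),")

def negotiation_intervals(log_text):
    """Return {(index, peer): [seconds between events]}; index is the '(N)' field (assumed tunnel id)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%H:%M:%S, %d %b %Y")
            seen[(int(m.group(2)), m.group(3))].append(ts)
    out = {}
    for key, stamps in seen.items():
        stamps.sort()  # the log is newest-first, so order before differencing
        out[key] = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
    return out

def classify(intervals, rekey_lifetime_s, fraction=0.5):
    """Heuristic (assumed thresholds): steady gaps far below the lifetime are not lifetime rekeys."""
    verdicts = {}
    for key, gaps in intervals.items():
        if len(gaps) < 2:
            verdicts[key] = "insufficient data"
        elif median(gaps) < rekey_lifetime_s * fraction and max(gaps) - min(gaps) <= 2:
            verdicts[key] = "periodic, far below lifetime: check peer DPD/keepalive interval"
        else:
            verdicts[key] = "consistent with lifetime-driven rekey or irregular"
    return verdicts

if __name__ == "__main__":
    gaps = negotiation_intervals(SAMPLE_LOG)
    for key, verdict in classify(gaps, rekey_lifetime_s=7200).items():
        print(key, gaps[key], verdict)
```

A steady 10 to 11 second cadence on each index, against a 7200 second lifetime, points at a peer-side timer such as DPD rather than rekeying, which matches what the thread found.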