https://community.cisco.com/t5/network-security/establishing-direct-ipsec-v6-tunnel-between-cisco-csr-and-nsx-ep/m-p/4535509#M1086636 <P>I'm trying to establish IPv6 in IPv6 direct tunnels between Cisco CSR router and NSX-EP. I see phase1 negotiation succeeds but phase2 negotiation fails with following error:<BR /><BR />Jan 20 20:24:51.512: IKEv2:(SESSION ID = 28799,SA ID = 2):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started<BR />*Jan 20 20:24:51.512: IKEv2:(SESSION ID = 28799,SA ID = 2):Session with IKE ID PAIR (FD00:1:1:1::2, FD00:BBBB:1:11::1) is UP<BR />*Jan 20 20:24:51.512: IKEv2:IKEv2 MIB tunnel started, tunnel index 2<BR />*Jan 20 20:24:51.512: IKEv2:(SESSION ID = 28799,SA ID = 2):Load IPSEC key material<BR />*Jan 20 20:24:51.512: IKEv2:(SA ID = 2):[IKEv2 -&gt; IPsec] Create IPsec SA into IPsec database<BR />*Jan 20 20:24:51.512: IPSEC(key_engine): got a queue event with 1 KMI message(s)<BR />*Jan 20 20:24:51.513: IPSEC:(SESSION ID = 28799) (crypto_ipsec_create_ipsec_sas) Map found Tunnel11-head-0, 65537<BR />*Jan 20 20:24:51.513: crypto_engine: Generate IKEv2 keying<BR />*Jan 20 20:24:51.513: crypto_engine_ipsec_key_create_by_keys: Error: unsupported capability IPv6 and UDP-encaps<BR />*Jan 20 20:24:51.513: IPSEC:(SESSION ID = 28799) (get_old_outbound_sa_for_peer) No outbound SA found for peer 7FA9A9926BB8<BR />*Jan 20 20:24:51.513: IPSEC:(SESSION ID = 28799) (update_current_outbound_sa) updated peer FD00:1:1:1::2 current outbound sa to SPI 0<BR />*Jan 20 20:24:51.513: IPSEC(send_delete_notify_kmi): ASSERT FAILED: Decrement count mismatch for sibling :7FA9A98F5778<BR />*Jan 20 20:24:51.513: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS<BR />*Jan 20 20:24:51.513: crypto engine: deleting IPSec SA ???<BR />*Jan 20 20:24:51.513: delete_ipsec_sa: no such crypto engine<BR />*Jan 20 20:24:51.513: crypto engine: deleting IPSec SA ???<BR />*Jan 20 20:24:51.513: delete_ipsec_sa: no such crypto engine<BR />*Jan 20 20:24:51.513: IPSEC(ident_send_delete_notify_kmi): not in msg context Ident Delete SA msg: 0<BR />*Jan 20 20:24:51.513: IKEv2:(SA ID = 2):[IPsec -&gt; IKEv2] Creation of IPsec SA into IPsec database FAILED<BR />*Jan 20 20:24:51.515: IKEv2:(SESSION ID = 28799,SA ID = 2):: Creation/Installation of IPsec SA into IPsec DB failed<BR />*Jan 20 20:24:51.515: IKEv2:(SESSION ID = 28799,SA ID = 2):Queuing IKE SA delete request reason: unknown<BR />*Jan 20 20:24:51.515: IKEv2:(SESSION ID = 28799,SA ID = 2):Sending DELETE INFO message for IPsec SA [SPI: 0xDE324A31]<BR />*Jan 20 20:24:51.515: IKEv2:(SESSION ID = 28799,SA ID = 2):Building packet for encryption.<BR />Payload contents:<BR /><BR />Can someone throw some light into it.<BR /><BR /></P> Fri, 21 Jan 2022 04:11:14 GMT somj.shukla 2022-01-21T04:11:14Z https://community.cisco.com/t5/network-security/establishing-direct-ipsec-v6-tunnel-between-cisco-csr-and-nsx-ep/m-p/4535509#M1086636 <P>I'm trying to establish IPv6 in IPv6 direct tunnels between Cisco CSR router and NSX-EP. I see phase1 negotiation succeeds but phase2 negotiation fails with following error:<BR /><BR />Jan 20 20:24:51.512: IKEv2:(SESSION ID = 28799,SA ID = 2):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started<BR />*Jan 20 20:24:51.512: IKEv2:(SESSION ID = 28799,SA ID = 2):Session with IKE ID PAIR (FD00:1:1:1::2, FD00:BBBB:1:11::1) is UP<BR />*Jan 20 20:24:51.512: IKEv2:IKEv2 MIB tunnel started, tunnel index 2<BR />*Jan 20 20:24:51.512: IKEv2:(SESSION ID = 28799,SA ID = 2):Load IPSEC key material<BR />*Jan 20 20:24:51.512: IKEv2:(SA ID = 2):[IKEv2 -&gt; IPsec] Create IPsec SA into IPsec database<BR />*Jan 20 20:24:51.512: IPSEC(key_engine): got a queue event with 1 KMI message(s)<BR />*Jan 20 20:24:51.513: IPSEC:(SESSION ID = 28799) (crypto_ipsec_create_ipsec_sas) Map found Tunnel11-head-0, 65537<BR />*Jan 20 20:24:51.513: crypto_engine: Generate IKEv2 keying<BR />*Jan 20 20:24:51.513: crypto_engine_ipsec_key_create_by_keys: Error: unsupported capability IPv6 and UDP-encaps<BR />*Jan 20 20:24:51.513: IPSEC:(SESSION ID = 28799) (get_old_outbound_sa_for_peer) No outbound SA found for peer 7FA9A9926BB8<BR />*Jan 20 20:24:51.513: IPSEC:(SESSION ID = 28799) (update_current_outbound_sa) updated peer FD00:1:1:1::2 current outbound sa to SPI 0<BR />*Jan 20 20:24:51.513: IPSEC(send_delete_notify_kmi): ASSERT FAILED: Decrement count mismatch for sibling :7FA9A98F5778<BR />*Jan 20 20:24:51.513: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS<BR />*Jan 20 20:24:51.513: crypto engine: deleting IPSec SA ???<BR />*Jan 20 20:24:51.513: delete_ipsec_sa: no such crypto engine<BR />*Jan 20 20:24:51.513: crypto engine: deleting IPSec SA ???<BR />*Jan 20 20:24:51.513: delete_ipsec_sa: no such crypto engine<BR />*Jan 20 20:24:51.513: IPSEC(ident_send_delete_notify_kmi): not in msg context Ident Delete SA msg: 0<BR />*Jan 20 20:24:51.513: IKEv2:(SA ID = 2):[IPsec -&gt; IKEv2] Creation of IPsec SA into IPsec database FAILED<BR />*Jan 20 20:24:51.515: IKEv2:(SESSION ID = 28799,SA ID = 2):: Creation/Installation of IPsec SA into IPsec DB failed<BR />*Jan 20 20:24:51.515: IKEv2:(SESSION ID = 28799,SA ID = 2):Queuing IKE SA delete request reason: unknown<BR />*Jan 20 20:24:51.515: IKEv2:(SESSION ID = 28799,SA ID = 2):Sending DELETE INFO message for IPsec SA [SPI: 0xDE324A31]<BR />*Jan 20 20:24:51.515: IKEv2:(SESSION ID = 28799,SA ID = 2):Building packet for encryption.<BR />Payload contents:<BR /><BR />Can someone throw some light into it.<BR /><BR /></P> Fri, 21 Jan 2022 04:11:14 GMT https://community.cisco.com/t5/network-security/establishing-direct-ipsec-v6-tunnel-between-cisco-csr-and-nsx-ep/m-p/4535509#M1086636 somj.shukla 2022-01-21T04:11:14Z