ASA IPSec Ikev2 VPN tunnel down issue

preetpeethambaran — Thu, 16 Jul 2020 11:03:30 GMT

Need support, as we are facing issue with VPN tunnels which went down in ASA. Tunnel was up and was working fine, but suddenly it went down. Below are the error message i am getting on ASA firewall.

Need support to figure out this issue.

IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: attempting to find tunnel group for IP: 62.193.73.40
IKEv2-PLAT-2: mapped to tunnel group 62.193.73.40 using peer IP
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: my_auth_method = 2
IKEv2-PLAT-2: supported_peers_auth_method = 2
IKEv2-PLAT-2: P1 ID = 0
IKEv2-PLAT-2: Translating IKE_ID_AUTO to = 255
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0x5F3E7150, error FALSE
IKEv2-PLAT-2:
IKEv2 received a requested SPI from CTM and waiting for 5 more SPIs
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0xD8BE34AF, error FALSE
IKEv2-PLAT-2:
IKEv2 received a requested SPI from CTM and waiting for 4 more SPIs
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0xC8E638DD, error FALSE
IKEv2-PLAT-2:
IKEv2 received a requested SPI from CTM and waiting for 3 more SPIs
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0x586654AF, error FALSE
IKEv2-PLAT-2:
IKEv2 received a requested SPI from CTM and waiting for 2 more SPIs
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0x81D31FB5, error FALSE
IKEv2-PLAT-2:
IKEv2 received a requested SPI from CTM and waiting for 1 more SPIs
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0x63593133, error FALSE
IKEv2-PLAT-2:
IKEv2 received all requested SPIs from CTM to initiate tunnel.
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: tp_name set to:
IKEv2-PLAT-2: tg_name set to: 62.193.73.40
IKEv2-PLAT-2: tunn grp type set to: L2L
IKEv2-PLAT-5: New ikev2 sa request admitted
IKEv2-PLAT-5: Incrementing outgoing negotiating sa count by one
IKEv2-PLAT-3: (974): SENT PKT [IKE_SA_INIT] [41.65.204.228]:500->[62.193.73.40]:500 InitSPI=0x020d81dc2ec6afd0 RespSPI=0x0000000000000000 MID=00000000

IKEv2 Recv RAW packet dump
02 0d 81 dc 2e c6 af d0 2e c3 fa b7 73 42 0d c4 | ............sB..
29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08 | ) " .......$....
01 00 00 0e | ....
IKEv2-PLAT-3: RECV PKT [IKE_SA_INIT] [62.193.73.40]:500->[41.65.204.228]:500 InitSPI=0x020d81dc2ec6afd0 RespSPI=0x2ec3fab773420dc4 MID=00000000
IKEv2-PLAT-5: Negotiating SA request deleted
IKEv2-PLAT-5: Decrement count for outgoing negotiating
IKEv2-PLAT-2: (974): PSH cleanup
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0x5F3E7150 error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xD8BE34AF error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xC8E638DD error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0x586654AF error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0x81D31FB5 error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0x63593133 error FALSE
IKEv2-PLAT-2: Received PFKEY Acquire SA for SPI 0x0, error FALSE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: attempting to find tunnel group for IP: 62.193.73.40
IKEv2-PLAT-2: mapped to tunnel group 62.193.73.40 using peer IP
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: my_auth_method = 2
IKEv2-PLAT-2: supported_peers_auth_method = 2
IKEv2-PLAT-2: P1 ID = 0
IKEv2-PLAT-2: Translating IKE_ID_AUTO to = 255
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0xD224F1DF, error FALSE
IKEv2-PLAT-2:
IKEv2 received a requested SPI from CTM and waiting for 5 more SPIs
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0x73A78E47, error FALSE
IKEv2-PLAT-2:
IKEv2 received a requested SPI from CTM and waiting for 4 more SPIs
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0x10186562, error FALSE
IKEv2-PLAT-2:
IKEv2 received a requested SPI from CTM and waiting for 3 more SPIs
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0x7F10A3FF, error FALSE
IKEv2-PLAT-2:
IKEv2 received a requested SPI from CTM and waiting for 2 more SPIs
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0x869898E1, error FALSE
IKEv2-PLAT-2:
IKEv2 received a requested SPI from CTM and waiting for 1 more SPIs
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0xB5857108, error FALSE
IKEv2-PLAT-2:
IKEv2 received all requested SPIs from CTM to initiate tunnel.
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: tp_name set to:
IKEv2-PLAT-2: tg_name set to: 62.193.73.40
IKEv2-PLAT-2: tunn grp type set to: L2L
IKEv2-PLAT-5: New ikev2 sa request admitted
IKEv2-PLAT-5: Incrementing outgoing negotiating sa count by one
IKEv2-PLAT-3: (975): SENT PKT [IKE_SA_INIT] [41.65.204.228]:500->[62.193.73.40]:500 InitSPI=0xc23347e2222776cc RespSPI=0x0000000000000000 MID=00000000

IKEv2 Recv RAW packet dump
c2 33 47 e2 22 27 76 cc d8 1b 84 86 93 1d 51 14 | .3G."'v.......Q.
29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08 | ) " .......$....
01 00 00 0e | ....
IKEv2-PLAT-3: RECV PKT [IKE_SA_INIT] [62.193.73.40]:500->[41.65.204.228]:500 InitSPI=0xc23347e2222776cc RespSPI=0xd81b8486931d5114 MID=00000000
IKEv2-PLAT-5: Negotiating SA request deleted
IKEv2-PLAT-5: Decrement count for outgoing negotiating
IKEv2-PLAT-2: (975): PSH cleanup
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xD224F1DF error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0x73A78E47 error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0x10186562 error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0x7F10A3FF error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0x869898E1 error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xB5857108 error FALSE
IKEv2-PLAT-2: Received PFKEY Acquire SA for SPI 0x0, error FALSE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: attempting to find tunnel group for IP: 62.193.73.40
IKEv2-PLAT-2: mapped to tunnel group 62.193.73.40 using peer IP
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: my_auth_method = 2
IKEv2-PLAT-2: supported_peers_auth_method = 2
IKEv2-PLAT-2: P1 ID = 0
IKEv2-PLAT-2: Translating IKE_ID_AUTO to = 255
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0x4701E818, error FALSE
IKEv2-PLAT-2:
IKEv2 received a requested SPI from CTM and waiting for 5 more SPIs
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0x6CF14D00, error FALSE
IKEv2-PLAT-2:
IKEv2 received a requested SPI from CTM and waiting for 4 more SPIs
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0x4A4E81C9, error FALSE
IKEv2-PLAT-2:
IKEv2 received a requested SPI from CTM and waiting for 3 more SPIs
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0x8D7B56D0, error FALSE
IKEv2-PLAT-2:
IKEv2 received a requested SPI from CTM and waiting for 2 more SPIs
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0x70FE0DEF, error FALSE
IKEv2-PLAT-2:
IKEv2 received a requested SPI from CTM and waiting for 1 more SPIs
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0x8D374785, error FALSE
IKEv2-PLAT-2:
IKEv2 received all requested SPIs from CTM to initiate tunnel.
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: tp_name set to:
IKEv2-PLAT-2: tg_name set to: 62.193.73.40
IKEv2-PLAT-2: tunn grp type set to: L2L
IKEv2-PLAT-5: New ikev2 sa request admitted
IKEv2-PLAT-5: Incrementing outgoing negotiating sa count by one
IKEv2-PLAT-3: (976): SENT PKT [IKE_SA_INIT] [41.65.204.228]:500->[62.193.73.40]:500 InitSPI=0x0f013f25474cd723 RespSPI=0x0000000000000000 MID=00000000

Re: ASA IPSec Ikev2 VPN tunnel down issue

Sheraz.Salim — Sun, 19 Jul 2020 15:22:27 GMT

Is your issue fixed? need more data to find out what cause an issue.

could you capture data and share with us.

    Debugs:

Debug crypto condition peer 62.193.73.40
Debug crypto ikev2 platform 255
Debug crypto ikev2 protocol 255
Debug crypto ipsec 255
 

    Capture:

Capture isa type isakmp interface outside match ip host 62.193.73.40 host (outside ASA ip address)

Re: ASA IPSec Ikev2 VPN tunnel down issue

preetpeethambaran — Wed, 19 Aug 2020 12:32:31 GMT

Thanks for the reply.
Issue is fixed - There was mismatch in Phase1 parameter on both sides.

Re: ASA IPSec Ikev2 VPN tunnel down issue

Yordan1 — Tue, 25 Jul 2023 09:00:29 GMT

What exactly was the problem? - the use of ikev1 instead of ikev2?

topic Re: ASA IPSec Ikev2 VPN tunnel down issue in Network Security

ASA IPSec Ikev2 VPN tunnel down issue

Re: ASA IPSec Ikev2 VPN tunnel down issue

Re: ASA IPSec Ikev2 VPN tunnel down issue

Re: ASA IPSec Ikev2 VPN tunnel down issue