CSCuy39186 - IKEv2 S2S tunnel does not come up because previous sa not deleted

ESPSystex
Level 1

Anyone else still experiencing this bug? We have a tunnel between two 5525X running 9.6.4 with one side showing this bug; we also had this in 9.6.0 and 9.6.2. The current 9.6.4 has been running on our ASAs (we have 12) for just over 6 months with no issues, then out of the blue one of them is showing the same duplicate SA bug as we have experienced in the past.

 

Logs (IPs changed for privacy):

 

2019-01-18 00:04:57 Local4.Debug 192.168.1.1 Jan 17 2019 23:59:34: %ASA-7-751003: Local:1.1.1.1:500 Remote:2.2.2.2:500 Username:2.2.2.2 IKEv2 Need to send a DPD message to peer
2019-01-18 00:04:57 Local4.Debug 192.168.1.1 Jan 17 2019 23:59:35: %ASA-7-713906: IKE Receiver: Packet received on 1.1.1.1:500 from 2.2.2.2:500
2019-01-18 00:05:00 Local4.Debug 192.168.1.1 Jan 17 2019 23:59:37: %ASA-7-713906: IKE Receiver: Packet received on 1.1.1.1:500 from 2.2.2.2:500
2019-01-18 00:09:57 Local4.Debug 192.168.1.1 Jan 18 2019 00:04:34: %ASA-7-751003: Local:1.1.1.1:500 Remote:2.2.2.2:500 Username:2.2.2.2 IKEv2 Need to send a DPD message to peer
2019-01-18 00:09:57 Local4.Debug 192.168.1.1 Jan 18 2019 00:04:35: %ASA-7-713906: IKE Receiver: Packet received on 1.1.1.1:500 from 2.2.2.2:500
2019-01-18 00:10:00 Local4.Debug 192.168.1.1 Jan 18 2019 00:04:37: %ASA-7-713906: IKE Receiver: Packet received on 1.1.1.1:500 from 2.2.2.2:500
2019-01-18 00:13:27 Local4.Debug 192.168.1.1 Jan 18 2019 00:08:04: %ASA-7-751003: Local:1.1.1.1:500 Remote:2.2.2.2:500 Username:2.2.2.2 IKEv2 Need to send a DPD message to peer
2019-01-18 00:13:48 Local4.Notice 192.168.1.1 Jan 18 2019 00:08:25: %ASA-5-750007: Local:1.1.1.1:500 Remote:2.2.2.2:500 Username:2.2.2.2 IKEv2 SA DOWN. Reason: peer lost
2019-01-18 00:13:48 Local4.Info 192.168.1.1 Jan 18 2019 00:08:25: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC5564744) between 1.1.1.1 and 2.2.2.2 (user= 2.2.2.2) has been deleted.
2019-01-18 00:13:48 Local4.Info 192.168.1.1 Jan 18 2019 00:08:25: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x170EDD8B) between 2.2.2.2 and 1.1.1.1 (user= 2.2.2.2) has been deleted.
2019-01-18 00:13:48 Local4.Info 192.168.1.1 Jan 18 2019 00:08:25: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xE9269F7C) between 1.1.1.1 and 2.2.2.2 (user= 2.2.2.2) has been deleted.
2019-01-18 00:13:48 Local4.Info 192.168.1.1 Jan 18 2019 00:08:25: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xF4A412DD) between 2.2.2.2 and 1.1.1.1 (user= 2.2.2.2) has been deleted.
2019-01-18 00:13:48 Local4.Notice 192.168.1.1 Jan 18 2019 00:08:25: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = Outside_DIA_map2. Map Sequence Number = 2.
2019-01-18 00:13:48 Local4.Notice 192.168.1.1 Jan 18 2019 00:08:25: %ASA-5-750001: Local:1.1.1.1:500 Remote:2.2.2.2:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 192.168.1.111-192.168.1.111 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 192.168.2.161-192.168.2.161 Protocol: 0 Port Range: 0-65535
2019-01-18 00:13:53 Local4.Debug 192.168.1.1 Jan 18 2019 00:08:30: %ASA-7-752008: Duplicate entry already in Tunnel Manager
2019-01-18 00:13:58 Local4.Debug 192.168.1.1 Jan 18 2019 00:08:35: %ASA-7-752008: Duplicate entry already in Tunnel Manager
2019-01-18 00:14:03 Local4.Debug 192.168.1.1 Jan 18 2019 00:08:40: %ASA-7-752008: Duplicate entry already in Tunnel Manager
2019-01-18 00:14:07 Local4.Notice 192.168.1.1 Jan 18 2019 00:08:44: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = Outside_DIA_map2. Map Sequence Number = 2.
2019-01-18 00:14:07 Local4.Notice 192.168.1.1 Jan 18 2019 00:08:44: %ASA-5-750001: Local:1.1.1.1:500 Remote:2.2.2.2:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 192.168.1.159-192.168.1.159 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 10.1.1.81-10.1.1.81 Protocol: 0 Port Range: 0-65535
2019-01-18 00:14:07 Local4.Debug 192.168.1.1 Jan 18 2019 00:08:44: %ASA-7-752002: Tunnel Manager Removed entry. Map Tag = Outside_DIA_map2. Map Sequence Number = 2.
2019-01-18 00:14:07 Local4.Debug 192.168.1.1 Jan 18 2019 00:08:45: %ASA-7-713906: IKE Receiver: Packet received on 1.1.1.1:500 from 2.2.2.2:500
2019-01-18 00:14:08 Local4.Debug 192.168.1.1 Jan 18 2019 00:08:45: %ASA-7-752008: Duplicate entry already in Tunnel Manager
2019-01-18 00:14:10 Local4.Debug 192.168.1.1 Jan 18 2019 00:08:48: %ASA-7-713906: IKE Receiver: Packet received on 1.1.1.1:500 from 2.2.2.2:500
2019-01-18 00:14:13 Local4.Debug 192.168.1.1 Jan 18 2019 00:08:50: %ASA-7-752008: Duplicate entry already in Tunnel Manager
2019-01-18 00:14:13 Local4.Debug 192.168.1.1 Jan 18 2019 00:08:51: %ASA-7-713906: IKE Receiver: Packet received on 1.1.1.1:500 from 2.2.2.2:500
2019-01-18 00:14:16 Local4.Notice 192.168.1.1 Jan 18 2019 00:08:53: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = Outside_DIA_map2. Map Sequence Number = 2.
2019-01-18 00:14:16 Local4.Notice 192.168.1.1 Jan 18 2019 00:08:53: %ASA-5-750001: Local:1.1.1.1:500 Remote:2.2.2.2:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 192.168.1.159-192.168.1.159 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 10.1.1.81-10.1.1.81 Protocol: 0 Port Range: 0-65535
2019-01-18 00:14:16 Local4.Debug 192.168.1.1 Jan 18 2019 00:08:53: %ASA-7-752002: Tunnel Manager Removed entry. Map Tag = Outside_DIA_map2. Map Sequence Number = 2.
2019-01-18 00:14:16 Local4.Debug 192.168.1.1 Jan 18 2019 00:08:53: %ASA-7-713906: IKE Receiver: Packet received on 1.1.1.1:500 from 2.2.2.2:500
2019-01-18 00:14:16 Local4.Debug 192.168.1.1 Jan 18 2019 00:08:53: %ASA-7-713906: IKE Receiver: Packet received on 1.1.1.1:500 from 2.2.2.2:500
2019-01-18 00:14:16 Local4.Notice 192.168.1.1 Jan 18 2019 00:08:53: %ASA-5-750006: Local:1.1.1.1:500 Remote:2.2.2.2:500 Username:2.2.2.2 IKEv2 SA UP. Reason: New Connection Established
2019-01-18 00:14:16 Local4.Info 192.168.1.1 Jan 18 2019 00:08:53: %ASA-6-113009: AAA retrieved default group policy (GroupPolicy1) for user = 2.2.2.2
2019-01-18 00:14:16 Local4.Notice 192.168.1.1 Jan 18 2019 00:08:53: %ASA-5-752016: IKEv2 was successful at setting up a tunnel. Map Tag = Outside_DIA_map2. Map Sequence Number = 2.
2019-01-18 00:14:16 Local4.Debug 192.168.1.1 Jan 18 2019 00:08:53: %ASA-7-752002: Tunnel Manager Removed entry. Map Tag = Outside_DIA_map2. Map Sequence Number = 2.
2019-01-18 00:14:16 Local4.Info 192.168.1.1 Jan 18 2019 00:08:53: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x0C758779) between 1.1.1.1 and 2.2.2.2 (user= 2.2.2.2) has been created.
2019-01-18 00:14:16 Local4.Info 192.168.1.1 Jan 18 2019 00:08:53: %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x75F79862) between 1.1.1.1 and 2.2.2.2 (user= 2.2.2.2) has been created.
2019-01-18 00:14:41 Local4.Debug 192.168.1.1 Jan 18 2019 00:09:18: %ASA-7-713906: IKE Receiver: Packet received on 1.1.1.1:500 from 2.2.2.2:500
2019-01-18 00:14:41 Local4.Info 192.168.1.1 Jan 18 2019 00:09:18: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xA83B1A84) between 1.1.1.1 and 2.2.2.2 (user= 2.2.2.2) has been created.
2019-01-18 00:14:41 Local4.Info 192.168.1.1 Jan 18 2019 00:09:18: %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x2AE57A94) between 1.1.1.1 and 2.2.2.2 (user= 2.2.2.2) has been created.
2019-01-18 00:20:27 Local4.Debug 192.168.1.1 Jan 18 2019 00:15:04: %ASA-7-751003: Local:1.1.1.1:500 Remote:2.2.2.2:500 Username:2.2.2.2 IKEv2 Need to send a DPD message to peer
2019-01-18 00:20:27 Local4.Debug 192.168.1.1 Jan 18 2019 00:15:05: %ASA-7-713906: IKE Receiver: Packet received on 1.1.1.1:500 from 2.2.2.2:500
2019-01-18 00:20:30 Local4.Debug 192.168.1.1 Jan 18 2019 00:15:07: %ASA-7-713906: IKE Receiver: Packet received on 1.1.1.1:500 from 2.2.2.2:500
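Added example, not part of the post and not Cisco code: a small Python script that replays the ASA 602303/602304 SA create/delete messages and counts 752008 "Duplicate entry" messages, flagging any peer pair that ends up with more than one live IPsec SA per direction, which is the duplicate-SA symptom in the log above (the second create pair at 00:09:18 with no matching delete). The sample lines are constructed from the sanitized messages in the post; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the sanitized ASA syslog in the post above.
SAMPLE_LOG = """\
%ASA-5-750007: Local:1.1.1.1:500 Remote:2.2.2.2:500 Username:2.2.2.2 IKEv2 SA DOWN. Reason: peer lost
%ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC5564744) between 1.1.1.1 and 2.2.2.2 (user= 2.2.2.2) has been deleted.
%ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x170EDD8B) between 2.2.2.2 and 1.1.1.1 (user= 2.2.2.2) has been deleted.
%ASA-7-752008: Duplicate entry already in Tunnel Manager
%ASA-7-752008: Duplicate entry already in Tunnel Manager
%ASA-5-750006: Local:1.1.1.1:500 Remote:2.2.2.2:500 Username:2.2.2.2 IKEv2 SA UP. Reason: New Connection Established
%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x0C758779) between 1.1.1.1 and 2.2.2.2 (user= 2.2.2.2) has been created.
%ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x75F79862) between 1.1.1.1 and 2.2.2.2 (user= 2.2.2.2) has been created.
%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xA83B1A84) between 1.1.1.1 and 2.2.2.2 (user= 2.2.2.2) has been created.
%ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x2AE57A94) between 1.1.1.1 and 2.2.2.2 (user= 2.2.2.2) has been created.
"""

MSG_RE = re.compile(r"%ASA-\d-(\d{6}): (.*)")
SA_RE = re.compile(r"An (inbound|outbound) LAN-to-LAN SA \(SPI= (0x[0-9A-Fa-f]+)\) between (\S+) and (\S+)")

def track_ipsec_sas(lines):
    """Replay create (602303) / delete (602304) messages.
    Returns ({(direction, peer_pair): set(spi)}, count of 752008 messages)."""
    live = defaultdict(set)
    dup_entries = 0
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue
        msg_id, text = m.groups()
        if msg_id == "752008":          # Tunnel Manager refused a second KEY_ACQUIRE
            dup_entries += 1
        elif msg_id in ("602303", "602304"):
            sa = SA_RE.search(text)
            if not sa:
                continue
            direction, spi, a, b = sa.groups()
            # The ASA prints the address pair in either order; normalise it.
            key = (direction, frozenset((a, b)))
            if msg_id == "602303":
                live[key].add(spi)
            else:
                live[key].discard(spi)
    return live, dup_entries

def find_duplicate_sas(lines):
    """Peer pairs with more than one live SA in the same direction, plus the 752008 count."""
    live, dups = track_ipsec_sas(lines)
    return {k: sorted(v) for k, v in live.items() if len(v) > 1}, dups

if __name__ == "__main__":
    print(find_duplicate_sas(SAMPLE_LOG.splitlines()))
```

Run it over a longer syslog export for the affected ASA; a persistent entry with two SPIs per direction for the same peer is the state to clear (or to take to TAC with the bug ID) rather than a transient rekey overlap.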

 

1 Reply

ESPSystex
Level 1

I did find the following which we will be trying shortly: 

 

https://community.cisco.com/t5/firewalls/cisco-asa-vpn-duplicate-entry/td-p/2457232