IKEv2 Error - no matching policy found

mkrishnan
Level 1

Platform: ASR1000

Ver: 17.3.4a

Symptom: Similar to the bug reported under CSCvh18158 -- no policy/proposal is matched even though it is specifically configured for the peer, and multiple IKEv2 SA sessions are active and established with status Up-idle.

Error:

Jun 29 19:32:08.784: IKEv2:(SESSION ID = 5219749,SA ID = 83):
Jun 29 19:32:08.785: IKEv2:(SESSION ID = 5219749,SA ID = 83):(SA ID = 83):[IPsec -> IKEv2] Callback received for the validate proposal - FAILED.

Jun 29 19:32:08.786: IKEv2-ERROR:(SESSION ID = 5219749,SA ID = 83):Received Policies: : Failed to find a matching policyESP: Proposal 1: AES-CBC-128 SHA256 Don't use ESN

Jun 29 19:32:08.794: IKEv2-ERROR:(SESSION ID = 5219749,SA ID = 83):: Failed to find a matching policy

IKEV2 profile:

IKEv2 profile: Profile_Business_IoT
Ref Count: 2
Match criteria:
Fvrf: global
Local address/interface: none
Identities:
address xx.xxx.xx.xx 255.255.255.255
Certificate maps: none
Local identity: none
Remote identity: none
Local authentication method: pre-share
Remote authentication method(s): pre-share
EAP options: none
Keyring: Keyring_Business_IoT
Trustpoint(s): none
Lifetime: 3600 seconds
DPD: disabled
NAT-keepalive: disabled
Ivrf: none
Virtual-template: none
mode auto: none
AAA AnyConnect EAP authentication mlist: none
AAA EAP authentication mlist: none
AAA Accounting: none
AAA group authorization: none
AAA user authorization: none

Policy: (Policy

IKEv2 policy : 5
Match fvrf : global
Match address local : any
Proposal : proposal5
Proposal : proposal9
Proposal : proposal4
Proposal : proposal10
Proposal : i
Proposal : proposal1
Proposal : proposal2
Proposal : proposal3
Proposal : proposal6
Proposal : proposal7
Proposal : proposal8
Proposal : Business_IoT

IKEv2 policy : Business_IoT (specific policy created for this peer, but always policy 5 is matched)
Match fvrf : global
Match address local : any
Proposal : Business_IoT
Proposal: (this matches with the peer, but proposal 1 from policy 5 is used)

IKEv2 proposal: Business_IoT
Encryption : AES-CBC-128
Integrity : SHA256
PRF : SHA256
DH Group : DH_GROUP_2048_MODP/Group 14

crypto map:

Crypto Map IPv4 "ibasisvpn" 2700 ipsec-isakmp
Description: Business-IOT-Testsims
Peer = xx.xx.xx.xx
IKEv2 Profile: Profile_Business_IoT
Extended IP access list Business-IOT-Testsims
access-list Business-IOT-Testsims permit ip 10.68.0.0 0.0.0.15 10.128.0.0 0.127.255.255
Current peer: xx.xx.xx.xx
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group14
Mixed-mode : Disabled
Transform sets={
Business-IOT: { esp-192-aes esp-sha256-hmac } ,
}
Reverse Route Injection Enabled

Attached debug report, please suggest. Thank you.
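The IKEv2-ERROR line in the post prints the ESP (child SA) proposal received from the peer, AES-CBC-128 SHA256, while the crypto map's transform set is esp-192-aes esp-sha256-hmac. As an added example (not from the poster or from Cisco), here is a small checker that parses such a debug line and compares it against the local transform sets; the keyword-to-algorithm-name mapping is an assumption and should be extended for other transforms.

```python
import re

# Constructed sample input copied from the post: the IKEv2-ERROR debug line that
# carries the peer's received ESP proposal, and the local crypto-map transform set.
DEBUG_LINE = ("Jun 29 19:32:08.786: IKEv2-ERROR:(SESSION ID = 5219749,SA ID = 83):"
              "Received Policies: : Failed to find a matching policy"
              "ESP: Proposal 1: AES-CBC-128 SHA256 Don't use ESN")
TRANSFORM_SETS = {"Business-IOT": "esp-192-aes esp-sha256-hmac"}

# Assumed mapping from IOS transform-set keywords to the algorithm names that the
# IKEv2 debug prints for a received ESP proposal (extend for other transforms).
IOS_TO_DEBUG = {
    "esp-aes": "AES-CBC-128", "esp-128-aes": "AES-CBC-128",
    "esp-192-aes": "AES-CBC-192", "esp-256-aes": "AES-CBC-256",
    "esp-3des": "3DES",
    "esp-sha-hmac": "SHA96", "esp-sha256-hmac": "SHA256",
    "esp-sha384-hmac": "SHA384", "esp-sha512-hmac": "SHA512",
}
_PROPOSAL_RE = re.compile(r"ESP: Proposal (\d+): (\S+) (\S+)")


def parse_received_esp(debug_line):
    """Return [(proposal_no, encryption, integrity), ...] found in a debug line."""
    return [(int(n), enc, integ) for n, enc, integ in _PROPOSAL_RE.findall(debug_line)]


def normalize_transform_set(transforms):
    """Translate an IOS transform-set string into (encryption, integrity) debug names."""
    enc = integ = None
    for token in transforms.split():
        name = IOS_TO_DEBUG.get(token)
        if name is None:
            raise ValueError(f"unknown transform keyword: {token}")
        if name.startswith("SHA"):
            integ = name
        else:
            enc = name
    return enc, integ


def find_matching_sets(debug_line, transform_sets):
    """Names of local transform sets that exactly match any ESP proposal the peer sent."""
    received = parse_received_esp(debug_line)
    matches = []
    for name, transforms in transform_sets.items():
        local = normalize_transform_set(transforms)
        if any((enc, integ) == local for _, enc, integ in received):
            matches.append(name)
    return matches


if __name__ == "__main__":
    # With the post's values this prints [] : no local set offers AES-CBC-128 SHA256.
    print(find_matching_sets(DEBUG_LINE, TRANSFORM_SETS))
```

An empty result means the child SA negotiation cannot succeed regardless of which IKEv2 policy or proposal matched, so the transform set and the peer's ESP proposal are the first things to compare.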
