12-27-2024 01:48 AM
Cisco IOS XE Software, Version 17.05.01a
Cisco IOS Software [Bengaluru], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.5.1a, RELEASE SOFTWARE (fc3)
Yes, this is a new configuration (now we use easyvpn and need to migrate) and I have a working trustpoint; I get the certificate and the first phase is initialized and the tunnel is up. After entering the login/password this happens. Then I see in the logs that the client is initializing the tunnel deletion; here is what it looks like.
Dec 26 09:59:14.908: IPSEC:(SESSION ID = 60) (create_sa) sa created,
(sa) sa_dest= ****PEER-IP-ADDRESS****, sa_proto= 50,
sa_spi= 0x124AFF43(306904899),
sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 2646
sa_lifetime(k/sec)= (4608000/86400),
(identity) local= ****ISR-IP-ADDRESS****:0, remote= ****PEER-IP-ADDRESS****:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 10.130.18.13/255.255.255.255/256/0
Dec 26 09:59:14.921: IPSEC(rte_mgr): VPN Route Event Install new outbound sa: Create IPV4 route from ACL for ****PEER-IP-ADDRESS****
Dec 26 09:59:14.922: IPSEC(rte_mgr): VPN Route Refcount 1 Virtual-Access2
Dec 26 09:59:14.922: IPSEC(rte_mgr): VPN Route Added 10.130.18.13 255.255.255.255 via Virtual-Access2 in IP DEFAULT TABLE with tag 0 distance 1
Dec 26 09:59:14.922: IKEv2:(SESSION ID = 60,SA ID = 1):(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
Dec 26 2024 09:59:14.922 EET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
Dec 26 09:59:14.926: IKEv2:(SESSION ID = 60,SA ID = 1):Checking for duplicate IKEv2 SA
Dec 26 09:59:14.926: IKEv2:(SESSION ID = 60,SA ID = 1):No duplicate IKEv2 SA found
Dec 26 09:59:14.926: IKEv2:(SESSION ID = 60,SA ID = 1):Starting timer (8 sec) to delete negotiation context
Dec 26 09:59:14.934: IKEv2:(SESSION ID = 60,SA ID = 1):Received Packet [From ****PEER-IP-ADDRESS****:55976/To ****ISR-IP-ADDRESS****:4500/VRF i0:f0]
Initiator SPI : B21A1971F9A72019 - Responder SPI : D4B671E5BCC66C25 Message id: 6
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
DELETE NOTIFY(DELETE_REASON)
Dec 26 09:59:14.935: IKEv2:(SESSION ID = 60,SA ID = 1):Building packet for encryption.
Dec 26 09:59:14.936: IKEv2:(SESSION ID = 60,SA ID = 1):Sending Packet [To ****PEER-IP-ADDRESS****:55976/From ****ISR-IP-ADDRESS****:4500/VRF i0:f0]
Initiator SPI : B21A1971F9A72019 - Responder SPI : D4B671E5BCC66C25 Message id: 6
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR
Dec 26 09:59:14.937: IKEv2:(SESSION ID = 60,SA ID = 1):Process delete request from peer
Dec 26 09:59:14.937: IKEv2:(SESSION ID = 60,SA ID = 1):Processing DELETE INFO message for IKEv2 SA [ISPI: 0xB21A1971F9A72019 RSPI: 0xD4B671E5BCC66C25]
Dec 26 09:59:14.937: IKEv2:(SESSION ID = 60,SA ID = 1):Check for existing active SA
Dec 26 09:59:14.937: IKEv2:(SESSION ID = 60,SA ID = 1):Delete all IKE SAs
Dec 26 09:59:14.937: IKEv2:(SESSION ID = 60,SA ID = 1):Deleting SA
Dec 26 09:59:14.937: IKEv2-ERROR:IKEv2 tunnel stop failed tunnel info 0x80007FDA18896A80
Dec 26 2024 09:59:14.937 EET: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is DOWN. Peer ****PEER-IP-ADDRESS****:55976 Id: *$AnyConnectClient$*
Dec 26 09:59:14.939: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec 26 09:59:14.939: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 6305
Dec 26 09:59:14.939: IPSEC:(SESSION ID = 60) (key_engine_delete_sas) rec'd delete notify from ISAKMP
Dec 26 09:59:14.939: IPSEC:(SESSION ID = 60) (key_engine_delete_sas) delete SA with spi 0xE73AAD25 proto 50 for ****ISR-IP-ADDRESS****
Dec 26 09:59:14.939: IPSEC:(SESSION ID = 60) (delete_sa) deleting SA,