Establishing Direct IPSEC v6 tunnel between Cisco CSR and NSX-EP

somj.shukla · ‎01-20-2022

I'm trying to establish IPv6 in IPv6 direct tunnels between Cisco CSR router and NSX-EP. I see phase1 negotiation succeeds but phase2 negotiation fails with following error:

Jan 20 20:24:51.512: IKEv2:(SESSION ID = 28799,SA ID = 2):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Jan 20 20:24:51.512: IKEv2:(SESSION ID = 28799,SA ID = 2):Session with IKE ID PAIR (FD00:1:1:1::2, FD00:BBBB:1:11::1) is UP
*Jan 20 20:24:51.512: IKEv2:IKEv2 MIB tunnel started, tunnel index 2
*Jan 20 20:24:51.512: IKEv2:(SESSION ID = 28799,SA ID = 2):Load IPSEC key material
*Jan 20 20:24:51.512: IKEv2:(SA ID = 2):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
*Jan 20 20:24:51.512: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan 20 20:24:51.513: IPSEC:(SESSION ID = 28799) (crypto_ipsec_create_ipsec_sas) Map found Tunnel11-head-0, 65537
*Jan 20 20:24:51.513: crypto_engine: Generate IKEv2 keying
*Jan 20 20:24:51.513: crypto_engine_ipsec_key_create_by_keys: Error: unsupported capability IPv6 and UDP-encaps
*Jan 20 20:24:51.513: IPSEC:(SESSION ID = 28799) (get_old_outbound_sa_for_peer) No outbound SA found for peer 7FA9A9926BB8
*Jan 20 20:24:51.513: IPSEC:(SESSION ID = 28799) (update_current_outbound_sa) updated peer FD00:1:1:1::2 current outbound sa to SPI 0
*Jan 20 20:24:51.513: IPSEC(send_delete_notify_kmi): ASSERT FAILED: Decrement count mismatch for sibling :7FA9A98F5778
*Jan 20 20:24:51.513: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
*Jan 20 20:24:51.513: crypto engine: deleting IPSec SA ???
*Jan 20 20:24:51.513: delete_ipsec_sa: no such crypto engine
*Jan 20 20:24:51.513: crypto engine: deleting IPSec SA ???
*Jan 20 20:24:51.513: delete_ipsec_sa: no such crypto engine
*Jan 20 20:24:51.513: IPSEC(ident_send_delete_notify_kmi): not in msg context Ident Delete SA msg: 0
*Jan 20 20:24:51.513: IKEv2:(SA ID = 2):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database FAILED
*Jan 20 20:24:51.515: IKEv2:(SESSION ID = 28799,SA ID = 2):: Creation/Installation of IPsec SA into IPsec DB failed
*Jan 20 20:24:51.515: IKEv2:(SESSION ID = 28799,SA ID = 2):Queuing IKE SA delete request reason: unknown
*Jan 20 20:24:51.515: IKEv2:(SESSION ID = 28799,SA ID = 2):Sending DELETE INFO message for IPsec SA [SPI: 0xDE324A31]
*Jan 20 20:24:51.515: IKEv2:(SESSION ID = 28799,SA ID = 2):Building packet for encryption.
Payload contents:

Can someone throw some light into it.