ikev2 on C1101-4PLTEP with Cisco FTD

jebankshrcu
Level 1

Hi Team,

I'm having a hard time understanding what went wrong. The site-to-site was working, but I noticed the output below:


FAB#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 160.238.160.18/500 200.32.190.146/500 none/none IN-NEG
Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec

IPv6 Crypto IKEv2 SA

It was in READY status before and working, but now it does not want to establish.


ccieexpert
Spotlight

Please run these debugs to determine what is going on.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115935-asa-ikev2-debugs.html

Please also attach config snips from both sides.

What has changed in your environment or config?

This is from the router side:


FABSPLRT#debug crypto ikev2
IKEv2 default debugging is on
FABSPLRT#ter
FABSPLRT#terminal mon
FABSPLRT#terminal monitor
FABSPLRT#

*Aug 6 16:50:45.629: IKEv2:(SESSION ID = 172,SA ID = 1):Received Packet [From 200.32.233.146:500/To 160.238.137.18:500/VRF i0:f0]
Initiator SPI : 7B8B9BA876102514 - Responder SPI : F88F11A06B032970 Message id: 12
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:


*Aug 6 16:50:45.629: IKEv2:(SESSION ID = 172,SA ID = 1):Received DPD/liveness query
*Aug 6 16:50:45.629: IKEv2:(SESSION ID = 172,SA ID = 1):Building packet for encryption.
*Aug 6 16:50:45.629: IKEv2:(SESSION ID = 172,SA ID = 1):Sending ACK to informational exchange

*Aug 6 16:50:45.630: IKEv2:(SESSION ID = 172,SA ID = 1):Sending Packet [To 200.32.233.146:500/From 160.238.137.18:500/VRF i0:f0]
Initiator SPI : 7B8B9BA876102514 - Responder SPI : F88F11A06B032970 Message id: 12
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR

FABSPLRT#
*Aug 6 16:50:55.327: IKEv2:% Getting preshared key from profile keyring MyRing
*Aug 6 16:50:55.327: IKEv2:% Matched peer block 'BZE'
*Aug 6 16:50:55.327: IKEv2:(SESSION ID = 0,SA ID = 0):Searching Policy with fvrf 0, local address 160.238.137.18
*Aug 6 16:50:55.327: IKEv2:(SESSION ID = 0,SA ID = 0):Found Policy 'BZE'
*Aug 6 16:50:55.328: IKEv2:(SESSION ID = 172,SA ID = 1):Check for IPSEC rekey
*Aug 6 16:50:55.328: IKEv2:(SESSION ID = 172,SA ID = 1):Set IPSEC DH group
*Aug 6 16:50:55.328: IKEv2:(SESSION ID = 172,SA ID = 1):Checking for PFS configuration
*Aug 6 16:50:55.328: IKEv2:(SESSION ID = 172,SA ID = 1):PFS not configured
*Aug 6 16:50:55.328: IKEv2:(SESSION ID = 172,SA ID = 1):Generating CREATE_CHILD_SA exchange
*Aug 6 16:50:55.329: IKEv2:(SESSION ID = 172,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA256 Don't use ESN
*Aug 6 16:50:55.329: IKEv2:(SESSION ID = 172,SA ID = 1):Building packet for encryption.
Payload contents:
SA N TSi TSr
*Aug 6 16:50:55.329: IKEv2:(SESSION ID = 172,SA ID = 1):Checking if request will fit in peer window

*Aug 6 16:50:55.330: IKEv2:(SESSION ID = 172,SA ID = 1):Sending Packet [To 200.32.233.146:500/From 160.238.137.18:500/VRF i0:f0]
Initiator SPI : 7B8B9BA876102514 - Responder SPI : F88F11A06B032970 Message id: 14
IKEv2 CREATE_CHILD_SA Exchange REQUEST
Payload contents:
ENCR


*Aug 6 16:50:55.364: IKEv2:(SESSION ID = 172,SA ID = 1):Received Packet [From 200.32.233.146:500/To 160.238.137.18:500/VRF i0:f0]
Initiator SPI : 7B8B9BA876102514 - Responder SPI : F88F11A06B032970 Message id: 14
IKEv2 CREATE_CHILD_SA Exchange RESPONSE
Payload contents:
NOTIFY(TS_UNACCEPTABLE)

*Aug 6 16:50:55.365: IKEv2:(SESSION ID = 172,SA ID = 1):Processing any notify-messages in child SA exchange
*Aug 6 16:50:55.365: IKEv2-ERROR:(SESSION ID = 172,SA ID = 1):
*Aug 6 16:50:55.365: IKEv2-ERROR:(SESSION ID = 172,SA ID = 1):: Create child exchange failed
*Aug 6 16:50:55.365: IKEv2:(SESSION ID = 172,SA ID = 1):IPSec SA create failed
*Aug 6 16:50:55.365: IKEv2:(SESSION ID = 172,SA ID = 1):Abort exchange
*Aug 6 16:50:55.365: IKEv2:(SESSION ID = 172,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0x2A4F92EF]
*Aug 6 16:50:55.365: IKEv2:(SESSION ID = 172,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
*Aug 6 16:50:55.366: IKEv2:(SESSION ID = 172,SA ID = 1):Checking if request will fit in peer window

*Aug 6 16:50:55.366: IKEv2:(SESSION ID = 172,SA ID = 1):Sending Packet [To 200.32.233.146:500/From 160.238.137.18:500/VRF i0:f0]
Initiator SPI : 7B8B9BA876102514 - Responder SPI : F88F11A06B032970 Message id: 15
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

*Aug 6 16:50:55.367: IKEv2:(SESSION ID = 172,SA ID = 1):Check for existing IPSEC SA

*Aug 6 16:50:55.403: IKEv2:(SESSION ID = 172,SA ID = 1):Received Packet [From 200.32.233.146:500/To 160.238.137.18:500/VRF i0:f0]
Initiator SPI : 7B8B9BA876102514 - Responder SPI : F88F11A06B032970 Message id: 15
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:


*Aug 6 16:50:55.404: IKEv2:(SESSION ID = 172,SA ID = 1):Processing ACK to informational exchange
*Aug 6 16:50:55.404: IKEv2:(SESSION ID = 172,SA ID = 1):Check for existing IPSEC SA

*Aug 6 16:50:55.629: IKEv2:(SESSION ID = 172,SA ID = 1):Received Packet [From 200.32.233.146:500/To 160.238.137.18:500/VRF i0:f0]
Initiator SPI : 7B8B9BA876102514 - Responder SPI : F88F11A06B032970 Message id: 13
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:


*Aug 6 16:50:55.629: IKEv2:(SESSION ID = 172,SA ID = 1):Received DPD/liveness query
*Aug 6 16:50:55.629: IKEv2:(SESSION ID = 172,SA ID = 1):Building packet for encryption.
*Aug 6 16:50:55.630: IKEv2:(SESSION ID = 172,SA ID = 1):Sending ACK to informational exchange

*Aug 6 16:50:55.630: IKEv2:(SESSION ID = 172,SA ID = 1):Sending Packet [To 200.32.233.146:500/From 160.238.137.18:500/VRF i0:f0]
Initiator SPI : 7B8B9BA876102514 - Responder SPI : F88F11A06B032970 Message id: 13
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR


*Aug 6 16:51:05.628: IKEv2:(SESSION ID = 172,SA ID = 1):Received Packet [From 200.32.233.146:500/To 160.238.137.18:500/VRF i0:f0]
Initiator SPI : 7B8B9BA876102514 - Responder SPI : F88F11A06B032970 Message id: 14
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:


*Aug 6 16:51:05.629: IKEv2:(SESSION ID = 172,SA ID = 1):Received DPD/liveness query
*Aug 6 16:51:05.629: IKEv2:(SESSION ID = 172,SA ID = 1):Building packet for encryption.
*Aug 6 16:51:05.629: IKEv2:(SESSION ID = 172,SA ID = 1):Sending ACK to informational exchange

*Aug 6 16:51:05.629: IKEv2:(SESSION ID = 172,SA ID = 1):Sending Packet [To 200.32.233.146:500/From 160.238.137.18:500/VRF i0:f0]
Initiator SPI : 7B8B9BA876102514 - Responder SPI : F88F11A06B032970 Message id: 14
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR


*Aug 6 16:51:15.628: IKEv2:(SESSION ID = 172,SA ID = 1):Received Packet [From 200.32.233.146:500/To 160.238.137.18:500/VRF i0:f0]
Initiator SPI : 7B8B9BA876102514 - Responder SPI : F88F11A06B032970 Message id: 15
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:


*Aug 6 16:51:15.629: IKEv2:(SESSION ID = 172,SA ID = 1):Received DPD/liveness query
*Aug 6 16:51:15.629: IKEv2:(SESSION ID = 172,SA ID = 1):Building packet for encryption.
*Aug 6 16:51:15.629: IKEv2:(SESSION ID = 172,SA ID = 1):Sending ACK to informational exchange

*Aug 6 16:51:15.629: IKEv2:(SESSION ID = 172,SA ID = 1):Sending Packet [To 200.32.233.146:500/From 160.238.137.18:500/VRF i0:f0]
Initiator SPI : 7B8B9BA876102514 - Responder SPI : F88F11A06B032970 Message id: 15
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR

Now the output on the router looks like this:

FABSPLRT#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 160.238.137.18/500 200.32.233.146/500 none/none READY
Encr: AES-GCM, keysize: 256, PRF: SHA256, Hash: None, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/472 sec


Firewall output:

> show crypto ikev2 sa

IKEv2 SAs:

Session-id:158, Status:UP-ACTIVE, IKE count:1, CHILD count:2

Tunnel-id Local Remote Status Role
2683320751 200.32.233.146/500 160.238.137.18/500 READY INITIATOR
Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/461 sec
Child sa: local selector 192.168.2.100/0 - 192.168.2.103/65535
remote selector 10.20.20.0/0 - 10.20.20.255/65535
ESP spi in/out: 0xa561840d/0xb1cd5100
Child sa: local selector 192.168.1.248/0 - 192.168.1.251/65535
remote selector 10.20.20.0/0 - 10.20.20.255/65535
ESP spi in/out: 0xef50cde9/0x3a9d93e5


This output is good; there is no problem at all.

This peer is the initiator and works, and you mentioned that sometimes the IPsec tunnel does not work, so check whether this peer is behind a stateful policy that allows one direction of traffic.

MHM

So it was working before, but I had changed the lifetime from 22800 to 86400 because the issue I was having was that I had to ping from both ends for the tunnel to establish. If that happens, it works fine for the day, but the next day I would have to start pinging from both ends again. So I was trying to troubleshoot that issue, but now I have this issue.

The lifetime does not affect IPsec that much.
What is most important is which peer is the initiator in IPsec and which is the responder.
Peer1 - stateful ACL - Peer2
Here Peer2 cannot be the initiator, since the ACL always drops the UDP 500 traffic, so it will always be the responder.
Peer1 will always be the initiator, since it can open a hole in the ACL for the return traffic.

If you see your IPsec drop and it cannot come UP, try using IP SLA from Peer1 to Peer2; this makes Peer1 always have traffic to encrypt and always initiate IPsec.

MHM

OK, so in my case I want Peer1 (remote branch) to be the initiator. In my case it's the router? How can I do that? I sent the router config in the last response. That's the config that I currently have. Note the tunnel is not up at the moment.

In the router, only use

ping <remote LAN IP> source <local LAN IP>

Remote LAN and local LAN are what you use in the ACL of the VPN.

MHM

FABSPLRT#ping 192.168.1.251 source vlan20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.251, timeout is 2 seconds:
Packet sent with a source address of 10.20.20.1
.....
Success rate is 0 percent (0/5)

VPN ACL from the router's perspective:

Extended IP access list BZE
5 permit ip 10.20.20.0 0.0.0.255 192.168.2.0 0.0.0.255 (566 matches)
10 permit ip 10.20.20.0 0.0.0.255 192.168.1.0 0.0.0.255 (801 matches)

In this ACL I deny the interesting traffic that I want to go through the tunnel, and the rest is for when users need to browse the internet:

Extended IP access list Internal
2 deny ip 10.20.20.0 0.0.0.255 192.168.1.0 0.0.0.255
4 deny ip 10.20.20.0 0.0.0.255 192.168.2.0 0.0.0.255
10 permit ip 10.20.20.0 0.0.0.255 any log (4 matches)
20 deny ip any any log


debug crypto ikev2 packet <- in the router. If you see retransmits when you ping from the router,

then the router cannot be the initiator and can only be the responder, and the FTD can initiate IPsec (you can also ping to initiate traffic via the FTD).

MHM

This is what the debug looks like when I try the ping within the router by sourcing:


ccieexpert
Spotlight

NOTIFY(TS_UNACCEPTABLE) - this means the traffic selectors are not matching. Please make sure the crypto ACLs on both sides are mirrors of each other. It looks like you have more than one ACE entry, and the second or a later one is failing. Please check and make sure they are mirrors, and run debugs on both sides again if there are still issues.

**Please rate as helpful if this was useful**
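A small check for the mirror-image advice above, added here as an example and not code from the thread or from Cisco: it compares the router's crypto ACL with the child SA selectors the FTD reports and flags every entry that is not an exact mirror. The two input lists are constructed from the outputs posted earlier in the thread with the port fields dropped; in IKEv2 a responder may legitimately narrow a proposed selector, so a "narrowed" verdict is something to review against the peer's configuration, not proof of the fault.

```python
import ipaddress

# Constructed from the outputs posted in this thread (ports dropped): the
# router's crypto ACL 'BZE' as (source, destination) pairs ...
ROUTER_ACL = [
    ("10.20.20.0/24", "192.168.2.0/24"),
    ("10.20.20.0/24", "192.168.1.0/24"),
]
# ... and the FTD's child SA selectors as (local, remote) pairs.
FTD_CHILD_SAS = [
    ("192.168.2.100-192.168.2.103", "10.20.20.0-10.20.20.255"),
    ("192.168.1.248-192.168.1.251", "10.20.20.0-10.20.20.255"),
]

def ts_bounds(spec):
    """Return (first, last) as ints for 'a.b.c.d/n' or 'a.b.c.d-e.f.g.h'."""
    if "-" in spec:
        lo, hi = spec.split("-")
        return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    net = ipaddress.ip_network(spec, strict=False)
    return int(net[0]), int(net[-1])

def classify(ace, sa):
    """Compare one router ACE (src, dst) with one peer selector pair (local, remote)."""
    src, dst = map(ts_bounds, ace)
    local, remote = map(ts_bounds, sa)
    if remote != src:
        return None            # peer's remote is not our source: not this ACE's counterpart
    if local == dst:
        return "mirror"        # exact mirror image, what the advice above asks for
    if dst[0] <= local[0] and local[1] <= dst[1]:
        return "narrowed"      # peer only covers a subset of our destination
    if local[0] <= dst[0] and dst[1] <= local[1]:
        return "wider"         # peer covers a superset and would narrow to ours
    if local[1] < dst[0] or dst[1] < local[0]:
        return None            # no overlap at all
    return "partial"           # overlapping ranges, neither contains the other

def check_mirror(router_acl, peer_sas):
    """For every router ACE, report how the peer's selectors line up with it."""
    report = []
    for ace in router_acl:
        verdict = "no counterpart"
        for sa in peer_sas:
            result = classify(ace, sa)
            if result:
                verdict = result
                break
        report.append((f"{ace[0]} -> {ace[1]}", verdict))
    return report
```

Feed it the selectors from `show crypto ikev2 sa` on both peers after any change to the crypto ACL or the FTD's protected networks; anything other than "mirror" is the entry to look at first.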

jebankshrcu
Level 1

@CCIT
I already checked those. I am attaching the config.

@MHM Cisco World

It was working, but like I mentioned, the tunnel needed a ping from both ends the following day for it to work again. So I was changing some timers, but since then I cannot bring it up again. It shows as READY, but now I cannot ping across. Config attached.


Sorry I made you wait.
Now:
Why do you use a lifetime byte count? This can lead one side to clear the IPsec SA while the other keeps it.
What is the phase II SA you use on both sides? Are you using AES-GCM?

MHM
